Organisations unable to afford adequate cyber insurance cover set to double in 2023
Huntsman Security today warned that the number of organisations that will either be unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023. Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organisation will leave it exposed.
“Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cybersecurity strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance for many,” commented Peter Woollacott, CEO of Huntsman Security.
“Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost,” Woollacott continued.
With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap, insurers are seeking to improve the quality of risk information, so premiums better reflect the true cost of that risk. Unless organisations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It’s for these reasons that insurers have changed the basis upon which their products are offered to reflect the risk being underwritten more accurately.
In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organisations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process. These controls are likely to include:
- Multi-factor authentication
- End-point protection
- Restricted administrator privileges
- OS and application patching
- Staff awareness
- Regular backups
- Tested business resilience planning
- Disaster recovery planning
Forrester Research, in their “Top Cybersecurity Threats for 2022” report, dated April 2022, predicts that, as risk information improves, it is likely that insurers will include new underwriting requirements and greater scrutiny of risk mitigation and security program maturity. As noted, this is already underway with insurers undertaking more rigorous underwriting processes. If other lines of insurance are any guide, as organisations start to improve their cyber risk management and oversight, insurers will improve their risk pricing models and reward those organisations that can evidence higher levels of security controls with more favourable insurance costs and terms.
Changing buyers’ and sellers’ need for cybersecurity will undoubtedly result in ongoing recalibration in the insurance market. Cyber risk introduced by third party suppliers is a case in point.
“The cyber insurance industry will continue to face continued uncertainty in the coming years with a difficult risk environment exacerbated by changing business models,” commented Peter Woollacott. “Ensuring organisations follow best practice will be key to reducing risk but measuring this across a complex organisation can be a huge challenge. Automated risk assessment tools will help inform risk management efforts, but organisations must be committed to improving their cyber hygiene from the outset and then maintain a regime of improving cyber resilience. The interlinked nature of modern business, cyber defences and compliance now extends beyond the enterprise to partners and suppliers of those insured, and so the smallest vulnerability can quickly escalate into a significant breach across a supply chain,” he added.