With cyber risks increasing, more organizations are choosing to protect themselves with cyber insurance. But with more complex standards and policy options, how can they be sure they're getting the best protection?
Just because cyber-attacks are no longer all over the news doesn’t mean that they’ve gone away. In fact, the opposite could be true, as cyber-attacks have now become an expected part of doing business. Indeed, cyber-attacks against tax & accounting firms increased 80% between 2014 and 2020, according to the Association of International Certified Professional Accountants (AICPA), while the American Bar Association (ABA) reported in 2021 that 25% of US law firms had been breached at some time.
As those cyber risks have increased, so too has the growth of insurance coverage for cyber incidents. But while cyber insurance has begun to receive more uptake, increasingly stringent standards for coverage as well as confusion about the options available for cyber incidents could leave some companies in the lurch.
According to the 2022 Cyber Readiness Report from insurance provider Hiscox, almost two-thirds (64%) of companies now have cyber insurance as either a standalone insurance policy or as part of another policy. This represents a small rise from 58% two years ago. The highly regulated financial services sector has the highest rate of cyber insurance adoption at 74%, while the construction and travel/leisure industries have the lowest adoption at 53% each.
Crimes of opportunity
Judy Selby, a partner in the insurance practice at law firm Kennedys and a regular speaker on cyber issues, said that she’s beginning to see an improvement in companies’ general cyber awareness, including the recognition that current hacking incidents are largely “crimes of opportunity,” rather than dependent on the industry in which a company operates.
“I think for years, there was a thought process that nobody would be interested in my data, my company’s data,” Selby said. “And if you remember the days of the big retail incidents, the data breaches, I remember companies saying to me personally, well, we don’t have credit cards, so nobody’s going to want our information.”
Now, however, she added, “I think the uptake is getting higher now than it used to be. And part of that was this realization that yes, it can happen to us, which is a really big deal. And also recognizing that the exposures come from so many different angles.”
Indeed, the Hiscox survey found a strong correlation between exposure to a breach and a desire for cyber insurance. Out of the firms that did not have cyber insurance or did not plan to get it, nearly 80% had not experienced a cyber-attack within the past year. Just over half (51%) of those were also considered “novices” in cyber readiness, according to the Hiscox scale.
Even among those companies that had cyber insurance, however, there remained some stratification between the types of coverages they held. Notably, companies were split roughly down the middle as to whether they held a standalone cyber policy or covered cyber as part of a larger policy. Among companies with 250 or more employees, 35% had a standalone cyber policy in place, and 40% had cyber coverage as part of another policy. At companies with under 250 employees, those figures were 28% and 29%, respectively.
Selby said she is a proponent of standalone coverage, if possible, for a few reasons. First is simply “because the coverage is so comprehensive, you have all this great first-party coverage for dealing with an incident.” Particularly with more sophisticated cyber-attacks, policies that include business interruption coverage, regulatory coverage, and liability coverage are coming into play.
Concerning the latter, Selby noted that many companies are “not technically or financially able to respond to an incident on their own.” When a network is encrypted and the company’s access to it is blocked, for example, even the simplest of questions become complicated: How do we communicate with each other? How do we hire vendors to come in and help us? And even if we wanted to pay a ransom, how would we do that?
“These are things you don’t want to have to learn on your own,” she explained. “And so, the first-party coverage can be a real lifeline to companies to efficiently and effectively manage this incident from [not only] a financial standpoint [and] an operational standpoint, but also from a reputational standpoint.”
Preparing for a cyber incident
Outside help on cyber incidents may be increasingly necessary because overall cyber readiness is falling, the Hiscox survey notes. Respondents’ self-assessment of overall cyber readiness fell by 2.6% overall during the past year, with the number of companies qualifying as “experts” falling from 20% to 4.5%. The survey attributed those decreases to awareness of new vulnerabilities such as the Apache Log4j logging library vulnerability, as well as a continued talent crunch for cybersecurity experts.
That’s why Selby said she tells clients to not only get to know the details of their insurance providers’ coverage options (and subsequent limits on policies), but also what she calls providers’ “cyber squad” team. A typical cyber insurance provider will have a mix of panel firms, forensic analysts, notification vendors, and more that can be a godsend in a pinch, often provided at discounted rates.
This extra value can be important when making a business case for cyber insurance as well, she added, as the insurance has become more expensive and the scrutiny for coverage has gotten more intense. Some security measures, such as multi-factor authentication, are now table-stakes for coverage, which could scare off some businesses. However, Selby drew an analogy to property insurance: Every provider is going to ask not only about fire incidents that happened in the past, but sprinkler systems and fire exits that could help prevent them in the future.
“It always surprises me when people… complain about having to provide the information,” Selby said. “It’s like, if you don’t understand your own risk, why would you expect another company to say, okay, we’ll insure that for you, we’ll take that risk on your behalf when you don’t know what it is? And then when you say that, they go, oh yeah, that makes sense.”
Ultimately, cyber issues aren’t going away, particularly as the Hiscox survey found the median cost of a cyber-attack nearly doubled in both the United States and the United Kingdom last year. That means cyber insurance will also continue to represent a piece of companies’ risk mitigation profile by necessity.
“The issues that people have with applying for the coverage, that shouldn’t stand in the way,” Selby said. “I think people should proceed and get the coverage, and when you get it, keep it, even if the price has gone up.”