Cyber insurance explained: What it covers and why prices continue to rise

Cyber insurance can't protect your organization from cybercrime, but it can keep your business on stable financial footing should a significant security event occur.

insurance

Credit: David Hilowitz

What is cyber insurance?

Cyber insurance, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is a policy with an insurance carrier to mitigate risk exposure by offsetting costs involved with damages and recovery after a cyber-related security breach or similar event.

What does a cyber insurance policy cover?

Cyber insurance policies are becoming more diverse as the market matures, and the finer details regarding what one policy may cover can be somewhat different to another, depending on several factors. Nonetheless, Lori Bailey, chief insurance officer at commercial insurance provider Corvus, tells CSO that there are general commonalities across most cyber insurance policies:

Richard Hodson, director and insurance broker at UKGlobal Broking Group, adds that policies also typically cover communications and public relations following incidents. “We are now seeing more and more policies offering post breach funds as well that includes training to staff to prevent repeat occurrences and full system diagnostics.”

Not all policies are created equal, and these coverages would be included in a comprehensive, standalone cyber policy but not necessarily in cyber coverage that’s added to a package policy, Bailey adds. What’s more, not all forms of cyber risk are covered by insurance. “For example, the financial damage caused by war and/or terrorism or failure of internal infrastructure wouldn’t be covered, and neither would the reputational costs that can be incurred following an attack.” Likewise, a virus that was not specifically designed or created to target the affected company may well be excluded, too, says Hodson.

Ransomware and litigation drive changes in cyber insurance

The cyber insurance market is going through a state of flux as cybersecurity trends trigger shifts. Organizations of all shapes and sizes have been investing in cyber insurance policies to add protection. Meanwhile, evolving cyberthreats and risks have continued to plague organizations and test their resiliency. As a result, cyber insurance providers are becoming more versed in and responsive to specific cybersecurity.

Leading the trends affecting demand for and cost of coverage, policy terms and conditions, requirements, and limits is ransomware. Actors are employing craftier and more sophisticated methods to extort (and multi-extort) businesses for potentially huge sums of money.

The increase in ransomware has led to more organizations considering investments in cyber insurance as many have seen the cost of ransomware cause huge financial disruptions at other businesses, Bailey says. “Aside from the direct costs of a ransom, recovering from these attacks is costly. In 2021, breach response costs increased from 29% to 52% of overall claim costs.”

As demand has risen, supply has struggled to catch up, Bailey adds. “Insurers are raising rates and standards for risks they are willing to cover. In terms of the coverage itself, some insurers have pulled back on how much they’ll cover for a ransomware attack or reduced the overall limit they are offering for businesses of a certain size.”

Even if insurers haven’t significantly altered coverage, they will likely have instituted subjectivities on their policies that require compliance with certain key security measures as a condition of the policy, Bailey says.

Research highlighting a decline in ransomware attack and payment claims with organizations prioritizing prevention and recovery goes some way to suggest that cyber insurers may be inclined to look more favorably on businesses seeking cover. However, global insurer Beazley recently issued data showing that prices for cyber insurance continue to rise despite a downward trajectory of claims, while premium rates for renewals increased 23% year-on-year in the third quarter of 2021.

“What’s more, the coronavirus pandemic increased the vulnerability of many organizations to cyber risk, as thousands of systems moved to cloud-based platforms to enable a remote workforce,” says Proofpoint’s resident CISO Andrew Rose. “During this time, cyber insurance companies urged businesses to re-evaluate their insurance policies, as the evolution of their tool sets and working practices, and the threats that apply to them, may not be represented in their existing cover, leaving unexpected gaps and shortfalls which could be catastrophic.”

For technology and compliance lawyer Jonathan Armstrong, the most significant driver of change in cyber insurance is demand for financial protection from litigation against organizations in the wake of cyber incidents. “We have seen that an attack or breach can be followed in the next day or so by lawyers claiming that they are investigating litigation against the company that has been hit.”

This issue has been under the spotlight recently in the Lloyd v Google case in the UK. Richard Lloyd alleged that Google collected data from around 4 million iPhone users between 2011 and 2012 regarding their browsing habits without their knowledge or consent for commercial purposes, such as targeted advertising. He looked to bring representative action on behalf of all affected individuals against Google for compensation, which Google opposed.

The UK Supreme Court sought to establish whether such a claim for a breach of data protection legislation can succeed without distinctive personal damage and if claimants can bring group action on behalf of unidentified individuals, including people who may not even be aware that they were affected.

On November 10, 2021, the UK Supreme Court ruled in favor of Google on both counts, meaning the action against them cannot proceed in its current form. This will be a relief to UK data controllers who were concerned that a decision in favor of Lloyd would open the floodgates for costly and time-consuming claims of little or no merit.

“In short, this judgment is a restoration of the status quo in relation to data claims,” says Will Richmond-Coggan, data protection litigator and director at law firm Freeths. “I expect that we will see fewer claims being pursued, and those that are will be ones where demonstrable harm has been caused, so we should expect that those will be easier to quantify and settle at an earlier stage. Even the unmeritorious high-volume claims of recent years have required a lot of time and cost to be expended in fending them off, so the exclusion of those claims will certainly improve the risk profile of low impact breaches, and this should influence the pricing of risk across the cyber insurance market.”

Regardless of the outcome though, Armstrong predicts that litigation will remain an impactful trend in cyber insurance. “If anything, we may see claims be threatened even more quickly as law firms and funders try and recruit claimants for ‘opt-in’ actions.”

Cyber insurance exclusions for state-backed cyberattacks

In August 2022, insurance marketplace Lloyd’s of London announced that it is set to introduce cyber insurance exclusions to coverage for “catastrophic” state-backed attacks from 2023. In a market bulletin published on August 16, 2022, Lloyd’s stated that whilst it “remains strongly supportive of the writing of cyberattack cover” it recognizes that “cyber-related business continues to be an evolving risk.” Therefore, the company will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements.

In a bulletin, Lloyd’s of London wrote, “When writing cyberattack risks, underwriters need to take account of the possibility that state-backed attacks may occur outside of a war involving physical force. The damage that these attacks can cause and their ability to spread creates a similar systemic risk to insurers.” Lloyd’s aims to ensure that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings, it added. “We consider the complexities that can arise from cyberattack exposures in the context of war or non-war, state backed attacks means that underwriters should ensure that their wordings are legally reviewed to ensure they are sufficiently robust.”

Moving forward, all standalone cyberattack policies falling within risk codes “CY” and “CZ” must include a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with new requirements, Lloyd’s stated. The requirements will take effect from March 31, 2023, at the inception or on renewal of each policy, with no requirement to endorse existing, in force policies, unless when the expiry date is more than 12 months from March 31, 2023.

Speaking to CSO in August, Jonathan Armstrong, lawyer and partner at compliance firm Cordery, said that the biggest issue organizations and CISOs are going to face in relation to the exemption put forward by Lloyd’s will surround accurate attack attribution. “Whilst with specialist help you can often say that there are indicators of nation-state involvement, we know it’s hard to be certain. It’s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case,” he stated. Putting proper procedures in place will be key, and to get attribution right an organization will need proper and effective monitoring on its systems to assist in an investigation, Armstrong added.

How to review cyber insurance exclusions for state-backed attacks

In September 2022, Cisco Talos issued guidance on what CISOs need to consider when reviewing such an exclusion clause, with particular focus on strategies for attack mitigation. It set out these four key factors:

Step 1: Collect forensic evidence: CISOs should ensure that they are able to gather forensic evidence from attacks to identify as much information as possible regarding how an attack was carried out, and the infrastructure used by the attacker. This forensic capability, how evidence will be gathered and preserved, should be agreed with the insurer.

Step 2: Define how attribution will be made: The attribution of a specific attack should be made by comparing evidence gathered from the attack with that of previous attacks. CISOs should agree the process by which forensic artefacts are used to attribute attacks and the degree of certitude necessary to declare an attack as having been carried out by a specific group.

Step 3: Consider the volatility of attribution: The gathering of evidence and intelligence is a continuing process. Information previously assumed to be fact may be subsequently identified as incorrect or a purposeful red herring. New evidence may be identified months or years after an attack that changes the estimated attribution of prior attacks. CISOs should determine a period after which the attribution of attack (if made) will not be changed even if subsequent evidence is uncovered.

Step 4: Define the nature of state-backing: CISOs should agree what constitutes state-backing. Ideally, CISOs should agree with their insurers the set of threat actor groups (and their synonyms) which are considered to be state-backed. State involvement in cyberattacks is a spectrum of activity. The decision line where an attack can be referred to a state-backed is a fine one that requires consideration and agreement.

How to assess your cyber insurance needs

Once a company has understood the state of the current cyber insurance market and the scope of coverage, it can then explore whether a policy will be of benefit. “Insurance is essential for many aspects of corporate life, and cybersecurity is rapidly becoming one of those,” says Rose. “Each firm must do the mathematics themselves, to balance the cost of the insurance, against the cost of the event, and the opportunity cost of the money spent on annual premiums. Identify what needs to be protected the most. Applying limits to the cover can reduce risk and help balance the business case for this increasingly essential cover.”