In the words of former FBI director Robert Mueller, “There are only two types of companies: those that have been hacked and those that will be.”
This reality, combined with increased awareness and frequency of cyber attacks, has led to a rise in cyber insurance. The percentage of insurance clients opting for cyber coverage has increased from 26% in 2016 to 47% in 2020. The insurance industry is now facing pressure and concerns about an increase in claims due to the conflict in Ukraine. However, cyber insurance is not the ultimate solution to the growing threat.
In the late 1990s, cyber insurance had fewer restrictions and more coverage, but that has changed in recent years. Now, there is a shift towards traditional risk measurement, with underwriters assessing the biggest risks and excluding certain risks from coverage. Premiums for cyber insurance have also increased, with more than half of policyholders experiencing a price rise of up to 30% by the end of 2020.
While the conflict in Ukraine may lead to more cyber insurance purchases, most policies will not protect against nation-state attacks or ransomware. Insurance companies are likely to refine their language and increase coverage exclusions to hedge their risks. Therefore, organizations looking to mitigate risk should not solely rely on cyber insurance.
The first step should be a risk assessment to determine the anticipated impact of a cyber incident. Insurance is an important part of risk management, especially for high-impact but low-probability risks. Organizations should also focus on improving their security measures, automating risk monitoring, and consolidating security tools for better visibility. Only after completing a thorough risk assessment and establishing a strong security foundation should organizations consider investing in cyber insurance.
The interest in cyber insurance is expected to grow, but it is crucial for companies to understand the details of their policies. The future will likely bring more clarifications and rewriting of exclusion clauses. Instead of relying solely on insurance, organizations should prioritize proactive cyber hygiene as the best defense against cyber attacks.