Cyber insurance: What does a CISO need to know?

We look at how the market for cyber insurance is evolving and how IT security chiefs can avoid buying the wrong level of cover

The global cyber insurance market is set to be worth US$20bn in 2025, according to researchers at Statista. That is up from just under $8bn in 2020.

Cyber insurance is now a very common way for businesses, especially larger organisations, to protect themselves against cyber attack. As one expert puts it, “everyone has it”, at least among large enterprises. And dedicated cyber insurance plans are becoming more common among small and medium-sized enterprises (SMEs), too.

Publicity around cyber attacks, particularly ransomware, has driven interest in cyber insurance. But while CISOs and CIOs increasingly see insurance as part of their cyber security framework, it is not without its problems. Premiums are rising, insurers are excluding more risks – including acts of war and ransomware – and policyholders can be forced to adopt onerous control measures to obtain the cover they need.

Heidi Shey, principal analyst at Forrester, says there has been a “hardening of the market” recently, and some insurers, such as AXA France, are refusing to write cover for ransomware.

At the same time, there are reports that ransomware groups are actively going after firms with cyber insurance, and even pitch their demands just below the ceilings in any policy.

“The major trend we have seen in the past 12 months is a reduction in the limit of indemnity – the maximum amount an insurer will pay under a policy – and the rising cost of cyber insurance due to ransomware losses impacting the cyber insurance portfolio of almost every insurer,” says Simon Gilbert of insurance brokers Elmore. All this can make it difficult to get the right cover.

What is cyber insurance?

Cyber insurance comes in two main forms: a standalone policy, or cover included within a business interruption policy (or even, for smaller firms, within general business insurance).

At the most basic level, cyber insurance pays out an agreed sum to help businesses undertake remedial action and restore services. But the market is complex. Some policies, for example, exclude the loss of money through business email compromise. Cover for loss of customer data, or compensation claims, also varies widely, as the National Cyber Security Centre (NCSC) points out in its cyber insurance guidance.

“Cyber insurance has been around for about 20 years, and in the beginning, the focus was on data breaches and data theft,” says Matthew Martindale, a partner focusing on cyber security and the financial sector at consulting firm KPMG. “But in recent times, there has been a massive focus on ransomware. That has driven changes in coverage, with more focus on business interruption.”

This has led cyber insurance to provide more than cash payouts. Insurers offer a range of incident management and incident response services, from communications and legal assistance to digital forensics. This can extend to help in dealing with the aftermath of a data breach, or fraud investigations.

Some insurers also offer cyber security consulting and advice on risk management during the period of cover. These services can be very useful, especially for firms with limited or no cyber security capabilities. For larger or more mature organisations, though, this might simply duplicate or even complicate existing incident response plans.

Insurance challenges

Although the cyber insurance market is expected to grow, it is becoming tougher for organisations to arrange the right cover.

Chief among the challenges is cost. Premiums are increasing, and cover is more restricted. Also, insurers may look for security and compliance measures that some businesses cannot afford.

“I’d say premiums are surging, and I guess that trend is here to stay because the technical and legal landscape is becoming more and more complex,” says Ilia Kolochenko, founder of security firm Immuniweb. He points to rising fines under data protection laws as an increasing risk, with some insurers refusing to write new business.

He advises CISOs to be very careful with how cyber insurance contracts are drafted, as a lack of attention to detail can result in firms not having the cover they thought they had bought.

“The most frequent pitfalls that we observe are either you have too many exclusions, or the policy uses overbroad language,” says Kolochenko. This leads to insurers refusing to pay out.

And, as the NCSC points out, cyber threats change rapidly. CISOs need to check whether cover applies to new or emerging threats. If it does not, the policy might be of more limited use.

Another issue is the need for organisations to put in place specific cyber security measures before they can buy cover. Many of these measures are steps that responsible businesses will take anyway, but others are too onerous, expensive or of debatable practical value.

This is a particular challenge for smaller companies, says Muttukrishnan Rajarajan, a member of the Chartered Institute of Information Security and professor of security engineering at City, University of London.

“Even when SMEs are aware of insurance, the biggest challenge I see from interacting with them is that they are pushed to perfect their cyber hygiene and secure certification like Cyber Essentials Plus before even attempting to get cyber insurance,” says Rajarajan.

“In many instances, they simply don’t have the resources or budget to address challenges and implement controls, leaving them uninsured, whether because of a flat unwillingness to insure or due to prohibitively high premiums.”

Larger firms face their own difficulties. “Nowadays, it’s challenging to get cyber insurance as the insurers bring in a red team or pen testers to evaluate the security programmes of the potential client to ensure they are meeting a level of cyber security standards,” says James McQuiggan, security awareness advocate at KnowBe4.

These tests will be done before any policy is agreed. Even then, policy cover is likely to be lower than it was in 2019, says McQuiggan. He points out that policies increased by about 50% from 2018 to 2019, and firms are now seeing “anywhere from a 5% to 18% increase each quarter, due to ransomware attacks”.

Other industry observers are seeing similar issues. “Unrealistic or unnecessary inclusions in cyber insurance checklists are a challenge for CISOs,” says Rob Demain, CEO of security firm e2e-assure. “For instance, a checklist might ask if a company applies security patches within 30 days of release. Not all companies will need every patch, and they might not be able to apply it within 30 days. Another checklist might say the company needs to have a SIEM [security information and event management] monitored 24/7 by a SOC [security operations centre]. Purchasing, commissioning and managing a SIEM, as well as implementing 24/7 response, could be a £250,000 expense that organisations just don’t have the budget for.”

Some large insurers approve only 5% of applicants, says Demain. “That tiny percentage must remain compliant all year round, too, which is hard to achieve with continuous and stringent assessment,” he adds. However, this does not mean cyber insurance is without value.

Making cyber insurance work

The cyber insurance market certainly suffers because of its complexity, and both insurers and their clients have made matters more difficult by using policies to pay ransomware demands.

“The good news is that in most cases, the insurers are willing to cover the full limit for business interruption from ransomware attacks,” says broker Simon Gilbert. “It is the actual ransom demands that have been tailed back most.”

But even where policies are more expensive and more restrictive, they are still valuable. A firm would need a very cold-blooded attitude to cyber risk to carry no insurance at all.

However, CISOs and risk officers do need to be realistic with their boards about what policies can and cannot do. For all the pre-contract testing and advice, cyber insurance will not stop attacks. Nor can it prevent loss of business, or reputational damage.

As one insurance expert puts it, a cyber policy is a “backstop”. It should prevent a loss that threatens the business’s existence. Boards can adjust the level of cover they need, and the premiums they will pay, according to their own appetite for risk.

“Having cyber insurance will not stop a cyber attack, but it will help a business recover faster and, in most cases, prevent catastrophic failure,” says Gilbert.

And firms can do much to put their own houses in order. In recent years, certainly before the pandemic, some organisations relied too much on cyber insurance to cover risks that they could – and, arguably, should – have mitigated themselves.

In part, this was due to a lack of resources and skills, says Matt Middleton-Leal, managing director for Europe, the Middle East and Africa (EMEA) north at supplier Qualys. “I think the challenge is that many organisations were using insurance as a bit of a crutch, to allow them to limp through and avoid doing some difficult technology changes,” he says.

“There are about 185,000 vulnerabilities out there in the world at the moment. But if you boil that down in terms of the associated risks, you get down to probably 30, 40 or 50, which are things that organisations need to fix, and which will stop breaches from happening in not all, obviously, but in a huge number of cases.”

Middleton-Leal adds: “The reduction in overall risk in doing that, versus buying insurance, is much greater. But organisations haven’t been doing it because they haven’t been able to get that data and associate it with the corresponding risk.”

This is an area where insurers – and CISOs – could work more closely together. Insurers want to write policies that are profitable, at least in the medium to long term. Firms need cover that protects them from the worst consequences of cyber attacks, and allows boards to offset risks that cannot be carried or mitigated in-house.

Ultimately, cyber insurance is as much about an organisation’s risk management as it is about protecting its systems or data.

“In my experience, there is still more work to be done by the insured for them to understand and express their cyber risk to their executive committees and boards,” says KPMG’s Martindale. “What is the risk we are carrying, what is the risk we think we can get to, and what is our risk tolerance?”

Answering those questions will help CISOs make the most of any cyber cover.