The Future of Cyber Insurance

by Brandon Graves, Partner


Many of our clients ask questions about cyber insurance.  More and more contracts require it, and many organizations feel it is critical to have cyber insurance regardless of obligations.  There are a lot of pitfalls for unwary customers in the insurance market, but some changes on the horizon will make things worse.

Rates Will Increase

According to the UK’s Information Commissioner’s Office, the number of reported ransomware attacks rose 100% in 2021.  That level of increase has driven a significant increase in cybersecurity insurance premiums.  According to Marsh, the price of insurance in the UK rose 68% from one quarter to the next; this matches what we’ve seen.  Some market analysts see sustained double- or triple-digit increases every quarter.

With rates increasing, assessments are increasing as well.  In the past, it was possible to get cybersecurity insurance with minimal investigation if a company was willing to pay enough.  Now, more and more insurers are requiring specific security controls, such as multi-factor authentication and endpoint detection and response, before issuing policies.  Companies seeking policies may have to invest in additional security controls at the same time they pay more in premiums.

Policies Will Cover Less

At the same time policies are increasing in cost, they are decreasing in coverage.  Lloyd’s of London recently announced that it wants insurers to exclude state-sponsored cyberattacks from coverage.  This would be in addition to the standard force majeure clauses most policies already have.  Lloyd’s concerns deal with the potential widespread damage ransomware could cause to the economy, but so much cybersecurity risk can be at least arguably attributed to state-sponsored organizations that the exception might swallow the policy.

That leads to another concern.  Attribution in a cybersecurity incident can be difficult for forensic firms.  Now, insurance claims may turn on attribution.  This may lead forensic firms to be more cautious in attribution; it may also lead companies to be even more reluctant to share information with law enforcement, if that information could point back to a state actor.

The Future of Insurance

As insurance changes, companies seeking coverage will need to change as well.  A strong cybersecurity program can lower rates, and well-written answers to insurer questionnaires can limit policy challenges after a breach.  But insurance cannot be the only way that companies mitigate risk.  Companies will need to ensure that their contracts with both vendors and customers spread risk appropriately.  Reducing that risk through more in-depth analysis of business partners will also become more important as insurance coverage shrinks.  These and other measures will be critical to reducing the harm a cybersecurity incident can cause.