Expert debunks misconceptions impacting cyber insurance investment

A Forrester report found that only a quarter of firms possess standalone policies.

A nagging discrepancy in cyber insurance ownership has raised questions about the comprehensiveness and adequacy of the coverage businesses are securing. Despite scepticism from business owners about the effectiveness of insurance, 78% of firms admitted facing vulnerabilities in the past year.

“A key concern for these businesses will be their ability to do business if their business partners require proof of cyber insurance as a condition of doing business together.

Third-party risk is a primary concern for many companies and a key driver for why many organisations invest in cyber insurance,” Heidi Shey, principal analyst at Forrester explained to Insurance Asia.

/Heidi Shey, principal analyst at Forrester.

For many businesses, whether B2B or B2C, having cyber insurance is not just an added value but a requirement for partnerships, making it a crucial investment, Shey said. “Few organisations are in a financial position to self-insure,” she added.

Forrester’s report, “The Chief Information Security Officers (CISOs) Guide to Cyber Insurance,” revealed the perception that having cyber insurance makes an organisation more of a target for cyberattacks is largely unfounded.

“Due to increasingly stringent requirements that insurers have of policyholders, the organisations that qualify for cyber insurance policies at the best coverage and rates will typically also have a strong cybersecurity programme and controls in place,” said Shey.

The report also showed organisations with cyber insurance, particularly standalone policies, typically experience fewer breaches and recover more quickly from incidents.

Despite 83% of businesses having some form of cyber insurance, only 26% possess standalone policies. Fitch Ratings estimates that these standalone policies account for 70% of industry premiums, driven by higher costs.

Asia Pacific (APAC) has been seen as one of the fastest-growing regions for the past five years in terms of primary cyber insurance market, S&P Global reported. The region was also accompanied by Latin America. North America and Western Europe, however, post slower expansion due to their larger market size.

The compound annual growth rate (CAGR) of APAC for primary cyber insurance and reinsurance for the 2018-2022 period respectively grew to 51.2% and 43.4%. The data is based on the ratings agency’s cyber insurance survey for global multi-line insurers and global reinsurance groups.

Meanwhile, the CAGR for primary insurance and reinsurance averaged 36.2% and 58.0% globally.

“About 56% of gross premiums written (GPW) on affirmative cyber insurance--which explicitly covers cyber risk--are generated in North America; about 37% in Europe, the Middle East, and Africa; 6% in Asia-Pacific, and 1% in Latin America,” S&P Global said.

In 2022, global cyber insurance premiums reached approximately $12b, and it's projected that they will continue to rise at an average annual rate of 25% to 30%, reaching around $23b by 2025.

Fallacy or fact?

Misconceptions about cyber insurance can hinder investment decisions, Shey warned.

“Depending on existing awareness about cyber insurance within the organisation, CISOs may need to first help make the case for why this matters, dispel misconceptions and set internal expectations related to its purpose and benefits. This is especially true for organisations that do not currently have cyber insurance coverage,” she said.

When applying for or renewing a policy, clarify the requirements for internal stakeholders. This includes gathering information for insurers, assessing cyber risks and tolerance for interruptions, planning coverage scenarios, and determining which incident and breach-related costs the firm can cover without insurance.

“You may also want to work with your legal team to understand your contracts with business partners, especially those that require your firm to have security controls, and the terms for financial exposure if breached,” Shey said.

Organisations with robust cybersecurity programmes that align with standalone cyber insurance policies experience fewer breaches and quicker incident responses compared to those with endorsements or no coverage.

Self-insurance is a viable option for organisations with substantial reserves but requires a thorough understanding of potential costs and risks. A standalone cyber insurance policy is tailored specifically to address cyber risks.

A prevalent misconception is that self-insuring or investing in a robust security programme negates the need for cyber insurance. However, businesses can benefit from the added advantages that insurers offer beyond the policy itself. These benefits can include incident response preparedness, security monitoring services, and discounts from security technology partners.

In contrast, adding cyber coverage to a general policy, such as property, crime, or liability insurance, may not sufficiently meet an organisation’s needs for cyber protection.

Forrester points out that the appropriateness of coverage depends on several factors, including the organisation's risk appetite and the specific scenarios they aim to cover.

“Regardless of how an organisation is covered for cyber, they need to have a clear understanding of what their insurance policy does or does not cover,” Shey said. “It is in the insurer's best interest that your organisation has a strong cybersecurity and risk management programme.”

3 key trends

Three key trends are affecting cyber insurance applications and renewals, notably regulatory requirements and data analysis.

“The regulatory requirements of insurers may start in or apply to one region, and ultimately impact its global operations. An example is the New York State Department of Financial Services 2021 cyber insurance risk framework of best practices, pushing for more granular risk mitigation requirements for policyholders,” Shey said.

“There is a heavy emphasis on risk and exposure data collection and analysis, so insurers can better assess underwriting risks and the security posture of insureds. Businesses should be prepared to react to more in-depth questions and scrutiny from insurers, and more clearly communicate their risk posture to their insurance provider,” she added.

Recommendations

Forrester recommends that CISOs and their organisations develop a strategy to make cyber insurance work for them. 

Shey stressed that insurance providers have specific requirements that must be met to qualify for coverage. Organisations should conduct a maturity assessment of their cybersecurity programme to identify any gaps. 

This assessment can help prioritise investments in specific areas to improve the programme’s maturity and enhance eligibility for cyber insurance coverage. 

She noted how savvy companies utilise a combination of external attack surface management, breach and attack simulation, and cyber risk quantification tools to understand their current risk posture and communicate it effectively to insurers.

It is essential to leverage insurer resources and align incident response plans with insurer requirements to secure the right level of protection.

Shey suggested that part of the strategy should involve identifying the benefits the insurer can provide beyond the policy, leveraging its resources and partners, and understanding the necessary steps in the event of a breach.

“It’s also a good idea to review your incident response plan and processes to ensure that you take cyber insurance and your insurer's requirements into account, to help facilitate a smoother process for incident response as well as filing a subsequent claim,” she said.