The State of Cyber Insurance 2022 [Research]
The cyber insurance market is in flux, along with how organizations use it.
Premiums are increasing, coverage can be confusing, and a sizable number of organizations are currently uninsurable because they lack basic security technology like endpoint detection and response (EDR).
These factors are fueling a “cyber insurance gap” for a majority of North American companies — and those without the appropriate coverage face increasing headwinds as a growing number of sales agreements and strategic partnerships require partners and vendors to have this type of insurance.
Cyber Insurance Study and White Paper
To understand the state of cyber insurance in 2022, BlackBerry and Corvus Insurance surveyed 415 IT and cybersecurity business decision makers — within both small and mid-sized businesses (SMBs) and large enterprises — and the findings reveal both significant obstacles and potential solutions related to cyber insurance.
BlackBerry Director of Global Public Relations Matt Chandler spotted a key takeaway from the responses right away. “The headline is that organizations are underinsured, or uninsured, and they're looking for the government to help.”
And Corvus Insurance CTO, Vincent Weafer, explains the backstory of these findings.
“In general, we've come through what is known as a hard market. Ransomware has been rising over the last couple of years, which in turn has driven losses,” he says. Some insurers exited the market. Those who stayed re-evaluated their exposure. “What we are seeing are the frustrations with getting cyber insurance, understanding what you're covered for...premiums have gone up, but the limits have gone down. That's part of what has come out in the survey — and you look across and say, okay, what can be done about this?”
You can explore the answer to this question and several others in the new white paper, How Cybersecurity Insurance Provides Protection.
3 Topline Findings on the State of Cyber Insurance
Let’s look at three big-picture findings from the new BlackBerry and Corvus Insurance research:
- Only 55% of respondents currently have cyber insurance
- Of those with insurance, over one-third (37%) aren’t covered for ransomware payments
- Of those with ransomware payment coverage, only 19% of all businesses surveyed have limits greater than the median 2021 ransomware demand of $600,000. That number drops to 14% for SMBs with fewer than 1,500 employees.
These factors may explain why half of SMB respondents say they are hoping the government will offer financial assistance to organizations hit by ransomware attacks.
Companies standing in this “insurance gap” face a dilemma. One Chief Financial Officer (CFO) who responded to the survey explains it like this:
“Do I pay high premiums and keep paying to keep my policy, or do I just set aside a self-funded account as a rainy-day fund and pray we don’t get hit?”
I doubt this CFO is alone when you consider that 85% of respondents saw an increase in their cyber insurance premiums over the past 12 months and most reported double-digit rate hikes.
Could going without cyber insurance make sense? We explore that in additional detail in the white paper. However, along these same lines, our research revealed something else about those who remain uninsured: Some organizations applying for coverage are being turned down because they lack certain basic controls.
Organizations Denied Cyber Insurance Coverage
Many cyber insurance policies are becoming more prescriptive — meaning applicants must meet certain security benchmarks, or the insurer will not write a policy. One example of this involves successfully deploying EDR.
In our research, we found that more than one-third of respondents (34%) reported being denied cyber coverage for not meeting EDR eligibility requirements. And on the flip side, nearly half (41%) of respondents adopted EDR to meet cybersecurity insurance requirements.
Cyber Insurance as a Strategic Partner
If you look at the previous results from a business risk perspective, you can see a glimmer of how organizations and cyber insurers can work together. Implementing EDR (for example) reduces risk to the organization enough that the organization becomes insurable. This means much of the remaining risk held by the organization can now be passed to the insurer. A key action — implementing a control — allows the organization to reduce its risk twice.
And Weafer says this is just the start of how insurers can be a resource:
“This can also help you with your investment discussions with the board in terms of ‘Hey, I really want to invest in EDR or managing the deployment. Here's why it makes sense. And here's where we can get some savings if I do this better’.”
And he reminds us that insurers have the data that organizations need. “We've got the loss statements. So we can actually work together with the industry to provide those insights. If you invest in zero trust, what is it likely to mean in terms of lower costs of claims and less likelihood to see losses occurring?”
Uncover more about what organizations need to be insurable and how they can use cyber insurance as a key part of risk management in our new white paper. Read: How Cybersecurity Insurance Provides Protection.