Cyber risk is on the rise, with ransomware leading the charge. The FBI's Internet Crime Complaint Center reported 3,729 ransomware complaints in 2021—a 50% increase from the previous year. And with average ransomware payments increasing (reaching a staggering $812,000 in 2021), attackers have only become more emboldened. Cyber criminals know that many insurance carriers have payment provisions for ransomware payments, so they are launching more attacks, especially within critical infrastructure and supply chains.
As data breaches have become more prevalent—and more costly—demand has spiked over the past few years for cyber insurance plans. Forecasts estimate the global cyber insurance market will double in size by 2025 to reach $22 billion. This has forced carriers to increase their costs and, in many cases, restrict or put heavy conditions on what they cover in order to manage their own risk exposure.
While insurance plans hold lots of value, firms should not approach cyber insurance as a catch-all for potential ransomware attack damages. Not only do policies cost more today, but insurers also have stricter underwriting requirements—meaning, if you aren’t taking proactive steps to mitigate your cyber risk, you may find yourself without the coverage you expected when a breach occurs.
Cyber insurance primarily covers privacy risks, security risks, operational risks, and service risks. These are typically covered under three types of insurance:
Network security coverage protects your business in the event of a data breach or cyber attack like malware or ransomware. This can include costs such as expense reimbursement for ransomware negotiation and demand, breach notification, forensics, data restoration, and oftentimes public relations expertise.
Privacy liability coverage defends organizations from lawsuits, such as class-action lawsuits, or regulatory penalties from state and federal governments following a cyber incident or privacy law violation. This is especially important for organizations that work with sensitive customer data, like healthcare, where a breach of private data could open the business to major liability exposure.
Network business interruption coverage insures against operational cyber risk. If a cyber incident occurs that shuts down your network or your provider’s network, cyber insurance can cover the costs of lost profits and other expenses during the disruption.
Media liability coverage covers intellectual property infringement and liabilities related to online content or digital advertising.
Errors and omissions coverage protects you from damages incurred from breaches of contract due to performance lapses with customers or partners. So if a data breach occurs that impacts service level agreements, this cyber insurance can cover that risk.
Cyber insurance generally insures organizations against cyber risks such as:
Cyber insurance typically does not cover:
Additionally, keep in mind insurance companies are tightening their coverage standards and policies. This means there may be gaps in coverage depending on what losses qualify under the insurance agreement.
With the rising costs of cyber risks, insurance companies are tightening policy terms to minimize their losses.
One of the main ways insurers are mitigating risk is through increasing exclusions for “war and terrorism.” This cyber war exclusion states that the insurer is not responsible for damages resulting from cyber attacks connected with war or foreign enemies.
The main issue with these exclusions is that they tend to be overly broad—leaving it unclear which incidents may or may not be covered. This is especially true today, as cyber attacks can be characterized as invasions, and most ransomware operators are located in Russia or eastern Europe. This leaves a “grey” area as to what constitutes terrorism, especially for organizations in countries with particularly fraught relationships with those states.
One of the most high-profile examples of this exclusion is the Mondelez case. Mondelez International, Inc., a snack food manufacturer, was infected by the malware NotPetya in 2017. The infection caused significant damage as well as disruption to global supply chains. But when Mondelez went to file a $100 million claim under an all-risk property policy, it was denied based on the war exclusion.
This is a good example of the complexity of insurance coverage in the cyber landscape. The claim fell under a property policy rather than a cyber insurance policy—but it highlights just how interconnected cyber damages can be with other types of losses and insurance coverage. That’s why it is important for organizations to review their policies carefully to see where they are covered and what gaps and exclusions may apply.
The pandemic has also tightened underwriting and payout guidelines even further. Insurers now have more controls and requirements on security protocols, backups, and infrastructure as a condition for coverage and payout of damages. This means organizations are increasingly expected to maintain a minimum level of cyber health to qualify for the coverage they are paying for.
Relying solely on cyber insurance for your risk management isn’t enough. Due to the rising costs of coverage as well as the complex policy requirements and exclusions, it’s important to take proactive steps to mitigate risks upfront.
In addition to improved security measures around your own network perimeters, organizations should evaluate their entire risk landscape across their supply chain.
Here are a few ways you can do this:
Underpinning all these risk mitigation steps is good data. Without it, you won’t have the context and insight needed to take strategic action. A robust supplier intelligence solution is essential for providing the depth and breadth of data needed to assess and monitor your suppliers’ cybersecurity risks at scale.