What cyber insurance is, and how to make the most of it

Protecting yourself from cybercrime is more important than ever. Take it from the FBI, which warned last year it had tracked losses from cyber fraud at $6.9 billion in 2021, up 64% from the year prior. Following proper security hygiene is step number one, but another important aspect is cyber insurance. Unfortunately, that’s getting a little more complicated. Here’s what’s changing in the cyber insurance market, and how to maximize the potential benefits of getting a policy, in 2023.

Read the small print

Cyber insurance (which is also called cyber risk or cyber liability insurance) can help organizations reeling from the impact of an attack, breach, or other cyber incident cover the costs of a prompt response. Some cyber insurers go one step further, helping organizations arrange an array of covered services so that responders can get rolling before costs mount.

It’s not just organizations that run their own systems and networks that need insurance—managed services providers (MSPs) and managed security services providers (MSSPs) also need their own plans for incidents involving clients. Regardless of who’s buying, cyber insurance packages vary significantly in what they cover and when, depending on the provider and the exact language of the contract. For example, MSPs/MSSPs may purchase errors and omissions coverage in addition to a standard cyber policy to limit liability if a client thinks the provider is responsible for a breach.

Cyber insurance can potentially cover everything from losses due to interruptions of business and the destruction of digital assets to recovery costs like data retrieval and theft or ransoms from various kinds of cybercrime. Justin Reinmuth, CEO and founder of Techrug, a company that specializes in policies for IT services firms, warned that buyers should look over policies carefully to determine the exact scope of coverage and be aware of exclusions.

“I think the biggest thing to understand is buying cyber liability errors and omissions insurance [is] not like buying auto insurance or workers comp,” Reinmuth told IT Brew. “It’s unregulated…the devil is in the details.”

Prepare for sticker shock

Premiums for cyber insurance skyrocketed last year. Professional services firm Marsh & McLennan estimated premiums were up 79% in Q2 2022 from the year prior, after more than doubling in each of the prior two quarters.

Reinmuth attributed that to the end of a 2010s “gold rush” in the market. At the end of the last decade, he said, a sudden rise in the scale of attacks and the cost of handling them caught the industry off guard: “They didn’t expect to collect $1,000 and pay out a million dollars in ransom.”

The Covid-19 pandemic also contributed to ever higher premiums, as work-from-home models increased organizations’ potential attack surfaces and cyber risk. CRC Insurance Service, for example, released data showing 82% of accounts it placed in June 2022 had rate increases of at least 20%, and 44% saw premiums increase by more than half.

“We’ve seen examples where breaches have taken place and the damage goes on for 18 to 24 or more months,” Jeffrey Wheatman, cyber risk evangelist at Black Kite, said. “That’s sort of not the norm in insurance.”

“The cyber security expertise at a lot of the insurance companies was not really where it needed to be,” Wheatman told IT Brew. “I don’t think they really knew how to assess what risk exposures were—they were sending out questionnaires, and they were taking the questionnaires at face value, and they got burned.”

Be ready to up your security game

Rates for MSPs and MSSPs are in the process of becoming a major cost, akin to what doctors pay for medical malpractice coverage, Reinmuth said, as cyber insurers have determined that loss ratios in recent years have approached unsustainable levels. Those insurers are now underwriting with additional exclusions and tighter preconditions, like minimal security requirements—which, in Reinmuth’s view, means organizations will no longer be able to use insurance as a crutch for poor security practices.

Reinmuth added that companies should expect stricter standards from insurers wary of paying out preventable claims and who may now mandate higher standards (like multi-factor authentication) or require that clients work with approved vendors. For example, he said that in January, he saw a policy that required policyholders to work with a specific backup provider.

“They’re asking a lot more questions,” he said. “If you’re doing five or six things correctly, and you actually have this security implemented, the likelihood of a claim goes down dramatically and drastically.”