Fewer threats to business people are increasing and occurring in the form of cyber-attacks. One day it’s ransomware or human engineering, the next it’s hacking, hacking or malware. In the past, the silver lining for businesses dealing with this issue has been cyber insurance, providing financial protection from an invisible enemy. But technology is constantly changing, and new challenges are emerging in the market for this coverage.
Although the cyber insurance market was slow to evolve, many businesses in recent years have made the right decision to protect themselves from potential losses. According to the National Association of Insurance Commissioners (NAIC), insurers wrote about $4.1 billion in cyber premiums in the United States in 2020, with $2.75 billion in premiums written directly by in-house insurers, the most recent year for which statistics are available.
Globally, data firm Statista estimates that cyber debt was $8 billion in premiums in 2020 and could grow to $20 billion by 2025.
From our department’s involvement in the NAIC’s Cybersecurity Working Group, it is encouraging to see a large, competitive marketplace that ensures businesses have access to the security they need. However, whether this continues will depend on affordability – and there are other challenges in the market, as well as signs that point to major challenges in the coming years.
Not so long ago, insurers had entered the cyber insurance market and worked to convince businesses that this was the most important thing that could be purchased at affordable rates.
Now, due to the constant evolution and complexity of cyberattacks combined with the increasing connectivity of our devices, along with the Russian invasion of Ukraine, the rise of international security, and the development claims, companies are struggling. The possibility of simultaneous loss for policyholders is a serious problem. With more and more, we’re seeing lower market share, higher premiums, lower capacity as other carriers jump into the market, and underwriters insisting on risk management before they write policy.
So how can insurers and businesses meet these challenges and ensure the future success of the market? What is important is that both parties appreciate their shared responsibility.
It is important for businesses to invest in their technology, training and expertise to ensure they are familiar with the basics of cyber security. Strong controls should be implemented, such as regular training, ensuring a secure VPN connection, and multi-factor authentication. Although insurers are not focused on certain technologies, they want to understand how the business develops risk management strategies using existing technology and internal standards.
When cyber incidents occur, they need to be resolved quickly, and businesses need to contact their authorized cybersecurity vendors immediately after a breach – regardless of the time or day of the week. An enterprise risk manager is essential to any organization and must be prepared to deal with threats and ensure that internal and external resources are ready to respond.
By building these businesses and creating defensive measures within cybersecurity that can be implemented in the short term, businesses can help keep cyber insurance from running smoothly.
Likewise, insurance carriers need to ensure that their underwriters are getting the right information and confidence in pricing to increase competition and attract new entrants to the market, which leads to better regulation. They need to update their customer models, some of which are based on archival documents from the past decade, to see how the information is progressing – especially because of the security measures the sales team is taking. They must also find ways to control their losses through limits, deductibles, and reinsurance.
Finally, there needs to be a realization in the insurance industry that our public and national economy will suffer if businesses cannot afford the products they need to protect themselves. While recycling these resources is important, going out of the market to get them is not in the country’s economic interest.
By working together, the business community and the insurance sector can take proactive steps that ensure that the cyber insurance market is not only grounded in the concept of viability but thrives in the future.
While having insurance makes sense for any business, it does not absolve the business of its responsibility. After all, having dental insurance does not negate your responsibility to brush and floss your teeth. Likewise, cyber insurance is no substitute for cyber hygiene.
Christopher Nicolopoulos of Bow is the commissioner of the NH Hampshire Department of Insurance, and DJ Bettencourt of Salem is the agency’s deputy commissioner.