Combating the rising costs of cyber insurance: how we got here, and what organizations can do
Aug. 5, 2022 · Authored by Mike Cullen
Cybersecurity is a challenge that cannot be solved completely or simply checked off an organization’s to-do list. It is continuous work that requires a multi-faceted approach to reducing and managing any associated cyber risks.
One approach for managing cyber risk is cyber insurance, although many organizations are now questioning the feasibility of insurance given the recent changes in the insurance market.
Over the last 12 to 18 months, the cyber insurance market has shifted significantly. Generally, it has become more expensive to purchase cyber insurance – and those pricey premiums now offer some organizations significantly less coverage than before. In some cases, organizations are now paying multiple times more for cyber insurance than they paid in recent years, and yet they are receiving substantially less coverage.
There are many reasons why cyber insurance is becoming pricier and providing less coverage for certain organizations, including:
- Cyber criminals are becoming increasingly skilled at defeating the various protections that organizations have deployed, while also continuing to take advantage of human errors through phishing and ransomware attacks
- Insurance companies are facing a much higher likelihood of claims, and those claims are also likely to be more costly as these cyber incidents are larger and more impactful on organizations
- How well a cybersecurity program protects an organization and reduces risk is difficult to calculate, and there is no universally agreed-upon standard for that type of evaluation
Together, these factors make pricing cyber insurance difficult for the insurance companies. Insurers have therefore reevaluated their risk tolerances and calculated that this increased risk means they have more potential exposure, which in turn drives the higher costs that are then passed along in the premiums.
Many organizations feel helpless against the surging cost of cyber insurance, wondering if there is anything they can do to combat the increasing premiums and decreasing coverages. Whereas in the past, organizations were likely willing to absorb the reasonable price of cyber insurance because it was an easy cost justification, now organizations are thinking about risk management more strategically by asking the questions, “How much actual risk mitigation are we getting?” and “Is cyber insurance