KANSAS CITY, MO — Protecting against cyber risk is a critical concern for businesses of all sizes. Cyber liability insurance is an essential component of a comprehensive cyber security strategy and provides protection against losses or damages resulting from cyberattacks or data breaches by covering costs related to investigating and responding to a cyberattack.
Cyber liability insurance covers a range of risks and exposures. Common coverages include data breach response, cybersecurity liability, cyber extortion, network security liability and business interruption. Coverage can include the costs associated with investigating a breach; notifying affected parties; providing credit monitoring and identity theft protection; legal defense costs; damages arising from claims made by third parties for a data breach or cyberattack; ransom payments; and crisis management.
The typical limits of a cyber liability insurance policy vary depending on the size of the company, the industry and the level of risk. However, the typical limit for a small- to medium-sized business (SMB) could be between $1 million and $5 million, while larger corporations typically purchase policies with limits of at least $10 million.
Given the ever-evolving cyber threat landscape, it’s important to understand the state of the market and the coverage available. Cyber risk and mitigation evolve rapidly, much like the technology sector itself.
While the cyber security landscape remains dynamic and volatile, the cyber risk insurance market showed signs of stabilization in the first half of 2023.
The good news for insureds is that taking proactive steps to establish and maintain robust, up-to-date security controls will position an organization for a positive outcome when renewing or seeking new coverage. Insureds are generally seeing smaller renewal rate increases compared to recent years when some saw increases of more than 120%.
Several factors are contributing to this trend, including the growing prevalence of security controls. In recent years, companies and organizations have increasingly recognized the critical importance of cybersecurity and have invested in security controls.
Another key driver is the leveling off of ransomware attacks. Ransomware remains a significant threat, but 2022 arguably saw attacks leveling off, or at least the frequency of attacks moderating. This development may have encouraged some insurers to expand their capacity for cyber coverage.
That said, attacks are once more on the rise. March 2023 saw a record number of ransomware attacks, with North America being the most targeted region and SMBs also increasingly targeted.
Finally, the moderate improvement in the ransomware landscape combined with increased pricing has resulted in better loss ratios for carriers.
Healthier balance sheets for cyber products allow insurers to expand capacity and moderate renewal rate increases.
Key cyber risks include cybercrime, Payment Card Industry Data Security Standard (PCI DSS) fines, business interruption, reputational risk, and emerging risks such as artificial intelligence (AI).
Cybercrime encompasses ransomware, social engineering fraud, payment fraud, data breaches and other types of attacks, including those on the supply chain. Estimates of the financial impact vary, but the cost is substantial by any measure.
Any organization that accepts, processes, stores or transmits credit card information must comply with PCI DSS. Failure to do so may result in monthly fines — imposed by card brands or acquirers — ranging from $5,000 to $100,000. Additionally, noncompliance with PCI DSS may lead to consequences such as liability for fraudulent charges and credit card replacement costs.
Downtime from a cyber event can lead to substantial losses. While business interruption is primarily associated with direct cyberattacks, it can also be a result of operational failures or an incident affecting a contingent business such as a supplier, vendor or partner.
Reputational risk also accompanies cyber risk. Companies with high-profile cyber events can incur costs to remediate reputational damage.
AI and machine learning can contribute to strengthening cyber defenses, but these technologies are also leveraged by bad actors for malicious purposes. In addition, businesses using AI to generate content or surveil customers could face liability claims related to its use.
While price increases in cyber insurance have stabilized, a number of issues that can potentially impact coverage and remediation from cyberattacks have emerged.
War exclusions. Cyber insurers have previously covered cyber incidents linked to nation states, despite war exclusions that are included in many types of insurance. Depending on policy wording, coverage could be denied if nation-state cyberattacks cause systemic losses.
Panel vendor challenges. Under the terms of a policy, an insurer may mandate the use of its panel of cyber security vendors, even if an insured has its own cyber security team and vendors. Policy terms and close communications between insureds, brokers and insurers can help prevent these types of conflicts.
Application misrepresentation. Last year, a major insurance company filed suit against an insured, alleging the company had misrepresented its security controls in its application. This type of dispute could lead to denied claims and makes it critical that insureds work closely with their insurance advisors to provide comprehensive representations of their security controls.
Cyber liability insurance is an essential component of a comprehensive cybersecurity strategy. Businesses must take proactive steps to establish and maintain robust, up-to-date security controls, positioning themselves for a positive outcome when seeking coverage. Additionally, businesses must understand the state of the market and any coverage limitations to ensure they have sufficient protection against cyber risk
This has been adapted from the October | Q4 2023 issue of Commercial Baking. Read the digital edition here.
