
The escalating cost and complexity of cyber insurance

25 Oct 2023
Martin Potgieter, co-founder and technical director of Nclose.

You know what they say, death and taxes are unavoidable. But there’s another thing you can add to that list: the growing number of cyber incidents that can have a significant impact on businesses’ financial well-being. It's not only the rise in attacks that poses challenges, but also the increased premiums charged by cyber insurance companies. It’s like a one-two punch for organisations, with the threat of cyber intrusions growing stronger and the price tag for protection climbing higher and higher.

According to recent statistics released by the Council of Insurance Agents and Brokers (CIAB), cyber insurance premiums increased by around 28% in the first half of 2022 compared to the same period in 2021. By the end of 2022, premiums increased by a further 20.3% compared to the previous year. These numbers correlate with those released by Statista, which found that 89% of insurance brokers had seen an increase in demand for cyber insurance policies over the same period, and 72% had seen an increase in claims.

As cyber insurance claims went up, insurance companies began putting stricter limitations on what they cover and what businesses must do to keep their coverage intact. It’s all because of the ever-growing complexity of the cybersecurity landscape. These insurance providers prioritise their own protection by demanding that their customers put certain levels of security in place. As a result, there has been a major clamp-down on what type of coverage these companies provide and what they expect their customers to do to ensure the insurance remains valid.

The consequences of paying

An important question to consider is: How much does cyber insurance influence attacker behaviour? Payouts made to these criminals have not only changed the way they target and demand ransoms, but have also become a tempting reward for them.

However, it’s worth noting that some cyber insurance policies have started excluding ransom payments from their coverage. This means that organisations relying solely on insurance may no longer have the guarantee of ransom payment if they fall victim to a cyberattack. This shift in policy coverage aims to discourage attackers from targeting organisations with the expectation of a payout.

Cyber insurance is no longer something that offers peace of mind and allows the organisation to relax. Instead, it has become a last-resort protection that comes into play when all other measures have failed – but only if the policy explicitly covers ransom payments. The game has changed, and both companies and insurers need to navigate this new reality with caution.

Cyber insurance alone is not enough

While cyber insurance is important and should be a priority for the C-suite, it’s not foolproof. The threat landscape can be challenging. Ransomware payouts have skyrocketed in recent years, emboldening attackers. They’re now using double and triple extortion to increase their profit margins. They encrypt the data, demand the ransom, and then start going to your business partners and telling them that your company has been compromised and that their data is now also at risk. They threaten to release your partner’s information alongside your own and demand money from everyone involved. Cyber insurance can’t protect against this level of reputational threat.

That is why cyber insurance companies are now telling their customers what to do to ensure their insurance stays valid. Companies are now under pressure from multiple fronts — regulation, attackers, and insurers — to guarantee that every possible security step is taken should they be compromised. Companies need to reinforce their security systems and investments, and collaborate with third-party service providers to ensure comprehensive protection. 
