Cyber Insurance Today

September 23, 2021

If you have read previous posts about cyber insurance, you know it is always changing. Here are the latest updates from security firm Halock (https://www.halock.com/what-you-need-to-know-about-cyber-insurance/):

  • Premiums are going up, and the rise is continuing. Average prices have increased by 32% as of June 2021 compared to the previous year. In the near future Standard & Poor expects annual increases of 20-30%.
  • Losses are getting worse. The average paid loss went from $145,000 in 2019 to $358,000 in 2020. Industry loss, defense and cost containment ratios that averaged 42% from 2015 to 2019 rose to 77% in 2020.
  • Cyber insurance is a necessity to cover first- and third-party costs of data breaches and ransomware attacks, plus regulatory costs.

If you aren't worried yet about cyber attacks, Gartner warns that by 2025 attackers will have weaponized operational technology that will perform commercial and reputational vandalism and possibly threaten human life. The financial impacts of cyber attacks will reach $50 billion and CEOs will be personally liable (with implications for D&O in addition to Cyber insurance).

Cyber insurers are tightening their coverage requirements and declining organizations with inadequate security. Organizations with remote workers must be sure their policies are broad enough and check for any restrictions. Each policy must be carefully read before purchasing.

The Independent Insurance Agents & Brokers of America's Agents Council for Technology has a 12-step cyber security compliance program:

  1. Risk assessment.
  2. A documented security policy.
  3. An incident response plan.
  4. Security training and monitoring.
  5. Penetration testing and vulnerability scanning.
  6. Access control protocol.
  7. Documented security policy for third party service providers.
  8. Encryption of non-public information.
  9. Designation of a Chief Information Officer.
  10. An audit trail.
  11. Multi-factor authentication.
  12. A procedure for disposal of non-public information.