The latest update on cyber risk and insurance, posted by Steve Hallo on the Property Casualty 360 website, shows cyber losses continue to increase in frequency, severity and complexity. According to Accenture plc, total costs and lost revenue from cyber attacks could reach $5.2 trillion in three years. On the other side, GlobalData projects gross written cyber insurance premiums will reach $20.6 billion (almost triple 2020 premiums) by 2025. Put another way, there isn't enough premium to cover all cyber losses. Insurers will restrict, or even stop writing, cyber insurance or go bankrupt.
Cyber insurance is no longer an option for businesses of any size. However, it is only a partial solution.
Much of the increase in cyber losses is due to increased ransomware payments - average payments increased 60% between first and second quarters of 2020, according to Accenture. With cyber criminals basing ransomware demand on a victim's insurance limit, one insurer response is to have sublimits for ransoms, or even to exclude them.
Organizations need to mitigate cyber risk, using standards such as NIST's Cybersecurity Framework for risk identification, protection, detection and recovery. They need to pay attention to third party vendors' security as much as their own. They must also keep abreast of new regulatory statutes and regulations.
Accenture identifies four critical elements in cyber protection:
- Complete and transparent risk assessments.
- Targeted services to reduce exposures.
- Tailored insurance coverage.
- Breach response services.