Cyber Insurance: The Cost Of Doing Business

Brought to you by CYRIN

Recently researchers at Zscaler claimed that a ransomware gang received $75 million, reportedly the largest ransom payment made by a cyberattack victim since records began. An undisclosed Fortune 50 company paid this record-breaking figure to the Dark Angels ransomware group. This payment almost doubles the previous record of $40 million, which was paid in 2021 by insurance giant CNA Financial after the company was locked out of its network by cybercriminals using Phoenix Locker ransomware.

The question for any company is: what would you pay, and what does it cost to defend yourself?

It’s important to look at the data to assess the cost of a cybersecurity breach. Recent numbers from Security Intelligence indicate that “For 13 consecutive years, the United States has held the title for the highest average data breach cost. In 2013, the average total organizational cost of a breach in the U.S. was $5.4 million. But in 2023, the total per breach in the U.S. swelled to $9.48 million, a whopping 75.5% increase. The Middle East was in second place with a cost per breach of $8.07 million. In third place, Canada had a cost of $5.13 million per breach.”

The numbers show that for the last 13 years the healthcare industry has held the top spot for the cost of a data breach. According to Security Intelligence, recent estimates show that healthcare organizations spent $10.93 million per breach on average. For most of the reporting periods, financial and pharmaceuticals have held second and third place in the cost per industry.

Cybersecurity breaches are astronomically expensive, but the other key issue is the recovery time after an attack. Mitnick Security reports that, “According to IBM, it takes, on average, 277 days to identify and contain a data breach. Regardless, the results are devastating. In fact, for every hour of downtime, companies will suffer $100,000, on average.”

What Is Cyber Insurance?

Reinforcing cybersecurity defenses and ensuring an adequate, well-trained professional workforce are the first line of defense, but in anticipation of the escalating trend of cyberattacks, many companies are buying cybersecurity insurance policies in the hope of avoiding huge ransomware payments. What do these policies cost, and what kind of coverage do they provide? According to Travasecurity, cyber insurance is meant to provide organizations with financial security against the adverse effects that a cyberattack may cause. Insurance might cover direct financial loss from a security breach and the services necessary to recover, such as recovery of stolen data, lost income if business is halted, and other associated fines and fees.

Cyber insurance comes in many different forms from many different companies; many enterprises believe it is a worthy investment because the costs of a potential breach are so high. There is cyber insurance for individuals, which typically focuses on protection against identity theft. There is cyber insurance for small businesses and enterprises, which includes first-party coverage, third-party coverage, or both. First-party insurance provides compensation directly to the insured individual or business. Third-party coverage is liability protection for another party when the insured person or business is liable for damages. Third-party coverage can cover compensation to another party as well as the cost of lawsuits and other legal fees.

Covered costs can be significant, including anything from notification systems for affected customers to forensic services for data recovery. Policies also might cover court costs and other legal fees, like claims and settlements for liability. Finally, cyber insurance can cover customer reparations, including public relations services, customer notification systems, and even credit monitoring for the affected customers. So, having these costs covered is a major cyber insurance benefit.

What Does Cyber Insurance Cost?

According to some estimates, cyber insurance for small to mid-sized companies can be fairly inexpensive, ranging anywhere from $250–$5,000 a year for coverage of $250,000 and up per occurrence. Of course, the details are critical: deductibles and the difference between what is and what is not covered in cyber liability insurance will depend on the company and the policy. As with any insurance, it pays to shop around and check reviews and reputation.

The cost of cyber-insurance premiums typically lags behind changes in the threat landscape. In 2020 and 2021, according to a January 2024 article in Dark Reading, ransomware and other disruptive attacks surged, leading to significant costs for the insurance industry. When attacks went up in frequency, premium fees rose in cost, more than doubling year-over-year by the fourth quarter of 2021, according to risk management consultancy Marsh. Throughout 2022 and 2023, however, rate increases slowed and even declined in the second and third quarters of 2023, according to the latest quarterly Global Insurance Market Index report. "Improvements in cybersecurity controls have led to a higher proportion of insureds not paying ransoms, [even though] they may still incur breach response expenses and business income losses to which cyber policies respond," Marsh stated in the report.

Despite its growing pains, the cyber-insurance industry continues to expand, with the value of Direct Written Premiums (DWPs) growing to $5.1 billion in 2023, an increase of 62% year-over-year, according to FitchRatings. While all insurers have tightened up their policies (clarifying the hostile/warlike act exclusions, for example), competition to satisfy businesses' risk needs has only grown, resulting in a softening of prices for coverage, says Shawn Ram, head of insurance for cyber-insurance firm Coalition.

For large enterprises, cyber insurance is widely seen as the cost of doing business, while cyber-insurance underwriting for smaller companies continues to be an area of potential growth. In 2022, the total dollar value of cyber-insurance premiums (including both standalone and packaged policies) surged to $7.2 billion, according to risk-rating agency A. M. Best, which noted that the number of direct premiums for cyber-insurance had tripled in three years.

According to a recent July 2024 report in Dark Reading, the market pendulum has swung in the other direction, meaning prices for insurance are actually falling. Much of the decline is the result of a more competitive marketplace; in the last two years, more insurance companies have started to offer coverage for cybersecurity incidents such as ransomware attacks and data breaches. According to a new report from London-based Howden Insurance, the lower rates are also partly tied to better cyber hygiene overall among a growing number of insured organizations.

Market Trends

According to a report by Munich Re, the cyber insurance market is maturing, even as a significant proportion of cyber risks remain uninsured. Their report highlights the increasing demand for cyber insurance, driven by the rapid advancement of technology such as artificial intelligence and cloud technology, and the growing dependence on IT, IoT, and digital services across global industries. Despite these industry developments, 87% of global decision makers believe their companies are not adequately protected against cyberattacks, indicating a gap in the level of protection offered by the insurance industry, per the report.

The past year has, in fact, seen a surge in cyberattacks, with annual ransom crypto payments doubling to $1.1 billion in 2023 from $567 million in 2022. The manufacturing sector was the most susceptible to ransomware attacks, with 67% of respondents in this sector facing such attacks. Business and professional services, retail and health care all followed with 61% of each sector facing ransomware attacks.

Looking ahead, Munich Re predicts that artificial intelligence will shape the threat landscape in 2024 and beyond. AI is expected to automate and personalize cyberattacks, making them cheaper and faster to distribute. However, AI will also augment the efforts of cyber defenders, improving detection and response capabilities.

The global cyber insurance market, currently worth $14 billion, is expected to double to $29 billion by 2027, due in part to the escalating frequency of cyber-attacks. The cyber insurance market has nearly tripled in size over the past five years, largely due to the commitment of reinsurers and the emerging interest from capital markets in cyber risks. Despite this, only a fraction of the risks has been insured so far. Large corporations still account for the majority of premiums, while small and medium-sized enterprises (SMEs) largely bear their cyber risks independently.

Beyond Insurance: How Do You Minimize Cyber Risk?

How can businesses or organizations lower their cyber risk? A 2023 article from Forbes, referencing information from the Ponemon Institute, indicates that cybersecurity risk can be reduced from 60% to as low as 10% with a good training program.

The article cites five specific steps companies or organizations can take to improve their individual situations.

  • First, there must be “buy-in” at the top; in other words, everyone at the executive level should understand and agree that cybersecurity risk is not just an IT problem.
  • Second, the threat landscape for the company must be adequately assessed and all risks known and named.
  • Third, you need to get a sense of your employees’ risk. What percentage of your employees click on phishing emails or other malicious links? Have you had a business email compromise attack and wired money to the wrong bank? Do you have an insider threat problem?
  • Fourth, you need to view your employees as your first line of defense. The attackers, the criminal gangs, and APT groups are the problem; your employees need to be engaged as part of your defense.
  • Fifth, there must be investment in a good cybersecurity training program. Your cybersecurity training program should adapt to the evolving threats to your environment. It should have continuous learning built in and adapt to your staff as they learn more and progress. Your staff should be able to see the progress they have made, so they know they are improving.

What Can CYRIN Do?

At CYRIN we know that training is critical to keeping and maintaining best practices when it comes to cybersecurity. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.

For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, and especially experiential training, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits.

The best time to plan and prepare is before the attack. Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required.

Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: chainatp
