Be Prepared for the Cyber Insurance Trends of 2022

January 28th, 2022

Last year, cyber insurance became an essential cornerstone of every information security program, but the cybersecurity insurance market continues to change due to rapidly evolving cyber threats. It can be challenging to stay ahead of risks as ransomware demands increase in size and frequency and supply chain attacks facilitate one-to-many attacks.

Coverage Denials and Claims Rise

With cyber threats like ransomware continuing to track upward and the supply chain and third-party vendors under direct attack, the cyber insurance market is on high alert and its risk model for coverage is changing. According to one insurance provider, price increases, coinsurance, and sublimits on coverages will continue through 2021.

With this sea change comes a dose of reality: premiums are much higher, and coverage may be reduced or denied altogether. Claims have become more complex, and in addition to addressing ransomware payments, coverage must now consider IT forensics, legal costs, business interruption, and funds for data restoration. Businesses will find themselves, their risk profiles, and those of their customers under close scrutiny, with detailed assessments and other documentation necessary to be considered for coverage.

Want to know how cyber insurance got so complicated and how to keep up with the evolving threat landscape? Watch The Perfect Storm for Cyber Insurance: How did it get so complicated?

Reviewing the Cyber Insurance Evolution in 2021

Last year, we saw cyber threat tactics evolving. Ransomware demands increased in size and frequency, and supply chain attacks took the spotlight, facilitating one-to-many attacks that affected IT providers, software vendors, service providers, and users. A 2021 Coalition Cyber Insurance Claims Report shows that social engineering incidents were up 51% over the first half of 2020. According to the report, it will be more challenging to qualify for cyber insurance, and the implementation of many common cybersecurity controls will be required as a condition of coverage. In response, the industry hardened: the risk model for cyber insurance quickly adjusted to these issues, resulting in higher premiums and coverage reductions. Some insurers have pulled back on their coverage altogether, and pricing has increased anywhere from 40 to 60%. Many organizations faced the possibility of losing an existing or prospective client if their cybersecurity posture wasn’t strong enough or if they were unable to receive cyber insurance.

Claims have become more complex, and in addition to addressing ransomware payments, coverage must now consider IT forensics, legal costs, business interruption, and funds for data restoration. Businesses will find themselves, their risk profiles, and those of their customers under scrutiny, with detailed assessments and other documentation necessary to be considered for coverage. While it’s ultimately up to the underwriters, there are steps your organization can take so you are less likely to be denied cyber insurance coverage. Be prepared to prove your cybersecurity program, which should include assessments, testing, policies, training, detection, and response, is in line with your potential risk.

The chances of a sophisticated cyberattack happening to you increase without a comprehensive cybersecurity program that promotes continuous improvement. Managing multiple single-point cyber solutions to have a comprehensive program may not be possible due to the strain on the IT team. Many businesses are looking to purchase cybersecurity insurance to help mitigate the risks of ransomware and meet business demands but face stringent cybersecurity requirements to be eligible.

In 2022, cybersecurity requirements will shift even further as policyholders must prove that the controls they claim are in place are indeed there. To maximize the chances of coverage, organizations will need to keep detailed records of their cyber insurance requirements and demonstrate that there are tools in place to remediate risks continuously. Organizations that cannot verify proper controls will not be renewed, even if the company has had a longstanding policy in place. While costs are rising for both the insurer and the insured, doing nothing to prepare has far-reaching implications.

The Ideal Solution for Cyber Insurance in 2022 

Taking the lessons learned from 2021, organizations should approach the new year with robust cybersecurity programs that are scalable and promote continuous improvement to address evolving threats. Begin with a risk assessment to identify missing controls before seeking or renewing coverage and ensure your program can check all the boxes on a cybersecurity insurance questionnaire and more. This program should include a few key elements, such as:

Awareness Training

A strong company culture is vital to instill your company’s values throughout its leadership, management, and employees. With organizations increasingly becoming reliant on technology, it is more important than ever to instill a cyber-smart culture. A cyber-smart culture means an organization is continuously working to build a general understanding of cybersecurity and awareness of cyber threats. The best way to prevent a cyber-attack is knowing how to recognize a threat, and what actions to take once one is identified. Cyber-attacks are continuously becoming more sophisticated; therefore, companies need to keep awareness training an ongoing process instead of a one-time project.

Find out how your employees can be Champions of Data Privacy

Managed Detection and Response Technology

Breach Detection and Response (BDR) technology is a crucial part of every business's cybersecurity posture, enabling businesses of any type to immediately identify potential threats to their network, systems, and devices, and quickly stop the attack. The best way to avoid losses from a data security breach is to detect these attacks and prevent them from spreading rapidly. BDR significantly reduces the risk of operational downtime and potential loss of business by rapidly addressing active cyber incidents, consistently monitoring for vulnerabilities, and strengthening the overall cybersecurity posture.

Vulnerability Scanning

Organizations without internal security teams are often the target of cybersecurity attacks because they typically have far less data protection than large enterprises. Therefore, it can be much easier for cybercriminals to exploit them as entry points into connections they have with large enterprises, government organizations, partner networks, or consumers. That’s why it’s critically important that businesses of all sizes regularly run vulnerability scans: vulnerabilities are numerous, constantly emerging, and hard to keep track of, making them fertile ground for bad actors looking for new openings to exploit.

Cyber insurance is a critical risk mitigation measure—but it can’t stand alone. Organizations need to focus on both prevention and mitigation. One way to do this is by proactively working to secure their environment and closely following the controls of their cyber insurance or service assurance provider.

More Cyber Insurance Readiness Resources:

Resource: Cyber Insurance Readiness Checklist

Video: Understanding Cybersecurity Insurance

Webinar: The Perfect Storm for Cyber Insurance: How did it get so complicated?

Blog: Getting Cyber Insurance Policy Coverage: Where to Start

Blog: The Cost of Operating Without Cyber Insurance

Blog: Why You Can’t Rely on Cyber Insurance Alone