1. What exactly is cyber insurance?
“Similar to the kind of insurance you might get for a phone or car, cyber insurance is a policy designed to help cover the costs associated with a cyber incident, breach, or specific type of attack. It allows a proportion of the cost incurred – whether that’s from money being stolen or meeting a ransomware demand – to be transferred to the insurance provider. Certain policies may also cover recovery costs, including legal fees and investigations into incidents. While many entry-level policies only cover first-party losses, a growing number are also covering costs for third parties due to an ongoing rise in supply chain attacks.”
2. Why should businesses have a cyber insurance policy? What are some of the key benefits?
“With almost a third of businesses falling victim to a cyber attack in 2023, being targeted is no longer a matter of if, but when. Ransomware attacks are also on the rise, with our research showing ransomware demands have increased by 20% in the last year alone. Having an effective cyber insurance policy can protect businesses from the costs associated with these types of attacks, reducing their financial losses, and allowing them to recover more quickly. This is particularly crucial in the current economic climate, with many businesses (particularly SMEs) unable to shell out hundreds of thousands – or even millions – on ransomware payments. By improving recovery time, the added protection of cyber insurance can also minimise some of the wider impacts of an attack, including damage to reputation and loss of customer data.”
3. Will cyber insurance ever become mandatory?
“The ongoing rise in attacks, combined with the deployment of increasingly sophisticated threat tactics, effectively means cyber risk (the likelihood of being targeted) is increasing for businesses. While barriers to obtaining cyber insurance remain, including cost and a lack of education about how these policies work, we’ll likely see more organisations investing in cyber insurance products over the next few years. With the market already having tripled over the past five years, I think we could well see cyber insurance, like car insurance, becoming mandatory within the next decade.”
4. What impact do you believe this will have on the channel?
“The introduction of mandatory cyber insurance will mature the market in line with channel-first cyber firms, such as Arctic Wolf. Alongside this, it will also create new revenue for channel and consulting businesses, like KPMG, by increasing demand for services offering advice on how cyber insurance policies can be chosen and delivered. However, it’s also important to remember compulsory introduction means every reseller will have to invest in cyber insurance – despite premiums rising by more than 10% in the first three months of last year. This could have a knock-on impact for businesses already struggling financially in the current climate – particularly SMEs with smaller budgets.”
5. How can businesses balance investing in a cyber insurance policy with the need to cut costs?
“While premiums are rising, choosing a policy tailored to what you really need can lower these costs and make cyber insurance more affordable. This can be done by simply running a risk assessment of your organisation using tools such as the NCSC’s Cyber Assessment Framework, identifying the gaps in your line of defence, and choosing a policy offering the right level of coverage. Ensuring you have a well-documented Incident Response (IR) plan can also help businesses prove to their provider they have an effective strategy for responding to a cyber incident. With over 60% of attacks caused by insider threats, providers may also lower their premiums for businesses with an effective cybersecurity training and awareness programme in place, reducing costs further.”
6. How will the cyber insurance market evolve in 2024 and beyond?
“Whether it becomes mandatory or not, cyber insurance is here to stay. We know attacks are rising, tactics are evolving, and the profile of your typical ‘hacker’ is changing day by day. While this makes it difficult to predict exactly where the market will be in thirty years' time, we must ensure businesses, both within and beyond the channel, are sufficiently protected.”