Rethinking Cyber Insurance

Until recently, the underwriting process for cyber insurance was relatively unsophisticated. Insurance company underwriters didn’t have enough data to accurately gauge and price cyber risk, so most applicants filled out a very basic form and received coverage. Because it was easy to get, cyber insurance quickly became de rigeur. The policies were profitable for brokers and carriers, while customers were satisfied to transfer at least a portion of the risk off their balance sheets.

Most companies continue to recognize the value of a cyber insurance that helps defray the costs of a computer breach. However, changes to the cyber threat landscape are making these policies harder to obtain and narrower in the coverage they offer. As a result, even when a company has cyber insurance, it may not cover the totality of its losses due to a cyberattack.

Against this backdrop, Mimecast’s The State of Email Security 2023 (SOES 2023) report reveals stark differences in how companies view cyber insurance and the role that it plays. Participants in the study are sharply divided over whether these policies can serve as a substitute for developing a comprehensive cyber preparedness program.

The Shifting Cyber Insurance Landscape

In recent years, the volume and risks associated with a cyber breach have continued to mount, and the number of ransomware attacks in particular has exploded. As this was happening, many of the cyber insurance policies that were written provided coverage for the cost of investigating and recovering from a ransomware event, including the cost of the ransom, if it was paid. This disincentivized companies from investing more in cybersecurity, even as the threat level kept rising. Money that could have gone towards improving  businesses’ cybersecurity postures was spent elsewhere, leaving the insurance carriers on the hook for hundreds of millions of dollars of ransomware costs, which accounted for 75% of all cyber insurance claims in 2021.[1]

Unsurprisingly, this led insurers to become more selective about what they will cover and to whom they will provide coverage. The cost of policies has risen and — even more concerning from the standpoint of the insureds — coverage limits have not kept pace with the scope and scale of the losses they might incur from a cyberattack.[2]

The days when insurance companies were willing to accept the entire risk of a data breach or fraud are over, and carriers now expect customers to proactively reduce their exposure to these threats. A recent report from the cyber insurance company At-Bay provides a window into this current state of affairs.[3] At-Bay’s analysis of email-related claim filings submitted by its 40,000 small and midsize business policy holders between mid-2018 and May 2022 found that: 

• There’s a significant difference in claim frequency among insureds using different email security solutions. The gap between the best and the worst solutions was 53%.
• Those with a Mimecast email security solution reported the lowest number of incidents. On average, those using Mimecast experienced 22% fewer incidents compared to the population of At Bay insureds using an email security solution as a whole.
• Having a top-tier email security solution in place can lower cyber insurance premiums by up to 50%.

Uncertainty Over Cyber Insurance Policies

Mimecast’s SOES 2023 examines the issue of cyber insurance from another angle. The report, which surveyed 1,700 companies in 13 countries, includes interviews with IT and cybersecurity professionals from 255 smaller businesses with 250 to 500 employees at one end of the spectrum and 153 large enterprises with over 10,000 employees at the other. The results reveal little consensus about cyber insurance: While half (50%) of the companies interviewed were skeptical of the value of these policies as comprehensive protection from cybersecurity threats, almost as many (48%) consider them important additions to their safety net.           

Different industries have widely divergent viewpoints on this question. Less inclined to rely on cyber insurance policies alone are respondents who work in energy (73%), construction (65%), consumer services (65%), and business services (61%). But the majority of respondents in the IT and telecom (55%), healthcare (66%), and media and entertainment (66%) industries strongly agree that insurance provides a good degree of protection.

This split of opinion also holds true for companies of different sizes. A majority (59%) of midsize companies (500 to 1,000 employees) view cyber insurance as an integral part of their cyber preparedness, while six in 10 large enterprises do not.

Regardless of company size or sector, there is strong agreement among those respondents who are inclined to reduce their reliance on these policies that they will need to compensate by investing more heavily in their own cybersecurity defenses (88%).

The Bottom Line

An insurance policy cannot replace a company’s own cyber preparedness plan. While it may make financial sense to insure against cyber risk, even the best cyber insurance can only compensate for damage that’s already been done; it can’t prevent the damage from occurring in the first place. Only an organization’s own cybersecurity defenses can do that. Read more about how companies of all sizes are contending with today’s heightened cyber risks by downloading Mimecast’s SOES 2023 report. 

[1] “Best’s Market Segment Report: Ransomware and Aggregation Issues Call for New Approaches to Cyber Risk,” AM Best

[2] “Rising premiums, more restricted cyber insurance coverage poses big risk for companies,” CNBC

[3] “Ranking Email Security Solutions,” At Bay