What is Cyber Insurance? A buyer’s guide

Guide to buying cyber insurance

October 19th, 2021 Posted in Information Security

In recent years, the use of cloud applications, electronic communications and smart devices has proliferated across the globe. Businesses have had to adapt and embrace digital business models in order to maintain customer relationships and cement their relevancy in the modern world.  

However, just as digitalisation has changed the nature of how business is conducted, it has also brought with it new risks – and data breaches are now a great concern for companies of all sectors and sizes.  

High-profile attacks and breaches are front of mind in most businesses, from WannaCry in the NHS to ransomware attacks in the private sector. Only recently, the Amazon-owned game streaming platform, Twitch, suffered a major breach, with a large volume of confidential data posted online by the attackers. For the latest statistics, read our discussion of just how big a threat online crime is.

Organisations are increasingly looking to cyber insurance to help mitigate the impact of a breach, should the worst-case scenario occur. In line with this, the cyber security insurance market is expected to reach $17.55 billion in 2033, up from just $4.5 billion in 2017.  

What is cyber insurance?

Traditional business insurance policies pre-date the digital era and the risks of a cyber breach. These corporate policies cover incidents such as commercial general liability or errors and omissions, but they do not cover data security threats. However, as the risk of data loss, data theft and downtime increased, insurers took note, and many created cyber-related policies – or added cyber-related language to their corporate policies.

Today, most insurers provide standalone cyber insurance. These policies typically provide cover in the case of exposure to data breaches, Denial of Service attacks, supply chain attacks, ransomware attacks and social engineering scams.   

Typically, cyber insurance comes under the banner of first-party coverage or third-party coverage. First-party coverage focuses on directly protecting the insured clients from potential damages caused by a data security incident. Comparatively, third-party coverage provides liability coverage for organisations that are accountable for a client’s security. 

The scope of cyber policies can vary considerably, and companies should regularly review their insurance arrangements to ensure adequate coverage as the cyber threat landscape evolves. 

The changing cyber insurance landscape

While cyber insurance can help organisations to recover from the impact of a security incident, it is by no means a silver bullet – and the market is currently undergoing significant changes. Indeed, mainstay cyber insurance providers such as AIG, AXA and Chubb have all recently announced changes to their insurance premiums. In the case of AIG, prices are up nearly 40%, while AXA recently made an agreement, in France, to cease writing insurance policies that reimburse customers for ransomware payments.

These policy edits and spiking prices indicate that the cyber insurance market is on the precipice of disruption. For those companies who have cyber insurance cover, there has never been a more important time to read the fine print of your policy.  

Why is cyber insurance becoming more expensive?

The cyber insurance market is in its infancy. Insurance providers in this space have only come to market in the last 20 years. While some are specialists – solely focused on cyber cover – many providers have bolted on cyber insurance to their wider business offerings. While all sectors must start somewhere, the reality is that there is a lack of historical data that can be used to predict steady premiums.  

On top of this, threat actors are becoming more sophisticated which, in turn, is increasing insurance premiums. Take, for example, the SolarWinds breach or the increasing number of highly targeted business email compromise scams.

In particular, over the pandemic, ransomware reached a new level of notoriety and disruption. Between 2019 and 2020, SonicWall analysis shows that ransomware increased by 170%. As well as this, the average cost of remediation is increasing, up from just over $700,000 in 2020 to $1.8 million in 2021, according to this year’s Sophos report.

The increasing success and sophistication of these threats are challenging the profitability of cyber insurance providers. For example, a recent report by Hiscox found insured cyber losses of $1.8 billion in 2019, up 50% year over year. Insurance players are struggling because their policies are fit for yesterday’s market. They need to be more dynamic and risk-averse in the policies they offer – which is exactly what players like AXA, Chubb and AIG are doing: learning as they go and adapting their policies so that their companies remain profitable.  

What this means for your business

In essence, cyber insurance players are now starting to charge more for less coverage. While this might sound unfair, insurers aim to offer policies proportionate to the risks faced. In the case of data security threats, the risks are growing by the day, meaning that coverage must also become more expensive. As well as this, demand is also soaring – and the law of supply and demand affects prices. The stats underline this. According to broker Marsh McLennan, clients paid 35% more for cyber coverage in the first quarter of this year than they did in the same period last year. At the same time, demand for standalone cyber policies increased by 24% within a single year.  

Moreover, it’s not just that cyber insurance is becoming more expensive. Insurance providers have also become acutely aware of the role of cybersecurity solutions, data protection and incident response in mitigating the impact of a potential data breach. More than ever, they expect their clients to have their own robust defences (see our blog on Ransomware 101) in place and are increasingly asking their clients to complete detailed information security questionnaires or audits before quoting. Cyber insurance is for the worst-case scenario, not a buffer in itself.  

As a result, it’s important your business puts in place adequate measures to protect against data breaches. This could even help to bring your cyber insurance premiums down by lowering your risk profile. As a starting point, we recommend reviewing the National Cyber Security Centre’s (“NCSC”) Cyber Essentials and Cyber Essentials Plus. These are both UK Government-backed standards, which help you to guard against the most common data security threats and demonstrate your commitment to cyber security. For a deeper overview, read our guide on Cyber Essentials.

As well as having the right solutions in place, you also need a plan in place for how to respond to data security incidents. Here, incident response planning is indispensable. Our latest blog also looks at the steps to take in the unfortunate event of a cyber security incident. A solid plan will help you respond to a potential breach calmly and quickly.  

Actions to take

It’s clear that the cyber insurance market is at an inflexion point. If you have cover, we strongly advise that you speak with your insurance provider to establish the scope of your policy, so that you understand the scenarios in which you will be protected and what else may be included (some insurers provide access to incident response specialists, for example). We also advise you to review your security posture, with the aim of becoming as mature and robust as possible. Not only will this help to reduce your premium; it will decrease the chance of a successful breach.  

Looking to the future, as the cyber insurance market continues to evolve, it’s our view the cost of insurance premiums will continue to steadily rise – and also be harder to come by. Insurers will further put the onus on companies to have adequate protections in place before offering protection. In fact, they may even request certifications – such as Cyber Essentials Plus or ISO27001 – in order to offer cover.   

Even then, it’s clear insurers are moving away from being a one-stop shop that absorbs all the costs of a cyber incident. As we have already seen, in cases where ransomware or state actors are involved, insurers may dispute whether they are obliged to pay out. It’s therefore paramount you put the technical controls and policies in place to protect your company.

Need help? 

If you need help or advice on how to manage your business’ cyber security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat. 


Written by Marcus Chambers

Marcus is a senior security consultant specialising in cyber security; including strategy, security transformation, risk management, incident response and supply chain assurance. His career started in the British Army where he delivered multifaceted operational solutions often in austere settings. Since leaving the military, Marcus has worked in senior security consulting roles, across numerous sectors. He has three Masters degrees including an MSc in Information Security from Royal Holloway, University of London; he holds ISACA's CISM and CGEIT certifications; is a Chartered Engineer and a graduate of the British Military's esteemed Advanced Command and Staff Course.