At the beginning of March, I asked - Have you seen the price of cyber insurance? 😱
At that time, insurance premiums were doubling or more, and we predicted:
So 6 months later... Were we right?
Premium increases aren't climbing "as quickly" 😒...
I'm not sure - "it's not a triple-digit increase" - is a cause for celebration, but it is the world we live in.
As predicted, industry-wide exclusions have started to be introduced. Over the summer, you may have missed the Director of Underwriting at Lloyds of London instructing syndicates on cyber insurance policies. Specifically, all cyber insurance policies must include "a suitable clause excluding liability for losses arising from any state-backed cyberattack".
Naturally, the question - How do I know if it's a state-backed cyberattack? - quickly arose. Attribution of cyber attacks is always tricky. And rarely possible without months of research, international collaboration, and government investigatory powers.
There are likely to be many difficult conversations ahead. With - How do you know? - as the crucial question to determine if you have insurance coverage or not.
But businesses are regaining control...
Unfortunately, the cyber insurance premiums of yesteryear are certainly a thing of the past. We won't see them again.
However, a positive sign from the US cyber insurance market is that "insurers have begun to calibrate underwriting and pricing strategies on an account-by-account basis". Meaning if your business has done the excellent work of implementing robust security controls - your premium may stabilise, albeit at an inflated price.
The forecast looks bleak for companies that haven't started getting basic cyber hygiene in place. Marsh expects continued significant premium increases and challenges in getting cyber insurance in the first place.
Never-ending price increases cannot be tolerated. And we're starting to see the pendulum swing back from buying cyber insurance as a default business purchase to a more calculated, considered decision.
In August, The Information reported that JP Morgan is moving to self-insure more of its cyber risk. It's a route we've seen some of our largest customers take this year after carefully considering the numbers.
While it's dressed up as 'self-insurance' by the insurance industry, the plain truth is companies are choosing to accept more cyber risk. That said, after a ransomware attack, you need to have cash on hand to pay for the clean-up and to get your team back to business.
Sophos estimate it costs (on average) $1.4M to recover from a ransomware attack in 2022. While impressive, it's not a helpful number... How many employees does the average business have? How big is the infrastructure?
At Fresh Security, we've helped several mid-sized businesses (~200-500 employees) respond to ransomware attacks in the last year. From our experience, we see insurers paying £1000+ per employee to recover.
Recently, a new customer told me, "Cybersecurity is a cost you're going to pay. The only question is whether you pay it before an attack or after."
Our £1000+ per employee recovery estimate seems remarkably close to the $1,300+ average cybersecurity budget calculated by Deloitte.
I think our new customer may have a point. 😀 👍