The Ever-Evolving Cyber Insurance Landscape

Over the past 12 months, organizations have heard the phrases: “ransomware going up,” “hardening cyber insurance market,” “softening security controls,” “reduction in coverage,” “coverage exclusions” and more. The popularity of these phrases suggests that the industry is in disarray or that this market is still experiencing constant change alongside the equally evolving threat landscape. These concepts also validate the value of a comprehensive cyber risk management program with the inclusion of cybersecurity assessments, controls and insurance.


The growth of the cyber insurance market overall can be attributed to the significant rise in the frequency and severity of cyberattacks, growing cybersecurity awareness, evolving compliance and regulatory changes and a higher demand for more financial protection against new cybersecurity threats.



Rise in Attacks

According to an Optiv Vertical Risk Report released in July 2023, healthcare is one vertical that has seen a dramatic increase in ransomware activity, business email compromise threats and data leaks by opportunistic hackers. As the report states, “Ransomware groups and affiliate programs, such as LockBit 3.0, Cl0p, and Vice Society, have been observed and reported to compromise and leak data associated with healthcare institutions including hospitals, private practice offices, and pharmaceutical companies.” Although healthcare organizations have enhanced their cybersecurity posture, this vertical remains a popular target due to the greater likelihood of victims paying a ransom to avoid critical data breaches or system downtime. Health insurance organizations are evaluating their risk management programs to determine whether the financial risk transfer of a cyber event can withstand these larger demands. Cyber insurance carriers are also adjusting their expectations and requirements to extend to the effectiveness of the cybersecurity policies and procedures.



Growing Awareness

Humans are still the most actively engaged portion of business practices. Cyber insurance also recognizes that the requirement of awareness training has enhanced the underwriting process. For this reason, some insurance companies may provide value-added cybersecurity awareness training to increase client opportunities. However, insurance exists to cover the financial losses resulting from errors that occur from a cyber event. Working alongside strategic partners, cyber insurance may continue to grow based on this fact alone. This is because security professionals will need to continually monitor and mitigate cyber risks, such as misconfigured devices or software vulnerabilities. Human interaction with the internet is a valuable component of enterprise management, and cybersecurity training is a crucial part of understanding human error. Since human error is inevitable, cyber insurance helps organizations to minimize their financial losses.



Regulation Changes

Compliance has propelled industry changes for decades. This is also true of cybersecurity and modern-day business operations. Certain industries require third-party vendors to have insurance, and insurers require standard controls to be in place before a policy can be obtained. In addition, certain controls require additional management and guidance. These overlapping changes are designed to enhance the industry sectors. For this reason, the cyber insurance industry continues to see added growth and change.



Demand for Financial Protection

The financial component is one of the most compelling aspects of cyber insurance, including the higher expected costs of the policies and the higher demands for protection. Cyber insurance is designed to help protect an organization from significant financial losses resulting from a cyber event. Costly expenses such as forensic investigations, legal fees and credit monitoring services may be covered under the policy. Fears of a catastrophic event can also force national leaders to evaluate the financial impacts and feasible options of a federal cyber insurance backstop. Many cyber insurance policies now contain warfare exclusions along with the nuances of systemic risk to an insurer. These financial components are also affecting the overall cyber insurance market.



Strategizing for the Future

As Forrester analysts underscore in their blog summary of the National Cybersecurity Strategy, “The call for a federal response to support the existing cyber insurance market is welcomed. This kind of subsidization, however, could be costly to the government, much like individual flood insurance. If exploration moves to enactment, reforms will be needed in the future. Meanwhile, organizations must address the current reality of cyber insurance market dynamics and increasingly stringent requirements for obtaining cyber insurance policies.”


It is an understatement to say that business decision makers are perplexed about cyber insurance. Business entities need to understand that cyber insurance should remain a part of the overall risk management approach, along with risk assessments and mature cyber controls. Heeding advice from strategic cyber partners and insurance brokers will help insureds make more informed decisions as market trends evolve. Learn how to plan for the future with Optiv’s Cyber Insurability Services.

Dara Gibson
Senior Manager, Cyber Insurability Services | Optiv
Dara Gibson has developed and managed cybersecurity services for 5 years. By blending cutting-edge technologies, unique skill sets, and proven cyber strategies, she can create lasting partnerships with clients to protect shareholder value and corporate reputations. As a nationally recognized information security leader, Mrs. Gibson is responsible for designing cybersecurity awareness programs to foster expertise in relationship management with industry leading cyber insurance and legal providers for proactive and reactive cybersecurity capabilities.
