Numerous high-profile cyberattacks and ransomware attacks have been reported at companies around the world in 2021. Cyberattacks have hit industries from meat processing to health care, as networked computing systems have become an integral part of business, nonprofit, and government operations everywhere. As these attacks continue, the role of cyber insurance in helping to protect companies has become more prominent.
In this midyear 2021 market update, AdvisorSmith examines the major trends in the cyber insurance marketplace, from pricing to coverage. With the rise in attacks and risk exposure for insurers, major changes have started to take place in the cyber insurance market, beginning in 2020, and carrying through to 2021.
Average Cost of Small Business Cyber Insurance in 2021
Based upon our review of cyber insurance premium costs, rate filings, and surveys of insurance brokers, AdvisorSmith estimates that the average cost of cyber insurance for small businesses has risen approximately 7% for 2021 policies, leading to estimated average annual premiums for small businesses of $1,589 for $1 million in cyber liability coverage. This pricing is based upon coverage for low-risk businesses with up to $1 million in revenue.
Our annual cyber insurance cost analyses showed that in 2020, the average cost for cyber insurance was $1,485 per year, which was slightly lower than in 2019, when average costs were $1,501 per year. A jump of 7% for premiums in 2021 is significant and clearly reflects the growing risks of insuring against cyber and ransomware attacks.
Major Trends in the Cyber Insurance Market
As the cyber insurance market continues to evolve, and news of cyberattacks making headlines on an almost daily basis, our analysts have noted a few major trends in the cyber insurance market:
- Cyberattacks are on the rise, with attacks becoming more frequent and losses becoming more severe.
- Ransomware accounts for a higher proportion of losses, with victims paying a 311% increase in ransoms in 2020. In 2021, there were major ransomware attacks on Colonial Pipeline, a major gas pipeline, JBS Foods, one of the largest meat processing companies in the world, and even AXA, a major provider of cyber insurance.
- Demand for cyber insurance has increased, especially from midsize and large enterprises. According to data from a leading insurance broker which services primarily enterprise clients, the percentage of their clients with cyber insurance increased from roughly 25% in 2016 to just under 50% in 2020.
- The number of cyber insurance policies written nationwide has increased from 2.2 million in 2016 up to 3.6 million in 2019. Premium volumes increased from $2.1 billion in 2016 up to $3.1 billion in 2019.
- The number of insurers in the cyber insurance market increased by 35% between 2016 and 2019, but the market is quite concentrated, with 10 U.S. insurers accounting for 70% of premiums written in the cyber insurance market.
- Premiums for cyber insurance have increased the most for midsize and large companies, with estimated premiums rising by approximately 20% for this market segment.
- Insurers in some high-risk sectors are reducing their exposure by reducing coverage limits or reducing coverages, and also placing lower limits on ransomware payouts. Some of the industries where insurers have reduced their exposures include health care and education.
- Some insurers have been reducing their cyber risk exposure by adding more restrictive policy terms and including additional exclusions to their cyber and non-cyber policies.
What does cyber insurance cover?
Cyber insurance covers financial losses from data breaches, hacking, viruses, denial of service attacks, and other similar cyber events. Cyber threats such as social engineering fraud and phishing may be covered by a cyber policy, depending on the insurer. Cyber insurance has two major components: third-party liability coverage and first-party coverage.
First-party coverage protects your company when you incur expenses from a data breach or when your company is hacked. You may choose to purchase either or both types of coverage.
Third-party coverage provides protection when a customer, vendor, partner, or other party sues you for allowing a data breach to happen.
First-party coverage provides protection against the financial losses your business incurs due to a data breach, hack, or other cyber event.
First-party coverage can provide for the costs of responding to and recovering from a data breach. These costs can include:
- Notifying your customers or employees affected by the breach
- Providing credit monitoring services to those affected
- Hiring technical consultants or lawyers
- Advertising and public relations costs
If your company’s electronic data is lost, damaged, or corrupted due to a hack, virus, or denial of service attack, you can be covered under first-party coverage. This coverage also extends to data belonging to others stored on your systems.
First-party coverage will reimburse your company for the costs to restore or recover the lost or damaged data, as well as the costs to hire consultants to help you restore or repair your data.
Business income insurance, also known as business interruption insurance, is also available on many cyber insurance policies. A typical business income insurance policy that is attached to a commercial property policy only covers perils that cause physical damage. Usually, commercial property coverages do not provide coverage for electronic data.
If the loss or destruction of data leads to a disruption in your ability to do business, this coverage can pay for the loss of business income your business experiences.
First-party coverage can also cover cyberextortion. If your business is threatened with damage to your computer systems or networks unless you pay a ransom, this insurance can provide coverage.
First-party coverage can also provide coverage for the money you spend to respond to the extortion demand, in addition to any ransom you pay. The insurer’s consent is usually required before you pay these expenses.
Third-Party Liability Coverage
The third-party liability coverage provided by cyber insurance provides protection against lawsuits filed by clients or others against your business as a result of a breach of their security or privacy. These lawsuits can accuse your business of failing to adequately protect data you possess that belongs to customers, employees, vendors, or others.
Some of the claims and costs that third-party liability may cover include:
- Legal expenses
- Network security claims
- Privacy claims
- Employee privacy liability
- Regulatory fines
What are the most frequent cyber insurance claims?
The most frequent causes of cyber insurance claims are hacking, ransomware, phishing, and employee negligence. Having cyber insurance can protect your business against the financial consequences of some of these common cyber threats.
Hacking claims account for some of the most common cyber insurance claims. If a hacker breaks into your company’s computer network and steals data, your company may be liable for a variety of costs to recover from and mitigate the damage from the hack. These costs may include forensic services to determine the cause and extent of the hack, legal costs to defend against third-party lawsuits related to the hack, notification and credit monitoring services for affected individuals, public relations costs, and regulatory fines and penalties.
Ransomware attacks occur when malicious software is installed on your company’s systems and your company’s data or critical software is threatened unless you pay a ransom. In these cases, cyber insurance can pay for the costs of the ransom so that your company’s data or systems can be recovered. Many cyber liability policies provide very limited coverage for ransomware or cyber extortion attacks, with coverage sublimits as low as $25,000, even when the cyber liability policy has a much higher total limit.
Phishing attacks induce your employees to disclose passwords or other login credentials to hackers. These attacks can happen when employees click on malicious links embedded in emails or on the web. They can also occur over the phone when your employees are tricked into disclosing passwords or other sensitive information. With phishing attacks, criminals can log into your company’s systems and steal data or conduct unauthorized financial transactions.
Employee negligence claims can arise from something as simple as an employee losing a laptop that contains sensitive customer or employee data. In the case of employee negligence, your company could be liable for lawsuits related to lost data, notifying affected individuals and providing them with credit monitoring services, public relations costs, and fines and penalties.
Purchasing Cyber Liability Insurance
There are a variety of insurers and brokers in the market, and it may be difficult sorting through all of the options. AdvisorSmith analyzed a variety of cyber policies and determined the best cyber insurance companies for small businesses. To determine the best cyber insurers, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites.
| Rank | Insurer | AdvisorSmith Rating |
|---|---|---|
| 1 | Hiscox | 4.9 / 5.0 |
| 2 | Chubb | 4.8 / 5.0 |
| 3 | The Hartford | 4.7 / 5.0 |
| 4 | AIG | 4.7 / 5.0 |
| 5 | CNA | 4.6 / 5.0 |
| 6 | Arch | 4.5 / 5.0 |
| 7 | Hanover | 4.5 / 5.0 |
| 8 | Intact | 4.4 / 5.0 |
| 9 | Beazley | 4.3 / 5.0 |
| 10 | Axis | 4.3 / 5.0 |
As ransomware and cyberattacks hit businesses at an ever-increasing pace, the cyber insurance market continues to adapt and change with the growing risks. The impact on businesses is now evident in premium increases and reduced coverage, but it will be interesting to see what is in store for the rest of the year. Stay tuned for our annual cyber insurance cost update, which will be released in early 2022.
- AdvisorSmith, Average Cost of Cyber Insurance
- U.S. Government Accountability Office, Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market, May 2021
- Institute for Security and Technology, Combating Ransomware
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
- Associate Professor of Computer Science
- Stony Brook University
- Professor of Computer Information Systems
- The University of Akron
- Professor of Risk Management and Insurance
- Old Dominion University
- Professor and Chair, Risk Management & Insurance
- University of Calgary
- Associate Professor, Computer Science and Information Technology
- Trine University
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
John: The direction of the cyber insurance market is a mixed bag right now. In the short term, I see tremendous growth opportunities. Many companies, especially small businesses, are woefully unprepared in terms of cybersecurity. When you combine that with the increase of data privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, California Consumer Privacy Act of 2018 (CCPA), Stop Hacks and Improve Electronic Data Security (SHIELD) Act in New York, as well as the myriad of privacy laws being implemented in all 50 states, businesses have liabilities of which they might not be aware. Some of these laws have stiff financial penalties if customer data is compromised.
Because of these additional liabilities, it is in the best interest of all businesses to acquire some level of insurance.
That being said, cybercrime has morphed into cyber warfare. As nation-states such as Russia, China, and Iran militarize the cyberattacks, they will—and are—becoming more sophisticated. With that, the damage to our economy will become greater, which means insurance companies will be paying out more in claims. That may lead to the cyber insurance market becoming unsustainable. At some point very soon, there will need to be a national policy implemented and that will affect the cyber insurance industry.
Nick: The main insurability challenge is to estimate both the amount of risk of any given network/company and the level of necessary insurance. Estimating the replacement cost of a car or a house is significantly easier than estimating the cost of an intrusion that compromised the data of a few million users.
Michael: I see the cyber insurance market hardening, meaning becoming more expensive for policyholders. Cyber insurance is difficult to price for insurers, so they protect themselves by putting sublimits on the amount of coverage available for types of cyberattacks that have recently caused major losses. In short, it might be more difficult to buy high insurance limits for ransomware attacks, ransomware coverage may be excluded from cyber insurance packages, and, if available, the coverage for ransomware could become more expensive.
Anne: What we’ve seen from the time cyber insurance was first offered is that demand keeps increasing, and insurers have been trying to, over time, develop the right analysis tools and insurance policy wordings to make things work. Demand will continue to increase, and the tricky part for insurers is understanding what part of the risk is actually insurable.
One of the characteristics of risk that is important for insurability is you have to be able to determine when a loss occurs, and you have to be able to measure the loss. With cyberattacks, sometimes companies don’t know for months that they’ve even been breached. This lag time creates problems in determining when a loss has occurred. Additionally, measuring the loss and determining the economic value of stealing people’s private information, in some instances, is very difficult to actually put a dollar figure on. Both of these issues are problematic.
When you think about insurance—insuring cars or homes—we have lots of data, and we can calculate what an appropriate premium is. With cyber insurance, this is very difficult to do because of the nature of the attacks.
Bill: Cyber insurance is a growing industry. Businesses already purchase liability insurance to protect themselves when a customer is injured onsite. Cyber insurance is becoming a common way to protect the business when a customer’s sensitive information is compromised.
Businesses can manage risk in several different ways: avoid the risk, mitigate the risk, accept the risk, or assign the risk. A business can avoid the risk of cyberattack by not having an online presence. The business can mitigate, or lower, the risk by taking actions to lessen the impact of a cyberattack. The business can accept the risk and pay all of the expenses associated with a cyberattack. With these first three ways to manage risk, the business may have a large financial outlay to recover from a cyber attack. With the last way to manage risk, a business can assign the risk by purchasing insurance.
Cyber insurance will cover the business’ liability due to a cyberattack, including the costs associated with helping their customers recover from the leak of sensitive customer information. These expenses may include credit monitoring services and identity theft recovery services for the affected customers.
In the case of a ransomware attack, the business’ data, and possibly all of its customers’ information, is being held hostage until a ransom is paid. The cyber insurance would pay the ransom to once again give the business access to its own data! Without the insurance, the business would either need to pay the ransom itself or use a system backup to restore the data. In some cases, an older backup will need to be used because the more recent backup copies have also been compromised by the ransomware’s malicious software.
Cyber insurance does not cover all losses. For example, a breach of the system can hurt the reputation of the business resulting in lost customers, and lost potential income, due to poor public perception.
Even with insurance, businesses need a layered approach to protect access to the networks, protect customer information, and a plan for recovering from future cyber attacks.
Q. Should small businesses be concerned about cyber risk?
Nick: The vast majority of cyberattacks are opportunistic and driven by profit. In the same way that individuals can get their accounts hacked even though these individuals may not be particularly popular or wealthy, a small company can also get hacked, not necessarily because attackers want to go after that specific company, but because they were one of the many hundreds of thousands of possible targets.
In many ways, if we assume that smaller companies have less secure systems and networks, a reasonable (from an attacker’s point of view) strategy would be to attack thousands of small companies asking for relatively modest sums (e.g. in the case of ransomware) from each one vs. going after a really large company, needing to bypass multiple security systems, to ask a single large ransom.
John: All businesses should be not only concerned about cyber risk, but it should be the number one focus of all businesses. I think it is common for small businesses to think they are too small to be targeted, but that is erroneous and dangerous thinking. The cyberattacks cast a wide net. There are targeted attacks for purposes of cyber terrorism that focus on large companies, but small companies are just as much at risk as larger companies.
While there are many different forms of cyberattacks, the big game is the collection of personally identifiable information (PII) of the employees and customers of a business. That means login IDs, passwords, addresses, phone numbers, Social Security numbers, and anything that can identify an individual. That information is then sold on the dark web and paid for in hard-to-trace cryptocurrency.
I recently read that passwords are going for $12-$39 each on the dark web. So, if I am a hacker, and I see that you have even a small number of contacts and employees, I can still profit from that data.
Small companies are easy targets because the security is often lax because of budgets, lack of knowledge, or both. Good hackers can penetrate thousands of small, under-protected companies faster than they could get into one large, well-protected company. The end result is the same: They have stolen thousands of pieces of PII, and they have sold it on the dark web for thousands of dollars. It is easy money—if you don’t mind a visit from Interpol.
In addition, nation-states like Russia are refusing to extradite the cybercriminals to the country where they committed the cybercrime. This makes it hard to stop the offenders.
Michael: Yes, large businesses typically have dedicated risk managers and chief information security officers (CISOs) whose job is to focus on managing cyber risk. Small businesses do not have such positions, and dealing with cyber risk and buying cyber insurance is often just one duty of an employee with many other duties. Cybercriminals may give up on attacking well-defended large businesses and go after small businesses, which are much easier to successfully attack.
Anne: Everybody has to worry, to be honest, just like we as individuals also need to be concerned about our own cybersecurity. Small businesses can be very vulnerable because they don’t have the resources that larger businesses have. Depending on the business, especially if they store customer information like credit cards, they can just as easily be targeted. One should not assume that you’re not a target.
That being said, the amount of resources spent or dedicated to cybersecurity is going to be proportional to the company size, but it is important to practice good cyber hygiene.
Bill: All businesses with an online presence should be concerned about, and plan for, cyberattacks. The vast amount of sensitive information available via the Internet makes all businesses targets of cyber criminals. All businesses, regardless of size, can become the victims of ransomware, fraud attacks, phishing attacks, and other scams.
Should small businesses be as concerned as large businesses? Yes! Large businesses are a target, not only because of the potential haul of sensitive information, but because the large business is more likely to be known to the public and potential hackers. However, large businesses are more likely to have the advanced resources to properly protect themselves from cyberattacks. Small businesses, on the other hand, may be less of a target, but may have systems that are easier to breach. For that reason, small businesses should be just as concerned about cyberattacks as large businesses.
Q. How can a business effectively organize and manage cyber risk?
Nick: One of the key elements of managing cyber risk is asset management. As companies grow, networks, servers, and software also grow. Unless a company has a systematic way of asset management, i.e., knowing the existence, location, and status of each asset, sooner or later, one of these assets will be forgotten.
A forgotten asset is an asset that never receives security patches and is not monitored for signs of intrusion. Most of the high-profile attacks that we eventually find out about, start with the exploitation of a forgotten asset (such as a server running an outdated piece of software) that was vulnerable to a well-known attack.
For example, the 2017 Equifax hack that compromised the data of hundreds of millions of U.S. consumers started with the exploitation of a two-month-old vulnerability on a server in Equifax’s internal network. Due to the asymmetry of cybersecurity, this “game” favors the attacker.
To defend itself, a company needs to protect all of its systems, whereas, to be successful, an attacker needs to discover just a single vulnerable system. Comprehensive asset management (combined with other techniques such as penetration testing and intrusion detection) are necessary components of a modern defense strategy.
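The "forgotten asset" idea above is easy to operationalize: reconcile what the asset register says you own against what is actually seen on the network, and flag anything unowned, unpatched, or unmonitored. The following script is an added illustration, not code from AdvisorSmith or from the expert quoted; the inventory, the observed host list, the hostnames, and the 30-day patch threshold are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the article): what the asset register
# claims the company owns, and which hosts were actually observed this week
# (for example from DHCP leases or switch port tables).
INVENTORY = {
    "web-01":  {"owner": "it",      "last_patched": "2021-06-20", "monitored": True},
    "db-01":   {"owner": "it",      "last_patched": "2021-06-18", "monitored": True},
    "hr-app":  {"owner": "hr",      "last_patched": "2021-01-05", "monitored": False},
    "old-ftp": {"owner": "unknown", "last_patched": None,         "monitored": False},
}
OBSERVED_HOSTS = ["web-01", "db-01", "hr-app", "old-ftp", "printer-lobby", "dev-box-7"]


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def find_forgotten_assets(inventory, observed, today, max_patch_age_days=30):
    """Return one Finding per condition that makes a host a likely 'forgotten asset'."""
    findings = []
    # 1. Hosts on the wire that the register does not know about at all.
    for host in observed:
        if host not in inventory:
            findings.append(Finding(host, "not in asset register"))
    # 2. Registered hosts that nobody owns, nobody patches, or nobody watches.
    for host, rec in inventory.items():
        if rec["owner"] == "unknown":
            findings.append(Finding(host, "no owner assigned"))
        if rec["last_patched"] is None:
            findings.append(Finding(host, "never patched"))
        else:
            age = (today - date.fromisoformat(rec["last_patched"])).days
            if age > max_patch_age_days:
                findings.append(Finding(host, f"last patched {age} days ago"))
        if not rec["monitored"]:
            findings.append(Finding(host, "not sending logs to monitoring"))
    return findings


def hosts_needing_attention(findings):
    """Collapse findings to the set of hosts that need a human to look at them."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    # Fixed 'today' so the output is reproducible; a real run would use date.today().
    for f in find_forgotten_assets(INVENTORY, OBSERVED_HOSTS, date(2021, 6, 30)):
        print(f"{f.host:14s} {f.reason}")
```

Run it weekly against the real register and a real observation source; any host that appears in the second list but not the first is exactly the kind of system that never gets a patch and never gets watched.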
John: The first and best thing for all businesses to do is to regularly back up data. Ideally, this should be done daily if not more often. Use a hybrid approach: Save your data in the cloud and have an air-gapped (removable hard drive that is used to back up data and then immediately removed from the machine) backup that is kept locally. For the local backup, it is good to have two devices that are never in the same place at the same time. I use three. This will allow for quick recovery in the event of a disaster, but more importantly, if you have your data secured and air-gapped, you will not have to pay the ransom because you can restore the files immediately.
Secondly, educate yourself and your employees about cybersecurity. Learn about phishing emails and social engineering. Develop and enforce cybersecurity best practices such as strong passwords, two-factor authentication (TFA), and computer usage policies. These will be inconvenient for many, but they reduce your risk and liability considerably. Many of these privacy laws are built around the National Institute of Science and Technology (NIST) Special Publication SP 800-171 found here.
Finally, realize that this is a non-partisan issue. This is happening to everyone, every day, all of the time. Both sides of the fence, urban and rural, in all states.
Many businesses spend money on cameras, security guards, alarm systems, and perhaps even personal protection in the event something might happen. Cybercrime and cyber warfare are happening, and cybersecurity is an investment you must make in addition to the physical security measures.
Welcome to the 21st century.
Michael: Companies without specialized cyber risk management expertise will need to rely on insurance brokers to put together a sufficient cyber insurance package. So choosing a broker that has expertise in cyber is important. The main way cyber attackers penetrate a company, especially for ransomware, is by sending out a phishing link to employees and hoping one of the employees clicks on the link. Businesses should offer regular training to their employees on how not to become a victim of a phishing attempt.
Anne: First, get a handle on the situation. Know your computers, make sure you’re not vulnerable in easy ways in terms of networks, employees using their own computers, etc. You need to take an assessment of things. How is IT used in your company, and what are some of the vulnerabilities?
A big issue that companies are worried about right now is third-party vendors and the ways that third-party vendors can compromise different IT systems. That’s something that small businesses should pay attention to. Companies must also be very clear on what IT security management or cyber risk management protocols are in your company, so you know that employees all have the correct information and that it’s enforced in terms of how people behave.
In general, don’t assume you’re not at risk, and be aware that it’s a very dynamic environment. As the technology, applications, or suppliers you’re using change, you’ll need to think on an ongoing basis in terms of how your risk may be shifting over time.
Bill: A business can effectively organize and manage cyber risk by having layers of protection. Protection requires resources, with the investment of time having the greatest impact. Businesses need to make the time to configure the systems and train the employees.
Data is the most valuable asset owned by a company. A simple way to protect against the loss of data is to routinely back up the data and keep multiple generations of these backups. There are many backup schemes, but all of them boil down to three steps: make a plan, make the backup, and store the backup offsite.
First, make a plan. Decide what data needs to be saved, how often the data should be saved, and how the data will be restored after the disaster. The longer time between backups, the more potentially lost data.
Second, actually make the backup. It does no good to have a plan that was never implemented. The data can be backed up in real time via an online service or via a RAID (Redundant Array of Independent Disks) system. If a real-time backup system is not possible, the data can be backed up at regular intervals during the day, at the end of the day, or every other day.
Last, store the backup off site so that both the original and backup are not lost in the same disaster. If a disaster were to happen, the backups can be used to restore the data that was lost.
All businesses should secure access to their local area networks (LANs). At a minimum, firewalls should be used to limit the traffic entering and exiting the LAN. Internet traffic between a source and destination is assigned a port address. For example, regular Internet traffic is on port 80, secure Internet traffic is on port 443, and incoming email can be on ports 110, 143, 193, or 195. However, someone can send traffic on any of the 65,536 available ports. By closing unused ports, the firewall restricts traffic into and out of the LAN.
The content of the traffic can be monitored and filtered. The firewall can stop unapproved applications from sending out previously identified sensitive information, like account numbers, as well as stop unsolicited updates that may contain malicious software. By identifying and blocking this traffic, the business has lessened the risk of sensitive information falling into the wrong hands.
All company-owned computers and mobile devices should be secured. These devices should have passwords to limit access, have the latest software updates installed, and have a way to physically protect the device.
Passwords should be unique and strong. Reused passwords put multiple accounts at risk, if compromised. Strong passwords contain upper case characters, lower case characters, numbers, and special characters. The stranger the password looks, the less likely it is that someone will guess the password.
All operating system and application software should have the latest updates installed. Updates close known security holes. Older versions of the software allow hackers to exploit the holes to gain access to the system or device. By simply applying the latest updates, the systems and devices are less vulnerable to successful attacks.
Devices need to be physically protected to prevent loss and access to the sensitive information available via the device. Onsite servers, network equipment, and desktop devices can be bolted in place. Company-owned laptops used by employees can be secured to a table with a cable when the employee is using the laptop away from the office. Laptops, smart phones, and tablets can be set to delete their contents if an incorrect password is entered too many times.
Businesses should train their employees to not click on links or open attachments in unsolicited email messages. These phishing attacks usually state that an account has unusual activity, a warning stating the account will be shut down if action is not taken immediately, and conveniently provide a link for the recipient to click. The link takes the email recipient to a clone website intended to capture an ID and password. If an email is received from the bank, for example, train the employees to go to the bank’s website instead of clicking the link in the phishing email.
Everyone at the business needs to use common sense to help protect the business’ sensitive information.
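The backup advice in the answer above (plan, make the backup, keep multiple generations, and expect that the newest copy may itself have been touched by the ransomware) can be checked mechanically. The script below is an added example, not code from AdvisorSmith or the experts quoted: it writes a SHA-256 manifest with each backup generation, verifies a generation against its manifest before it is trusted for restore, walks generations newest-first to find the most recent intact one, and applies a simple daily/weekly/monthly retention rule. The file names, dates, and the "corrupted newest copy" scenario in `demo()` are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import date, timedelta


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_root, when):
    """Copy src_dir to backup_root/<date> and store a SHA-256 manifest beside it."""
    dest = os.path.join(backup_root, when.isoformat())
    shutil.copytree(src_dir, dest)
    manifest = {}
    for root, _, files in os.walk(dest):
        for name in files:
            p = os.path.join(root, name)
            manifest[os.path.relpath(p, dest)] = sha256_file(p)
    with open(dest + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return dest


def verify_backup(dest):
    """True only if every file still matches the digest recorded at backup time."""
    with open(dest + ".manifest.json") as f:
        manifest = json.load(f)
    for rel, digest in manifest.items():
        p = os.path.join(dest, rel)
        if not os.path.exists(p) or sha256_file(p) != digest:
            return False
    return True


def newest_intact_backup(backup_root):
    """Newest generation whose manifest still verifies, or None if none do."""
    names = sorted(n for n in os.listdir(backup_root) if not n.endswith(".json"))
    for name in reversed(names):
        dest = os.path.join(backup_root, name)
        if verify_backup(dest):
            return dest
    return None


def generations_to_keep(dates, daily=7, weekly=4, monthly=3):
    """Grandfather-father-son retention: the set of backup dates worth keeping."""
    ordered = sorted(dates, reverse=True)
    keep = set(ordered[:daily])
    weeks, months = {}, {}
    for d in ordered:                       # newest date in each ISO week / month
        weeks.setdefault(d.isocalendar()[:2], d)
        months.setdefault((d.year, d.month), d)
    keep.update(sorted(weeks.values(), reverse=True)[:weekly])
    keep.update(sorted(months.values(), reverse=True)[:monthly])
    return keep


def demo():
    """Constructed scenario: three nightly backups, the newest corrupted afterwards."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "data")
    root = os.path.join(work, "backups")
    os.makedirs(src)
    os.makedirs(root)
    with open(os.path.join(src, "customers.csv"), "w") as f:
        f.write("id,name\n1,alice\n")
    made = []
    for i in range(3):
        with open(os.path.join(src, "ledger.txt"), "w") as f:
            f.write(f"day {i}\n")
        made.append(make_backup(src, root, date(2021, 6, 1) + timedelta(days=i)))
    # The ransomware case from the answer: the most recent copy is overwritten.
    with open(os.path.join(made[-1], "ledger.txt"), "w") as f:
        f.write("ENCRYPTED\n")
    result = {
        "newest_verifies": verify_backup(made[-1]),
        "restore_from": os.path.basename(newest_intact_backup(root)),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The manifest should live on the offsite or air-gapped copy together with the data; a manifest that sits only on the machine being backed up can be rewritten by the same malware that rewrites the files.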