Take a look at our mid-year update on the rising average costs of cyber insurance in 2021.
Numerous high-profile cyberattacks and ransomware attacks have been reported at companies around the world in 2021. Cyberattacks have hit industries from meat processing to health care, as networked computing systems have become an integral part of business, nonprofit, and government operations everywhere. As these attacks continue, the role of cyber insurance in helping to protect companies has become more prominent.
In this midyear 2021 market update, AdvisorSmith examines the major trends in the cyber insurance marketplace, from pricing to coverage. With the rise in attacks and risk exposure for insurers, major changes have started to take place in the cyber insurance market, beginning in 2020, and carrying through to 2021.
Average Cost of Small Business Cyber Insurance in 2021
Based upon our review of cyber insurance premium costs, rate filings, and surveys of insurance brokers, AdvisorSmith estimates that the average cost of cyber insurance for small businesses has risen approximately 7% for 2021 policies, leading to estimated average annual premiums for small businesses of $1,589 for $1 million in cyber liability coverage. This pricing is based upon coverage for low-risk businesses with up to $1 million in revenue.
Our annual cyber insurance cost analyses showed that in 2020, the average cost for cyber insurance was $1,485 per year, which was slightly lower than in 2019, when average costs were $1,501 per year. A jump of 7% for premiums in 2021 is significant and clearly reflects the growing risks of insuring against cyber and ransomware attacks.
Major Trends in the Cyber Insurance Market
As the cyber insurance market continues to evolve, and with news of cyberattacks making headlines on an almost daily basis, our analysts have noted a few major trends in the cyber insurance market:
- Cyberattacks are on the rise, with attacks becoming more frequent and losses becoming more severe.
- Ransomware accounts for a higher proportion of losses, with ransom payments by victims rising 311% in 2020. In 2021, there were major ransomware attacks on Colonial Pipeline, a major gas pipeline, JBS Foods, one of the largest meat processing companies in the world, and even AXA, a major provider of cyber insurance.
- Demand for cyber insurance has increased, especially from midsize and large enterprises. According to data from a leading insurance broker that primarily serves enterprise clients, the percentage of its clients with cyber insurance increased from roughly 25% in 2016 to just under 50% in 2020.
- The number of cyber insurance policies written nationwide has increased from 2.2 million in 2016 up to 3.6 million in 2019. Premium volumes increased from $2.1 billion in 2016 up to $3.1 billion in 2019.
- The number of insurers in the cyber insurance market increased by 35% between 2016 and 2019, but the market is quite concentrated, with 10 U.S. insurers accounting for 70% of premiums written in the cyber insurance market.
- Premiums for cyber insurance have increased the most for midsize and large companies, with estimated premiums rising by approximately 20% for this market segment.
- Insurers in some high-risk sectors are reducing their exposure by lowering coverage limits, narrowing the coverages offered, and placing lower sublimits on ransomware payouts. Industries where insurers have reduced their exposure include health care and education.
- Some insurers have been reducing their cyber risk exposure by adding more restrictive policy terms and including additional exclusions to their cyber and non-cyber policies.
As ransomware and cyberattacks hit businesses at an ever-increasing pace, the cyber insurance market continues to adapt and change with the growing risks. The impact on businesses is now evident in premium increases and reduced coverage, but it will be interesting to see what is in store for the rest of the year. Stay tuned for our annual cyber insurance cost update, which will be released in early 2022.
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
- Associate Professor of Computer Science, Stony Brook University
- Professor of Computer Information Systems, The University of Akron
- Professor of Risk Management and Insurance, Old Dominion University
- Professor and Chair, Risk Management & Insurance, University of Calgary
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
John: The direction of the cyber insurance market is a mixed bag right now. In the short term, I see tremendous growth opportunities. Many companies, especially small businesses, are woefully unprepared in terms of cybersecurity. When you combine that with the increase of data privacy laws, such as the General Data Protection Regulation (GDPR) in the European Union, California Consumer Privacy Act of 2018 (CCPA), Stop Hacks and Improve Electronic Data Security (SHIELD) Act in New York, as well as the myriad of privacy laws being implemented in all 50 states, businesses have liabilities of which they might not be aware. Some of these laws have stiff financial penalties if customer data is compromised.
Because of these additional liabilities, it is in the best interest of all businesses to acquire some level of insurance.
That being said, cybercrime has morphed into cyber warfare. As nation-states such as Russia, China, and Iran militarize the cyberattacks, they will—and are—becoming more sophisticated. With that, the damage to our economy will become greater, which means insurance companies will be paying out more in claims. That may lead to the cyber insurance market becoming unsustainable. At some point very soon, there will need to be a national policy implemented and that will affect the cyber insurance industry.
Nick: The main insurability challenge is to estimate both the amount of risk of any given network/company, as well as the level of necessary insurance. Estimating the replacement cost of a car or a house is significantly easier than estimating the cost of an intrusion that compromised the data of a few million users.
Michael: I see the cyber insurance market hardening, meaning becoming more expensive for policyholders. Cyber insurance is difficult to price for insurers, so they protect themselves by putting sublimits on the amount of coverage available for types of cyberattacks that have recently caused major losses. In short, it might be more difficult to buy high insurance limits for ransomware attacks, ransomware coverage may be excluded from cyber insurance packages, and, if available, the coverage for ransomware could become more expensive.
Anne: What we’ve seen from the time cyber insurance was first offered is that demand keeps increasing, and insurers have been trying to, over time, develop the right analysis tools and insurance policy wordings to make things work. Demand will continue to increase, and the tricky part for insurers is understanding what part of the risk is actually insurable.
One of the characteristics of risk that is important for insurability is you have to be able to determine when a loss occurs, and you have to be able to measure the loss. With cyberattacks, sometimes companies don’t know for months that they’ve even been breached. This lag time creates problems in determining when a loss has occurred. Additionally, measuring the loss and determining the economic value of stealing people’s private information, in some instances, is very difficult to actually put a dollar figure on. Both of these issues are problematic.
When you think about insurance—insuring cars or homes—we have lots of data, and we can calculate what an appropriate premium is. With cyber insurance, this is very difficult to do because of the nature of the attacks.
Q. Should small businesses be concerned about cyber risk?
Nick: The vast majority of cyberattacks are opportunistic and driven by profit. In the same way that individuals can get their accounts hacked even though these individuals may not be particularly popular or wealthy, a small company can also get hacked, not necessarily because attackers want to go after that specific company, but because they were one of the many hundreds of thousands of possible targets.
In many ways, if we assume that smaller companies have less secure systems and networks, a reasonable (from an attacker’s point of view) strategy would be to attack thousands of small companies asking for relatively modest sums (e.g. in the case of ransomware) from each one vs. going after a really large company, needing to bypass multiple security systems, to ask a single large ransom.
John: All businesses should be not only concerned about cyber risk, but it should be the number one focus of all businesses. I think it is common for small businesses to think they are too small to be targeted, but that is erroneous and dangerous thinking. The cyberattacks cast a wide net. There are targeted attacks for purposes of cyber terrorism that focus on large companies, but small companies are just as much at risk as larger companies.
While there are many different forms of cyberattacks, the big game is the collection of personally identifiable information (PII) of the employees and customers of a business. That means login IDs, passwords, addresses, phone numbers, Social Security numbers, and anything that can identify an individual. That information is then sold on the dark web and paid for in hard-to-trace cryptocurrency.
I recently read that passwords are going for $12-$39 each on the dark web. So, if I am a hacker, and I see that you have even a small number of contacts and employees, I can still profit from that data.
Small companies are easy targets because the security is often lax because of budgets, lack of knowledge, or both. Good hackers can penetrate thousands of small, under-protected companies faster than they could get into one large, well-protected company. The end result is the same: They have stolen thousands of pieces of PII, and they have sold it on the dark web for thousands of dollars. It is easy money—if you don’t mind a visit from Interpol.
In addition, nation-states like Russia are refusing to extradite the cybercriminals to the country where they committed the cybercrime. This makes it hard to stop the offenders.
Michael: Yes, large businesses typically have dedicated risk managers and chief information security officers (CISOs) whose job is to focus on managing cyber risk. Small businesses do not have such positions, and dealing with cyber risk and buying cyber insurance is often just one duty of an employee with many other duties. Cybercriminals may give up on attacking well-defended large businesses and go after small businesses, which are much easier to successfully attack.
Anne: Everybody has to worry, to be honest, just like we as individuals also need to be concerned about our own cybersecurity. Small businesses can be very vulnerable because they don’t have the resources that larger businesses have. Depending on the business, especially if they store customer information like credit cards, they can just as easily be targeted. One should not assume that you’re not a target.
That being said, the amount of resources spent or dedicated to cybersecurity is going to be proportional to the company size, but it is important to practice good cyber hygiene.
Q. How can a business effectively organize and manage cyber risk?
Nick: One of the key elements of managing cyber risk is asset management. As companies grow, networks, servers, and software also grow. Unless a company has a systematic way of asset management, i.e., knowing the existence, location, and status of each asset, sooner or later, one of these assets will be forgotten.
A forgotten asset is an asset that never receives security patches and is not monitored for signs of intrusion. Most of the high-profile attacks that we eventually find out about start with the exploitation of a forgotten asset (such as a server running an outdated piece of software) that was vulnerable to a well-known attack.
For example, the 2017 Equifax hack that compromised the data of hundreds of millions of U.S. consumers started with the exploitation of a two-month-old vulnerability on a server in Equifax’s internal network. Due to the asymmetry of cybersecurity, this “game” favors the attacker.
To defend itself, a company needs to protect all of its systems, whereas, to be successful, an attacker needs to discover just a single vulnerable system. Comprehensive asset management (combined with other techniques such as penetration testing and intrusion detection) is a necessary component of a modern defense strategy.
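The "forgotten asset" problem described above can be caught with a routine reconciliation: compare what the inventory says you own against what is actually seen on the network, and flag anything with no owner, no recent patch, no monitoring, or no inventory record at all. The script below is an added example written for this article, not code from AdvisorSmith or any of the interviewed experts; the inventory export format, the scan results, and the 30-day patch window are constructed assumptions.

```python
"""Reconcile an asset inventory against hosts observed on the network and
flag assets that look 'forgotten' (unowned, unpatched, unmonitored, or
unknown). Inventory and scan data below are constructed samples."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Asset:
    hostname: str
    owner: Optional[str]          # team responsible for patching/monitoring
    last_patched: Optional[date]  # None means no patch record at all
    monitored: bool               # feeds logs/alerts to the SOC tooling


# Constructed sample inventory (assumed CMDB export), not real hosts.
INVENTORY: Dict[str, Asset] = {
    "web-01": Asset("web-01", "platform", date(2021, 6, 28), True),
    "db-01": Asset("db-01", "data", date(2021, 6, 20), True),
    "legacy-app-01": Asset("legacy-app-01", None, date(2021, 4, 15), False),
    "old-vpn-02": Asset("old-vpn-02", "it", None, True),
}

# Constructed sample of hostnames seen by a network discovery scan.
OBSERVED: Set[str] = {"web-01", "db-01", "legacy-app-01", "test-box-7"}


def find_forgotten_assets(inventory: Dict[str, Asset], observed: Set[str],
                          today: date, max_patch_age_days: int = 30
                          ) -> Dict[str, List[str]]:
    """Return {hostname: [reasons]} for every asset needing attention."""
    findings: Dict[str, List[str]] = {}

    # Hosts on the network that nobody recorded: the classic forgotten box.
    for host in sorted(observed - set(inventory)):
        findings[host] = ["not in inventory"]

    for name, asset in sorted(inventory.items()):
        reasons: List[str] = []
        if asset.owner is None:
            reasons.append("no owner")
        if (asset.last_patched is None
                or (today - asset.last_patched).days > max_patch_age_days):
            reasons.append("patch overdue")
        if not asset.monitored:
            reasons.append("not monitored")
        if name not in observed:
            # Either decommissioned without updating records, or hidden
            # from the scan; both deserve a human look.
            reasons.append("not seen on network")
        if reasons:
            findings[name] = reasons
    return findings


def run_report(today_iso: str = "2021-07-01") -> Dict[str, List[str]]:
    """Run the reconciliation over the embedded samples for a fixed date."""
    return find_forgotten_assets(INVENTORY, OBSERVED, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for host, reasons in run_report().items():
        print(f"{host}: {', '.join(reasons)}")
```

Running the report as written flags test-box-7 (seen but never inventoried), legacy-app-01 (no owner, patch overdue, not monitored) and old-vpn-02 (no patch record, not seen on the network), while web-01 and db-01 pass. In practice the inventory and observed sets would come from a CMDB export and a scheduled discovery scan, and the report would be reviewed on a fixed cadence so that the list of exceptions trends toward empty.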
John: The first and best thing for all businesses to do is to regularly back up data. Ideally, this should be done daily if not more often. Use a hybrid approach: Save your data in the cloud and have an air-gapped (removable hard drive that is used to back up data and then immediately removed from the machine) backup that is kept locally. For the local backup, it is good to have two devices that are never in the same place at the same time. I use three. This will allow for quick recovery in the event of a disaster, but more importantly, if you have your data secured and air-gapped, you will not have to pay the ransom because you can restore the files immediately.
Secondly, educate yourself and your employees about cybersecurity. Learn about phishing emails and social engineering. Develop and enforce cybersecurity best practices such as strong passwords, two-factor authentication (TFA), and computer usage policies. These will be inconvenient for many, but they reduce your risk and liability considerably. Many of these privacy laws are built around the National Institute of Science and Technology (NIST) Special Publication SP 800-171.
Finally, realize that this is a non-partisan issue. This is happening to everyone, every day, all of the time. Both sides of the fence, urban and rural, in all states.
Many businesses spend money on cameras, security guards, alarm systems, and perhaps even personal protection in the event something might happen. Cybercrime and cyber warfare are happening, and cybersecurity is an investment you must make in addition to the physical security measures.
Welcome to the 21st century.
Michael: Companies without specialized cyber risk management expertise will need to rely on insurance brokers to put together a sufficient cyber insurance package. So choosing a broker that has expertise in cyber is important. The main way cyber attackers penetrate a company, especially for ransomware, is by sending out a phishing link to employees and hoping one of the employees clicks on the link. Businesses should offer regular training to their employees on how not to become a victim of a phishing attempt.
Anne: First, get a handle on the situation. Know your computers, make sure you’re not vulnerable in easy ways in terms of networks, employees using their own computers, etc. You need to take an assessment of things. How is IT used in your company, and what are some of the vulnerabilities?
A big issue that companies are worried about right now is third-party vendors and the ways that third-party vendors can compromise different IT systems. That’s something that small businesses should pay attention to. Companies must also be very clear on what IT security management or cyber risk management protocols are in your company, so you know that employees all have the correct information and that it’s enforced in terms of how people behave.
In general, don’t assume you’re not at risk, and be aware that it’s a very dynamic environment. As the technology, applications, or suppliers you’re using change, you’ll need to think on an ongoing basis in terms of how your risk may be shifting over time.