“Cyber insurance premiums rocket after high-profile attacks” reports Reuters, as the increasing frequency and magnitude of cyber attacks have caused cyber insurance providers to reevaluate cyber security risk. According to Reuters, the rate hikes have also been accompanied by increased deductibles and caps on coverage at $100 million – a far cry from the cost of high-profile breaches, which can cost more than $200 million.
Organizations that were planning to mitigate cyber security risk with cyber security insurance are in a perilous position. According to some estimates, a company may need as much as $1 billion in cyber insurance to protect its assets, but the maximum coverage available today is $500 million, and most companies will be unable to secure more than $300 million.
According to Stephen Catlin, the head of the largest Lloyd’s of London insurer, cyber attacks are “the biggest, most systemic risk…our balance sheets are not large enough to pay for that.” Catlin has argued that cyber insurance should become a responsibility of the government.
In fact, the government has taken cyber insurance into consideration. The Department of Homeland Security has recommended that “a robust cybersecurity insurance market could help reduce the number of successful cyber attacks by: (1) promoting the adoption of preventative measures in return for more coverage; and (2) encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection.”
However, not every organization has implemented these recommendations, and those that have not may find they are not eligible for coverage. According to Reuters:
AIG offers cyber policies that cover up to $75 million for a cyber attack, but only for companies like top global banks that are the most adept at securing networks and mitigating cyber risk.
“We have turned clients away,” said Tracie Grella, the global head of professional liability at insurance giant American International Group Inc (AIG.N).
Where does this leave organizations that want to decrease cyber security risk?
The DHS has identified four pillars of effective cyber risk culture:
- Engaged executive leadership
- Targeted cyber risk education and awareness
- Cost-effective technology investments
- Relevant information sharing
The bottom line is that the rising price of cyber insurance will force organizations to adopt stronger security practices, both to reduce the cost of insurance premiums and to further mitigate risk.