39% of UK businesses identified a cyber attack in the 12 months to March 30, 2022. Phishing constituted 83% of these cases; 21% related to denial of service, malware and ransomware.
A sharp increase in cyber incidents over the past two years, particularly ransomware-related attacks, has led to higher insurer losses and a desire, on the part of insurers, to charge higher premiums to cover risks.
In some cases, we are finding here at Gauntlet Group that insurers have lost an appetite to insure cyber risks and have withdrawn from the market. Some have chosen to tighten up policy wordings, or not cover certain cyber scenarios such as social engineering, or insist on the insured having much higher levels of cyber security protection in place.
The insurer response is clear. There was a record 34% increase in premiums in Q4 2021 alone, with standalone cyber coverage policies increasing in price by 92% across the year. Standalone cyber cover is now the way insurers prefer to cover risks, since there is too much jeopardy involved in the latent ‘silent’ cyber risk exposures buried within general commercial insurance policies.
Looking at this at face value, it’s easy to draw negative conclusions about the future, if you are a UK business. But are things really as bleak as they look and can businesses take steps that will help reduce the costs generated by cyber activity?
How can cyber insurance premiums be lowered?
Firstly, there is no set fee reduction mechanism in place for cyber, as is the case say with motor and property insurance cover, where there are discounts for non-smokers, no claims discounts, and so on. Nobody will hand you a cyber premium reduction on a plate; you have to earn it.
Cyber premiums are determined according to the industry you operate in with, for instance, financial and healthcare organisations typically paying more, because of the type of data that could be exposed. Premiums are also calculated according to a company’s annual revenue, ways of working, volumes of data collected, stored and processed and, very often, according to how much best practice exists within their organisation.
Cyber risks are relatively ‘new’ to insurers, so early policies placed less emphasis on that last factor, best practice within the organisation, than is the case now. Having seen so many companies using cyber policies as their only cyber security protection, insurers have rapidly started to shift the balance, forcing businesses to take ownership of their cyber risk management.
Reducing a cyber insurance premium really requires a business to increase its level of self-protection. It means examining risk exposures, focusing on both computer and network security, examining privacy policies and procedures and engaging staff in the fight against the ever-present cyber criminals.
Insurers like to see an audit trail of evidence, which clearly demonstrates the ways in which a business has implemented robust cyber security measures. To offer the best premiums and terms, they want to see best practice not just talked about, but enacted. This is where Gauntlet Group and its network of local brokers adds value, because we help clients pull their audit trail together.
Cyber Security Best Practice
So what does cyber best practice look like to insurers? Some insurers, like Aviva, are building some of it into their policy terms, insisting that, as a condition of receiving cover, businesses take steps such as backing up systems every seven days, training staff in social engineering tactics, verifying the legitimacy of payees, updating software within 14 days of a new version being issued and updating enterprise-level anti-virus software at least once a month. Notably, they also want to see an “appointed individual” overseeing IT policy and data security.
These conditions are standard. Going beyond these measures can be the way to convince other insurers that a lower premium should reward good practice. These additional measures will almost certainly involve conducting a robust and regular cyber risk audit, with this backed by written policies and procedures and a considered and up-to-date containment and business continuity plan for when data breaches are threatened or experienced.
It also means encrypting sensitive data, keeping the encryption key secure and reviewing firewalls on a regular basis. It requires the business to record and investigate all security threats, which in turn requires the organisation to be able to tell when an intruder has penetrated the system. It’s also about establishing strong access authorisation procedures for all parts of the system and applying multi-factor authentication, if not privileged-access-only controls, to many of these. Having a ‘gapped’ back-up system – in other words, back-up that is not accessible via the main system – is paramount, and insurers will want to see that back-up retrieval actually works, through regular testing of data restoration processes.
Regular ‘penetration testing’ is another way to positively influence an insurer’s view of the risk and companies should be actively identifying their own vulnerabilities in this way, carrying out the cyber world’s equivalent of crisis PR ‘red alert’ days.
Cyber Security Accreditation
However, increasingly, it is clear that lowering an insurance premium will mean getting accreditation for all cyber security procedures, by acquiring the Government’s Cyber Essentials or Cyber Essentials Plus certification. Both schemes are available to organisations of all sizes and help businesses protect themselves against a range of common cyber attacks. Whilst the first is largely achieved through internal self-assessment, Cyber Essentials Plus involves an independent technical verification of the measures taken.
What is becoming clear is that the level of self-protection that insurers are now seeking may be beyond the capabilities of many business owners on their own, even if they have an IT department. To really tick an insurer’s box, many businesses will have to look at bringing in external, specialist resources and consultants, to manage their cyber security strategies and help secure accreditations.
You may take the view that insurers are demanding too much, but are they? The latest Government Cyber Security Breaches Survey, published in March, showed that only 63% of large businesses conduct risk assessments and only 61% train staff in cyber security processes. Across businesses of all sizes, this falls to 33% and 17% respectively. Less than a fifth of businesses have an incident response plan. Only 6% have Cyber Essentials Certification and only 1% have Cyber Essentials Plus.
The Real Cost of Cyber Crime
Whilst implementing measures and bringing in external expertise may seem another cost on the balance sheet, it is not just the likely reduction in insurance premiums that can be set against this. The average loss incurred by a large business suffering a cyber attack is £19,400. Across all businesses it is £4,200. The average ransomware payout in 2021 was £130,472 – a huge sum to find, if insurance doesn’t pick up the tab.
But then, there are the other costs generated by cyber security breaches. Loss of earning potential during downtime, loss of card payment facilities, websites or other systems, loss of customer goodwill and potential contracts, theft of Intellectual Property and potential non-compliance with Payment Card Industry Data Security Standards are some of the dangers. Then there are possible class actions brought by customers whose data has been compromised, the financial impacts caused by reputational damage and possible fines levied because of GDPR non-compliance and through the punitive action of a whole host of industry regulators.
Given the ever-increasing move towards personally prosecuting company directors for the failings of their organisations, anyone running a business should take a long hard look at their cyber security and assess how to quickly bolster it, through the right insurance, much-enhanced self-protection and working with experts in their field. What appears to be another expense on the balance sheet could actually be a means to save money, avoid business disruption and secure peace of mind for you and your family.
Better cyber protection doesn’t have to cost you more!
Find out how it’s possible to do more with less and mitigate cyber insurance premiums through carefully selected tools, procedures, and certifications.