Cyber-Insurance Purchases Increasing, Though Market Challenges Buyers

While more businesses are purchasing cyber insurance, risk managers are facing growing difficulties navigating the challenges of the cyber-insurance market, a new survey found.

According to the 12th annual Information Security and Cyber Risk Management Survey from Zurich North America and Advisen Ltd., 86 percent of survey respondents have cyber insurance, with 69 percent having stand-alone cyber policies. Both of those figures are a 3-percentage-point increase from last year's findings and represent the highest percentages since the beginning of the survey.

Still, cyber-insurance buyers are challenged by the market's higher premiums, shrinking capacity, reduced coverage, and altered policy language prompted by the growing frequency and severity of claims, increased sophistication of cyber criminals, and prevalence of new threats, according to the October 26, 2022, survey report.

The survey found approximately 83 percent of respondents saying they've taken steps to assess their cyber risk and 69 percent indicating they've invested in cyber-security solutions to mitigate their risks, with 60 percent confirming that their risk managers and information technology (IT) professionals work together to monitor the risk.

"This year's results indicate some signs of progress in building cyber resilience, with the vast majority of respondents having taken steps to assess their risk and invest in related solutions," the survey report says.

"Yet, there is still room for improvement. Less than two-thirds of respondents confirmed that their organization's risk managers and IT professionals work together to monitor cyber risk," the Zurich/Advisen report says. "Additionally, while more than three-quarters of respondents reported having cyber incident response plans, a significantly smaller group tests these plans regularly. Furthermore, despite many respondents listing employee training as a high priority, just two-thirds offer this training one or more times a year."

In terms of exposures, the survey found data breach and cyber extortion/ransomware remaining the top coverage expectations among organizations, the result of a surge in such events in recent years, the report suggests. Some 94 percent of respondents cited data breach as a form of coverage they expect to be included in their cyber-insurance policies, while 93 percent mentioned cyber extortion/ransomware.

Other frequently cited exposures included data restoration at 87 percent, business interruption at 75 percent, system failure at 72 percent, and bricking at 70 percent, according to the report.

The survey found that 54 percent of respondents who had experienced a claim reported it to their cyber insurer, with more than 70 percent of those recouping costs from the insurer, with a portion of claims still in process.

In terms of cyber-security priorities, 62 percent of those surveyed cited enhancing employee training as a top priority over the next year, with 58 percent mentioning conducting a cyber-security assessment/audit/gap analysis, and 49 percent citing conducting a tabletop exercise.

Most respondents indicated they are either moderately—43 percent, very—41 percent, or extremely—6 percent—prepared for a cyber event.

Some 81 percent of survey respondents said their organizations have cyber-incident response plans in place, with nearly 60 percent saying they test those plans regularly for multiple scenarios. "Even though all organizations should have such plans, this year's findings represent progress over previous years," the report says.

Nearly half of respondents—48 percent—said they developed their cyber-incident response plans with the help of cyber-security vendors, while 46 percent said they received assistance from internal parties. Only 17 percent said they sought help from their cyber-insurance providers.

While the percentage of respondents who agreed that their cyber-insurance policies are written in a "clear and easy-to-understand manner" increased in 2022, one-third of respondents still disagreed or completely disagreed with the statement, though that's down from 37 percent in 2021, 34 percent in 2020, and 40 percent in 2019, the report says.

More than half of respondents—52 percent—said their cyber-insurance policies meet their organizational needs and provide value, though 61 percent said their coverage meets some but not all of their organizations' needs.

Some respondents indicated their organizations have sought the assistance of outside parties to address cyber risks, with 64 percent saying they've partnered with outside firms to strengthen their cyber security.

Ongoing global geopolitical conflicts have led some organizations to reassess their cyber insurance needs and risk mitigation efforts in anticipation of an elevated risk of threats from nation-states, the report says. "Such conflicts have also posed questions regarding which parties are responsible for handling losses from cyberwarfare," the report says. "Against this backdrop, insurers are calling for increased public-private partnership to address the prospect of large-scale, nation-state cyberattacks, which may cause losses too deep for organizations and insurers to absorb."

The report suggests that as cyber exposures shift and the cyber-insurance market fluctuates, it's important that organizations focus on what they can control. Those factors can include identifying critical assets, assessing potential vulnerabilities, creating protective security procedures, and adopting policies that can help support business continuity after cyber attacks, the report says.

"When organizations, risk managers, and their insurance providers take a collaborative, proactive approach to managing possible threats, they can truly make a difference in preventing and mitigating cyber losses," the report says.