
Silent Cyber: Know Your Cyber Coverage Limitations

The frequency and severity of cyber attacks are increasing, making cyber insurance an essential element of businesses’ approach to achieving cyber resiliency. Yet widespread misconceptions around cyber coverage prevail, which might leave some organizations without the coverage they believe they have.

The rapid digital evolution that was underway before 2020 was dramatically accelerated by the COVID-19 pandemic. The increased reliance on remote work and online business continues, increasing businesses’ exposure to cyber risks as well as criminals’ eagerness to take advantage. Further, organizations are still in the process of a digital evolution, and the increased use of smart technology will continue to provide threat actors with additional opportunities. Indeed, the annual cost of cyber crime globally could grow to $10.5 trillion by 2025, up from $3 trillion in 2015.[1]

Ransomware attacks surged globally in the first half of 2021 to $304.7 million, surpassing 2020’s full-year total of $305.6 million.[2]

Despite the growing risk, however, many organizations still aren’t buying stand-alone cyber insurance. Instead, they’re relying on traditional property and casualty coverages, some of which may not affirmatively grant or exclude cyber coverage. In the event of a loss, this “silent cyber” coverage might not actually pay on the claim. Many specific perils might be left uncovered, leading to disputes between the policyholder and insurer.

 

The Impact of Ransomware Attacks

A recent report from the U.S. Government Accountability Office found that cyber insurance take-up rates increased from 26% of insurance buyers in 2016 to 47% in 2020.[3] Despite that growth, more than half of insurance buyers still aren’t making stand-alone cyber coverage part of their risk management program.

For many organizations, the growing ransomware threat, and the news it generates, is giving them reason to finally consider stand-alone cyber coverage. Previously, many might have mistakenly believed that the nature of their business, or its size, made them safe from cyber attacks — they didn’t handle customers’ personal or credit card information, for example, or they felt threat actors would think they were too small and not worth the attention.

Now, though, ransomware attacks make it clear that those businesses potentially face other very real exposures: the threat of business interruption, loss of customers, reputation damage and more. Businesses can no longer rely on an assumption of coverage for cyber attacks simply because it isn’t specifically excluded in a traditional property and casualty policy.

 

Risky Business, Bad Strategy

Relying on silent cyber coverage might be not only risky but also a fundamentally flawed strategy. Many insurers are concerned about aggregations of cyber risks in coverage lines that aren’t designed to address them. At the same time, they’re under pressure from regulators and ratings agencies to address their silent cyber exposures.

In response, and as the frequency and severity of cyber attacks increase, it’s becoming more and more common for insurers to specifically exclude digital coverage from traditional property and casualty policies. As that happens, silent cyber might simply cease to exist in the next round or two of insurance renewals.

 

Thinking About Stand-alone Insurance

Cyber insurance might not cover every risk associated with cyber attacks, but it will cover many of them. For smaller organizations without a large cyber security budget, working with a broker and a cyber insurer can provide access to expertise, the ability to benchmark cyber security efforts and access to vendors that can help them mitigate cyber risks or respond to an attack.

 

In moving from silent cyber to stand-alone coverage, it's important to consider how that coverage fits with the organization's broader insurance program and risk-management effort.

 

In Canada and the US, cyber coverage policy language tends to differ among insurers, so buyers should work with a skilled cyber insurance broker who can help them be certain that the policy they purchase covers the exposures they intended to insure.

The current hard insurance market also applies to the market for stand-alone cyber. Many risk managers might want to undertake a risk quantification study before making their purchase to help them decide which limits fit the organization’s overall approach to total cost of risk.

 

Entering the Cyber Loop

As cyber risks grow and evolve, cyber insurance has become something organizations need to consider in the same way they think about buying property or casualty insurance to protect the business. And the cyber threat should get attention at the C-suite, or even the board level, as the organization looks to take a coordinated approach to addressing cyber risks across various stakeholders.

That organization-wide look involves assessing the risk, determining the threat to the company’s balance sheet and then deciding how best to address the cyber exposure through risk mitigation and risk transfer.

Cyber insurance is only part of the solution for addressing the cyber threat, however. In fact, managing cyber risk effectively isn’t a linear process — it’s a circular one. And organizations that do it right enter a continuous “Cyber Loop.”

Many organizations enter the loop at the incident response stage — after they’ve experienced an attack. Wherever an organization enters, however, continuously circling the loop helps an organization address the changing nature of the threat and achieve the best outcomes.

 

Building Cyber Resilience

As cyber attacks continue to increase and evolve, it’s essential that risk managers, chief information security officers and chief information officers work closely with their brokers to develop a well-rounded cyber security program based on the Cyber Loop while reducing their reliance on silent cyber.

In the process, they need to bring their efforts to the attention of the C-suite and the board to make it an organization-wide priority that will work across silos to address cyber risks. Organizations that do so will be best positioned to achieve cyber resilience.


[1] Cybercrime To Cost the World $10.5 Trillion Annually by 2025

[2] Aon’s 2021 Cyber Security Risk Report

[3] “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market,” U.S. Government Accountability Office


This article has been prepared for informational purposes only and from sources believed to be reliable. Aon does not warrant, represent or guarantee the accuracy, adequacy or completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who relies on it. No one should act on any information contained in this article without appropriate professional advice after a thorough review of the situation. In any case, any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to June 1, 2021.

About Aon: Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.

Cyber-security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.

©2021 Aon plc. All rights reserved.