The frequency and severity of cyberattacks are increasing, making cyber insurance an essential element of businesses’ approach to achieving cyber resiliency. Yet widespread misconceptions around cyber coverage prevail, which might leave some organizations without the coverage they believe they have.
The rapid digital evolution that was underway before 2020 was dramatically accelerated by the COVID-19 pandemic. An increased reliance on remote work and online business increased businesses’ exposure to cyber risks, as well as criminals’ eagerness to take advantage. Indeed, the total global cost of cybercrime in 2020 was projected at $945 billion, almost double the $500 billion in 2018.
Recently, ransomware attacks have made headlines. Business costs associated with ransomware are expected to hit $20 billion this year, while cyber insurers have reported a 336% jump in claims from 2019 through 2020.
Despite the growing risk, however, many organizations still aren’t buying stand-alone cyber insurance. Instead, they’re relying on traditional property and casualty coverages, some of which may not affirmatively grant or exclude cyber coverage. In the event of a loss, this “silent cyber” coverage might not actually pay on the claim. Many specific perils might be left uncovered, leading to disputes between the policyholder and insurer.
The Impact of Ransomware Attacks
A recent report from the U.S. Government Accountability Office found that cyber insurance take-up rates increased from 26% of insurance buyers in 2016 to 47% in 2020. Despite that growth, more than half of insurance buyers still aren’t making stand-alone cyber coverage part of their risk management program.
For many organizations, the growing ransomware threat, and the news it generates, is giving them reason to finally consider stand-alone cyber coverage. Previously, many might have mistakenly believed that the nature of their business, or its size, made them safe from cyberattacks — they didn’t handle customers’ personal or credit card information, for example, or they felt threat actors would think they were too small and not worth the attention.
Now, though, ransomware attacks make it clear that those businesses potentially face other very real exposures: the threat of business interruption, loss of customers, reputation damage and more. Businesses can no longer rely on an assumption of coverage for cyberattacks simply because it isn’t specifically excluded in a traditional property and casualty policy.
Risky Business, Bad Strategy
Relying on silent cyber coverage might be not only risky but also a fundamentally flawed strategy. Many insurers are concerned about aggregations of cyber risks in coverage lines that aren’t designed to address them. At the same time, they’re under pressure from regulators and ratings agencies to address their silent cyber exposures.
In response, and as the frequency and severity of cyberattacks increase, it’s becoming more and more common for insurers to specifically exclude digital coverage from traditional property and casualty policies. As that happens, silent cyber might simply cease to exist in the next round or two of insurance renewals.
Thinking About Stand-alone Insurance
Cyber insurance might not cover every risk associated with cyberattacks, but it will cover many of them.
So, in moving from silent cyber to stand-alone coverage, it’s important to consider how that coverage fits with the organization’s broader insurance program and risk management effort.
For smaller organizations without a large cybersecurity budget, working with a broker and a cyber insurer can provide access to expertise, the ability to benchmark cybersecurity efforts and access to vendors that can help them mitigate cyber risks or respond to an attack.
In Canada and the US, cyber coverage policy language tends to differ among insurers, so buyers should work with a skilled cyber insurance broker that can help them be certain that the policy they purchase covers the exposures they intended to insure.
The current hard insurance market also applies to the market for stand-alone cyber. Many risk managers might want to undertake a risk quantification study before making their purchase to help them decide which limits fit the organization’s overall approach to total cost of risk.
Entering the Cyber Loop
As cyber risks grow and evolve, cyber insurance has become something organizations need to consider in the same way they think about buying property or casualty insurance to protect the business. And the cyber threat should get attention at the C-suite, or even the board level, as the organization looks to take a coordinated approach to addressing cyber risks across various stakeholders.
That organization-wide look involves assessing the risk, determining the threat to the company’s balance sheet and then deciding how best to address the cyber exposure through risk mitigation and risk transfer.
Cyber insurance is only part of the solution for addressing the cyber threat, however. In fact, managing cyber risk effectively isn’t a linear process — it’s a circular one. And organizations that do it right enter a continuous “Cyber Loop.”
The Cyber Loop comprises four steps: risk assessment, risk quantification, insurance and incident response readiness. Many organizations enter the loop at the incident response stage — after they’ve experienced an attack.
Wherever an organization enters, however, continuously circling the loop helps an organization address the changing nature of the threat and achieve the best outcomes.
Building Cyber Resilience
As cyberattacks continue to increase and evolve, it’s essential that risk managers, chief information security officers and chief information officers work closely with their brokers to develop a well-rounded cybersecurity program based on the Cyber Loop while reducing their reliance on silent cyber.
In the process, they need to bring their efforts to the attention of the C-suite and the board to make it an organization-wide priority that will work across silos to address cyber risks. Organizations that do so will be best positioned to achieve cyber resilience.
Reference: “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market,” U.S. Government Accountability Office
This article has been prepared for informational purposes only and from sources believed to be reliable. Aon does not warrant, represent or guarantee the accuracy, adequacy or completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who relies on it. No one should act on any information contained in this article without appropriate professional advice after a thorough review of the situation. In any case, any recipient shall be entirely responsible for the use to which it puts this article.
This article has been compiled using information available to us up to June 1, 2021.
About Aon: Aon plc (NYSE:AON) is a leading global professional services firm providing a broad range of risk, retirement and health solutions. Our 50,000 colleagues in 120 countries empower results for clients by using proprietary data and analytics to deliver insights that reduce volatility and improve performance.
Cyber-security services offered by Stroz Friedberg Inc. and its affiliates. Insurance products and services offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida and their licensed affiliates.
©2021 Aon plc. All rights reserved.