
Cyber insurance explained: Costs, terms, how to know it’s right for your business

Feature | 10 Oct 2024 | 14 mins | Risk Management

Cyber insurance can’t protect your organization from cybercrime, but it can keep your business on stable financial footing should a significant security event occur.

What is cyber insurance?

Cyber insurance, also known as cyber risk insurance or cyber liability insurance coverage (CLIC), is an insurance policy that helps cover costs associated with data breaches or cyberattacks. It reduces a business's risk exposure by offsetting the costs of damage and recovery after a cyber event. Policies typically come with underwriting requirements and coverage limitations, and they set the minimum security-control baseline an applicant must meet to obtain and keep coverage.

What does cyber insurance cover?

“In its rawest and simplest form, cyber insurance provides cover for everything that happens following a cyberattack, including financial, operational, reputational, and personal protection,” says Ed Ventham, co-founder of UK-based specialist cyber insurance brokers Assured.

Cyber insurance policies are becoming more diverse as the market matures, and the finer details of what is covered often differ from one policy to the next depending on several factors. Nonetheless, common coverage areas across most cyber insurance policies include:

  • Losses resulting from business interruption (lost revenue from systems being down or encrypted)
  • Contingent business interruption (lost revenue from systems being down due to a third party’s failure, such as an IT vendor)
  • Digital asset destruction
  • Data retrieval and system restoration costs
  • System failure
  • Cyber extortion/ransomware
  • Social engineering and cybercrime, and network security and privacy liability
  • Incident response
  • Crisis services
  • Legal and regulatory expenses

According to a recent report by NetDiligence, incident response accounts for the largest cost in a claim.

“Many businesses, especially small to midsize, do not have the resources on hand to respond to an incident,” says Tony Anscombe, chief security evangelist at ESET. “Typically, an insurer will have a team in place to assist as needed.”

Cyber insurance also often offers financial protection from litigation in the wake of cyber incidents.

Emma Werth, RVP of underwriting for the East Coast at Cowbell, a provider of cyber insurance for small and midsize enterprises, says that insurance helps breached organizations claw back notification and legal costs.

“There is an increasing trend of ‘data breach ambulance chasers’ with class-action lawsuits regarding data breaches on the rise,” Werth explained. “Notification costs and ancillary services, such as credit monitoring, are becoming increasingly important due to these claims.”

In the past few years, insurers have significantly narrowed coverage definitions, requiring stricter adherence to security standards.

“Many insurers now carefully assess a company’s cybersecurity posture before offering comprehensive coverage, and some risk areas — like certain types of ransomware payments — may be excluded altogether,” said Sami Dhifi, cyber risk services lead at global management consultancy Alvarez & Marsal.

Cyber insurance costs, terms, conditions

Leading the trends affecting demand for and cost of coverage, policy terms and conditions, requirements, and limits is ransomware.

Ransomware has been the single biggest loss vector for insurers, reaching a point where payouts exceeded 70% of premiums collected. Insurers responded not only by raising premiums but by imposing stricter underwriting requirements and, in some cases, applying coverage limitations.

“The 2020/2021 ‘ransomware pandemic’ shaped the pricing of the ‘hard market,’ as ransomware groups were moving faster than regulation and security,” says Assured’s Ventham. “Today, security thresholds have caught up. A large part of this has been driven by insurance,” as the standards and requirements to purchase cyber insurance are much higher than before.

The cost of cyber insurance premiums rose dramatically in 2021 and 2022, driven by a surge of ransomware-related claims that put a strain on insurers and threatened the viability of the market. Insurance premiums rose 50% in 2022 before a more recent decline in ransomware incidents and payouts helped to stabilize costs.

Matthew Bell, owner of IT consulting and services firm Bell ICT, says increased competition in cyber insurance is also helping to drive down price pressures despite the continuing prevalence and severity of ransomware.

“Ransomware attacks continue to increase but surprisingly this hasn’t resulted in increased pricing,” according to Bell. “This pricing stabilization is driven by more MGAs [Managing General Agent, a specialized type of insurance intermediary] and insurers entering the market.”

As for conditions, exclusion lists in the fine print that can void coverage or lead to claims being denied or reduced are on the rise, according to Delinea's 2023 State of Cyber Insurance report, based on a survey of more than 300 organizations. The exclusions cited include lack of security protocols (43%), human error (38%), acts of war (33%), and not following proper compliance procedures (33%). Lack of security protocols is the top reason smaller organizations have had claims denied (40%), while human error is the top reason larger organizations have had claims denied (48%).

The Delinea report also indicated that not all costs involved in a data breach may be covered, with policies least likely to pay for lost revenue, regulatory fines, legal fees, and ransomware payments. Respondents said expenses most likely to be recouped were those spent on data recovery. However, data recovery can mean different things to different insurers and in different situations.

Cyber insurance security control requirements

Organizations applying for cyber insurance must demonstrate that they meet the security control requirements insurers look for when assessing a potential policyholder's risk. Insurers typically assess those controls by asking applicants to complete detailed questionnaires, and the answers given become the baseline the insured is expected to maintain for the life of the policy.

“Insurers understand risk and if they require the insured to have MFA [multifactor authentication], managed detection and response, and the many other requirements, this is because it statistically reduces their risk of a claim being made,” ESET’s Anscombe tells CSO.

Security advisors and consultants say they see insurers asking more questions of those seeking policies. Insurers are requiring proof that applicants have reached a certain level of security maturity, such as a SOC 2 attestation. They are reviewing security strategies and policies as well as security training and awareness programs. This in turn has required more involvement from enterprise security leaders in the insurance procurement process.

“If you want to get your claim, you usually have to use their panel of vendors or follow their procedures,” says Michael Pisano, a managing director at global consulting firm Protiviti. For example, policyholders will be required to have detailed response and recovery plans in place; in the event of an incident, insurers want clients to meet specific requirements, such as which law firms should be engaged and what forensics should be performed, and by whom. As a result, he says, CISOs need to understand those requirements and incorporate them into their incident response playbooks.

Even then, experts warn, there is no guarantee that insurers will cover the losses: organizations may have to prove that their security teams followed through on those plans and continuously maintained the security controls they described when the policy was underwritten.

Cyber insurance exclusions for state-backed cyberattacks

In August 2022, insurance marketplace Lloyd’s of London announced it would introduce cyber insurance exclusions for “catastrophic” state-backed attacks. In a market bulletin published on Aug. 16, 2022, Lloyd’s stated that while it “remains strongly supportive of the writing of cyberattack cover” it recognizes that “cyber-related business continues to be an evolving risk.” Therefore, the company moved to require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements.

The policy to add a clause excluding liability for losses arising from any state-backed cyberattack in standalone cyberattack policies came into effect at the end of March 2023.

Speaking to CSO, Jonathan Armstrong, lawyer and partner at compliance firm Cordery, says the biggest issue organizations and CISOs face in relation to the exclusion put forward by Lloyd's is accurate attack attribution. “Whilst with specialist help you can often say that there are indicators of nation-state involvement, we know it’s hard to be certain. It’s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case,” he says. Putting proper procedures in place will be key, and to get attribution right an organization will need proper and effective monitoring on its systems to support an investigation, Armstrong adds.

However, Assured’s Ventham says state-backed cyberattacks are excluded only if the threshold for “war” or “cyber war” is met — a condition never met even by the most destructive state-backed cyberattacks ever recorded.

“War is typically defined in cyber insurance policies in its most traditional sense, think physical acts of war (invasions, boots on the ground),” according to Ventham. “Cyber war is typically defined as a state-backed cyberattack (or series of state-backed cyberattacks) that seriously impacts another state’s ability to function or seriously impacts its defence capabilities, for example.”

Ventham concludes: “For clarity, no cyberattack in history, not even the NotPetya attacks in 2017, would have triggered the war exclusion found in cyber insurance policies.”

There is some disagreement, even among specialist cyber insurers, on whether business leaders should be concerned that war exclusions could become an issue in future claims.

Cowbell’s Werth tells CSO that war exclusions are still very much a feature of many cyber insurance policies.

“We’re noticing a growing trend of carriers introducing ‘War Exclusions’ onto their policies to exclude state-backed cyberattacks, with varying degrees of coverage reinstated through ‘carvebacks’ for cyber terrorism,” Werth explains. “A carveback is an exception to an exclusion that restores coverage in specific scenarios, meaning that while state-sponsored attacks may generally be excluded under war clauses, cyberterrorism might still be covered under certain conditions depending on the policy’s wording.”

Werth adds: “These exclusions started during the hard market and have become relatively commonplace across cyber insurance offerings.”

Lloyd’s markets continue to apply the war exclusion to their policies, meaning state-backed cyberattacks that meet the exclusion's threshold are excluded.

“Company markets (non-Lloyds) have the freedom to not include a war exclusion, however, in nearly all cases we see some form of exclusion which is tantamount to the Lloyd’s war exclusion,” according to Bell.

Cyber insurance statistics

Databarracks’ Data Health Check — an annual survey of 500 UK IT decision-makers — found that while more organizations than ever have cyber insurance, the number of claims is down.

Two-thirds (66%) of those surveyed report having insurance specifically for cyber in 2024, up from 51% two years earlier. But as more organizations take out policies, just 36% made a claim this year, down from 58% in 2022.

In previous years, the majority of organizations chose to pay in the event of a ransomware attack, but this year twice as many organizations were able to recover data from backups rather than meet the demands of ransomware groups.

The amount organizations are claiming against their cyber insurance policies has also decreased, with claims over £1 million decreasing from 48% to just 16% in 2024.

A separate survey of 300 IT decision-makers from security vendor Delinea paints a contrasting picture. It found that cyber insurance claims remain high, with 62% of respondents filing a claim in the past 12 months. Notably, over 27% of these respondents have filed multiple claims.

How to assess your cyber insurance needs

Once a company has understood the state of the current cyber insurance market and the scope of coverage, it can then explore whether a policy will be of benefit.

Assured’s Ventham offered a checklist for how organizations should go about assessing their cyber insurance needs:

  • What would be the impact if you had a cyberattack that took your business offline for a day, a week, or a month, etc.?
  • How quickly would you prevent that attack from spreading?
  • What risk can you afford to take on yourselves?
  • How prepared are you to respond to an incident?
  • What are you looking for in a cyber insurance partner? Is your insurer addressing your risk and concerns? Are you confident they will pay out?

Richard Seiersen, chief risk technology officer at Qualys, who previously worked in the same role for cyber insurance provider Resilience, says organizations need to quantify what they stand to lose from potential attacks, ransomware in particular.

Losses fall into three categories: extortion, business disruption and potential data breach.

“As a defender you are exposed to all three of these loss classes,” according to Seiersen. “Keep in mind that around 70% of ransomware attacks include data breach, but that more modern attacks may be data breach-only to motivate extortion.”

You will also have to assess the current state of your security operations and be prepared to make investments to improve those operations should an insurer require you to do so after performing a pre-insurance audit.

“Many insurers will now conduct a pre-insurance scan of public-facing infrastructure and assets,” ESET’s Anscombe says. “The scan will highlight any existing weaknesses, such as unpatched servers, public facing RDP [Remote Desktop Protocol] servers, expired certificates, and the like.”

While inspection of internal systems is typically excluded from these audits, they nonetheless give insurers insight into a potential client's security maturity, allowing the insurer to assess the applicant's risk profile.

The process of meeting the insurers' requirements should, at least in theory, reduce a company's risk whether or not it ultimately buys a policy.
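Before an insurer runs its external scan, a security team can triage its own inventory of internet-facing assets against the same weaknesses the scan is said to flag: remote-access services such as RDP reachable from the internet, expired or soon-expiring TLS certificates, and servers missing security updates. The script below is an added example, not code from the article or from any insurer; the asset inventory, host names and patch label are constructed for illustration, and in practice the records would come from your own external port scan and patch-management export.

```python
"""Pre-questionnaire triage of externally reachable assets.

Mirrors the checks an insurer's pre-insurance scan performs on
public-facing infrastructure: exposed RDP/SMB/Telnet/VNC, expired or
expiring TLS certificates, and missing security updates.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Services that are a red flag when reachable from the internet
# (standard registered port numbers).
RISKY_PORTS = {
    3389: "RDP reachable from the internet",
    445: "SMB reachable from the internet",
    23: "Telnet reachable from the internet",
    5900: "VNC reachable from the internet",
}


@dataclass
class Asset:
    host: str
    port: int
    service: str
    # Output line of `openssl x509 -noout -enddate`, or None for non-TLS services.
    not_after: Optional[str] = None
    # Labels of missing security updates from the patch-management system.
    missing_patches: list = field(default_factory=list)


@dataclass
class Finding:
    host: str
    port: int
    severity: str  # "high" or "medium"
    issue: str


def parse_not_after(value: str) -> datetime:
    """Parse 'notAfter=Oct  1 00:00:00 2024 GMT' as printed by openssl."""
    text = value.split("=", 1)[1].strip()
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def assess_exposure(inventory, now: datetime, warn_days: int = 30):
    """Return findings ordered for remediation: high severity first."""
    findings = []
    for asset in inventory:
        if asset.port in RISKY_PORTS:
            findings.append(Finding(asset.host, asset.port, "high",
                                    RISKY_PORTS[asset.port]))
        if asset.not_after:
            days_left = (parse_not_after(asset.not_after) - now).days
            if days_left < 0:
                findings.append(Finding(asset.host, asset.port, "high",
                                        f"TLS certificate expired {-days_left} days ago"))
            elif days_left <= warn_days:
                findings.append(Finding(asset.host, asset.port, "medium",
                                        f"TLS certificate expires in {days_left} days"))
        for patch in asset.missing_patches:
            findings.append(Finding(asset.host, asset.port, "high",
                                    f"missing security update {patch}"))
    return sorted(findings, key=lambda f: (f.severity != "high", f.host, f.port))


def has_blocking_findings(findings) -> bool:
    """True if anything remains that an underwriter would likely question."""
    return any(f.severity == "high" for f in findings)


# Constructed sample inventory (hypothetical hosts and patch label).
SCAN_TIME = datetime(2024, 10, 10, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Asset("vpn.example.com", 443, "https", "notAfter=Nov 30 23:59:59 2024 GMT"),
    Asset("www.example.com", 443, "https", "notAfter=Oct  1 00:00:00 2024 GMT"),
    Asset("legacy.example.com", 3389, "ms-wbt-server",
          missing_patches=["example-os-rollup-2024-09"]),
    Asset("mail.example.com", 25, "smtp", "notAfter=Oct 25 12:00:00 2024 GMT"),
    Asset("files.example.com", 445, "microsoft-ds"),
]


def run_sample():
    return assess_exposure(SAMPLE_INVENTORY, SCAN_TIME)


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"[{f.severity:6}] {f.host}:{f.port} {f.issue}")
    print("blocking findings:", has_blocking_findings(results))
```

Run it and fix every high-severity finding before answering the insurer's questionnaire; the answers you give there are the controls you will be held to if you ever make a claim.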

“Insurance firms could be at the forefront of a new wave of ‘baseline standards’ which could be much more dynamic and responsive to the threat landscape than any international standard or industry regulator,” Proofpoint’s resident CISO Andrew Rose adds.

Is cyber insurance worth it for your business?

Insurance policies can help organizations recover following a successful attack and can help reduce risk. They can also enable organizations to earn business, as many organizations require it from their vendors and partners.

Even so, some organizations find they can’t justify paying the premiums; some — particularly small and midsize enterprises — find they can’t meet the controls insurers now require. Still others decide they’re better off investing in their security programs rather than in insurance.

“You have a decision to make as a business what you can afford. It’s a cost-benefit analysis,” says Protiviti’s Pisano.

To make this decision, CISOs are being called on to work with risk, legal, and other executives to evaluate their organization’s cybersecurity posture, articulate the threat landscape, quantify risks, and make recommendations on the best path forward, he says.

For some, the decision ends up being to avoid making the cyber insurance investment.


This article was originally published on Oct. 5, 2022, and has been updated since.

Michael Hill, UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.
