Recently, credit rating agency S&P Global issued a report predicting that the costs of cyber insurance coverage will increase dramatically over the next two years, and in some markets may double.
Cyber insurance generally covers a business' liability for a data breach involving sensitive customer information, such as Social Security numbers, credit card numbers, account numbers, driver's license numbers, health records, or other sensitive information. Depending on the policy’s coverage, a business can help offset costs associated with ransomware attacks, business email compromise, social media engineering/phishing attacks, hiring of cyber experts, and loss of business.
The pandemic catalyzed businesses’ use of technology across industries and sectors: digital storefronts, remote workforces, telemedicine, and all the myriad ways we have relied on technology to support the need to quarantine. And while technology has helped during a difficult time, it has also brought an increased risk of cyber attacks. The 2021 “Cost of a Data Breach” report from IBM found that the average global cost of a breach is $3.86 million. While the actual cost varies greatly depending on the type and size of company affected, this figure underscores the huge risk potentially associated with a breach.
As a result, S&P reports that companies have turned to insurers in record volumes to help address the risks associated with new (and existing) technologies, both through requests for larger policy limits and through more inclusions in policies’ terms and conditions. With more policyholders, and greater frequency of cyber incidents during the pandemic, it’s not surprising that some insurers reported paying out cyber-related claims in 2020 and 2021 at a rate exceeding any prior year.
S&P expects that the technological changes that companies have made in response to the pandemic will remain, and predicts that insurers will react to this “fundamentally changed” risk level by restructuring cyber insurance offerings, both through rate increases and by adjusting policy exclusions. Some insurers may also reduce their pay-out limits, especially in relation to ransomware attacks.
All companies that store or otherwise process data should carefully review their cyber insurance policies and understand the obligations and carve-outs therein.