As cybersecurity insurance premiums rise, what can businesses do to cope?

Few threats to the business community are as rapidly increasing and evolving as that of cyberattacks. One day it’s ransomware or social engineering, the next it’s phishing, hacking or patch problems. In the past, the silver lining for businesses tackling this issue has been cyber insurance, providing a level of financial protection from an invisible enemy. But technology is constantly changing, and new challenges are emerging in the market.

According to the National Association of Insurance Commissioners (NAIC), insurers wrote approximately $4.1 billion in cyber premiums in the United States in 2020, with $2.75 billion in direct written premiums by domestically domiciled insurers, the latest year for which figures are available.

Globally, the data company Statista estimates that cyber liability accounted for $8 billion in premiums in 2020 and could grow to more than $20 billion by 2025.

From our department’s involvement on the NAIC’s Cybersecurity Working Group, it is encouraging to see a large, competitive market that ensures that businesses have access to the protections they need. However, whether that trend continues will depend on premium affordability, and there is some current distress in the market, along with signs that point to significant challenges in the coming years.

Not long ago, insurers were swarming into the cyber insurance market and laboring to persuade businesses that this was an essential coverage that could be purchased at affordable rates. Now, because of the evolving and complex nature of cyberattacks compounded by the increasing connectivity of our devices, an uptick in cyberthreat activity and swelling claims, the industry is struggling. The potential for simultaneous losses across many policyholders is a serious threat. We are seeing market contraction, increasing premiums, shrinking capacity as some carriers jump out of the market, and underwriters insisting on strict risk controls before writing a policy.

So how can insurers and businesses face these challenges and ensure a vibrant marketplace in the future? The key is for both sides to appreciate their shared responsibility.

It’s critical for businesses to make necessary investments in their technology, training and expertise to ensure a mastery of cybersecurity basics. Strong controls should be put into place, such as regular awareness training, ensuring safe VPN connections, and multifactor authentication. While insurers do not typically scrutinize specific technologies, they do want to understand how a business crafts risk management strategies using existing technology and internal standards.

A business’s risk manager is critical for any organization, and needs to be prepared to address the threats, and ensure that resources are ready to respond.

By making these investments and formulating internal cybersecurity protection strategies that can move at a moment’s notice, the business community can help keep cyber insurance rates in check.

Similarly, insurance carriers must ensure that their underwriters are gaining the appropriate experience and confidence in pricing coverage to increased competition and are drawing new entrants into the market, which will produce premium moderation. They must update their actuarial models, some of which are based on underwriting data from the last decade, to evaluate how relevant the information is moving forward, especially given the increased protections the business community is undertaking. They also must find strategies to control their losses through limits, deductibles, and reinsurance.

Finally, there must be a recognition in the insurance industry that our state and national economy will be hobbled if businesses are unable to access the products they need to protect themselves. While reforming these products is necessary, exiting the market entirely for this coverage is not in the best economic interest of the country.

The business community and insurance sector can take steps together to ensure that the cyber insurance market not only stabilizes from an affordability perspective but thrives into the future.

While having insurance is commonsense for any business, it does not absolve a business from its own responsibility. Cyber insurance is not a replacement for basic cyber hygiene.

Christopher Nicolopoulos of Bow is the commissioner of the NH Department of Insurance, and D.J. Bettencourt of Salem is the agency’s deputy commissioner.