Cyber insurance rates inevitably soaring
The claims statistics of the leading cyber insurers show a consistent picture: both loss frequency and loss amount have grown significantly within the past three years. Because the increasing number of cyber attacks has affected more and more insurance policies, insurers are increasing their premiums – in some cases by 50-100 percent.
Insurers set higher minimum requirements
In the past, loss expenditure arose in particular from business interruption losses in manufacturing companies. Internationally, consequences are already becoming apparent: One U.S. insurer withdrew completely from cyber coverage for manufacturing in Europe at the turn of the year. Other insurers are raising their rates for existing customers and becoming more selective in issuing quotes. And the number of cyber attacks will not decrease. The market for cyber insurance is therefore increasingly hardening. For some industries, it is becoming quite difficult to transfer cyber risk to an insurer. Moreover, insurers are tying the underwriting decision to increased security standards and new requirements that companies have to meet.
Investment in training and awareness
We are currently experiencing a period in which even medium-sized companies are making huge progress with the digital transformation of their operations. This should inevitably lead to an increase in investment in the necessary cyber security measures and in the technical security infrastructure. The good news: many companies are aware of this. The bad: The biggest “IT vulnerability” in companies and administrations of organizations still sits in front of the screen. The budget for regularly educating employees, for example with phishing awareness training, should grow just as much, or be set up in the first place where none exists. A phishing simulation test of 500 companies by CyberDirekt showed that 18 percent of phishing emails are still opened and 5 percent of the links they contain are clicked on. Yet just one click is enough to cause a million in damage, not to mention the loss of reputation. Employees must be trained accordingly and their sensitivity increased.
Guidelines and emergency plans
In addition to regular employee training, insurers will (be able to) demand binding IT security guidelines with documentation and a precisely formulated emergency plan in the future. However, it is precisely with the emergency plan that things become analog again: What good is the detailed IT crisis manual if it is stored as a PDF and no one can even open a file if the worst comes to the worst?
The phase of market hardening in cyber insurance has implications for the conditions that insurers can impose on policyholders when they take out policies or renew them annually. However, it is existentially necessary and will sooner or later have to become an integral part of risk management for companies. Employee training, adherence to IT security guidelines and a detailed emergency plan can reduce premiums with certain insurers.