
John Leyden
Senior Writer

Cyber insurance price hikes stabilize as insurers expect more from CISOs

Feature
24 Sep 2024, 9 mins
Data and Information Security | Network Security | Ransomware

Ransomware-driven premium spikes of the past few years appear to be leveling off, while EU regulations encourage more businesses to consider coverage.

[Photo: two executives reviewing documents at a meeting. Credit: insta_photos / Shutterstock]

Cyber insurance costs have stabilized over the past year following a period of rate hikes driven in large part by increased ransomware attacks.

During the past few years, insurance payouts exceeded 70% of premiums, resulting in an unsustainable business environment for cyber insurers. Insurers responded to the burden of higher claims by raising premiums far above inflation levels, while imposing stricter underwriting requirements and, in some cases, coverage limitations.

As a result, insurance premiums rose 50% in 2022, according to Fitch Ratings. Costs continue to rise, but the rate increases CISOs are encountering at renewal have slowed of late.

“We’re now seeing a decline in ransomware incidents and payments, which is helping to stabilize costs,” says Michael Robert, a cybersecurity specialist at GTA Bloom.

Insurers’ strict underwriting requirements and their insistence on better cyber hygiene practices from potential clients have also played a role in stabilizing the market, industry experts report.

“Now that we have passed the hard market, we are able to offset some of the need for rate and lessen the coverage limitations, as we’ve seen cybersecurity posture improve across most industries and revenue bands,” Emma Fekkas, regional vice president of underwriting at Cowbell Insurance, tells CSO.

“While strict underwriting requirements have not really changed, we are seeing better cybersecurity hygiene in companies seeking cyber insurance,” she adds.

Risk mitigation in an era of escalating cyber incident costs

Cyber insurance is a specialized form of insurance designed to protect businesses from financial losses and liabilities arising from the effects of ransomware or other forms of cyberattack and data breaches.

Policies typically cover business interruption losses due to cyberattacks, the cost of recovering systems, legal fees, infosec consultant charges, the cost of notifying customers, and even (in some cases) ransomware payments, which remain a contentious topic among CISOs.

And the costs associated with data breaches continue to rise. According to research from IBM, the average cost of a data breach jumped by 10% this past year, to US$4.88 million.

Ransomware has, by far, been the leading cause of cyber insurance losses, according to a cyber insurance trends report by insurer Munich Re, which notes that manufacturing has been the sector with the highest number of ransomware claims. Zscaler ThreatLabz’s 2024 Ransomware report confirms manufacturing is the most targeted industry for ransomware, followed by healthcare, technology, and education.

A 2024 study by Chainalysis showed that ransom crypto payments nearly doubled in 2023 to US$1.1 billion, up from US$567 million in 2022. Other costly attack vectors were business email compromise (BEC) and supply chain attacks.

Cyber insurance policies evolve

Businesses typically need to demonstrate strong cybersecurity practices to get cyber insurance coverage, and these baselines have been elevated as cyber events become more frequent and costly.

Keith Povey, security evangelist at enterprise security monitoring tools vendor Panaseer, tells CSO: “Insurers have had their fingers burnt on big payouts and are asking for more assurances from customers — some won’t even give a quote unless companies can prove a certain baseline of security.”

Moreover, ransomware attacks have changed the market by pushing insurers to implement stricter underwriting processes, according to James Harrison, global head of insurance at commercial data analytics firm Dun & Bradstreet.

“Many insurance policies no longer offer full coverage for ransomware events, instead capping coverage for ransom payments,” Harrison says. “Data-driven risk assessments are now a key tool for insurers, allowing them to identify cyber vulnerabilities within businesses. This means personalized policies can be adapted to a company’s specific risk exposure.”

Regional differences on cyber insurance

Overall, the global cyber insurance market reached US$14 billion in 2023 and is estimated by Munich Re to further double to US$29 billion by 2027. Still, regional differences in prevalence of coverage and regulatory and legal contexts remain.

For example, according to data presented at the Zywave conference in London earlier this year, the number of companies insured against cybersecurity risk was estimated to be 20% in the US, 12% in Germany, and 10% in the UK.

The US figure is higher because of the greater maturity of the market there, as well as the greater risk US companies face from class-action lawsuits arising from data breaches compared with their European counterparts, observers say.

“There has been a much higher uptake of cyber insurance in the US than in Europe,” according to Claud Bilbao, UK regional vice president of sales and distribution at Cowbell Insurance. “This has been driven by a number of key factors, most notably the differences around approach to litigation and legal risk, the regulatory environment, cyber awareness, as well as insurance market maturity.”

Rick Betterley, author of The Betterley Report and an expert who has researched cyber insurance since 2000, adds that US corporate insurance advisers are more proactive when it comes to selling cyber insurance coverage.

“I suspect a broker in the US is more worried about getting sued by a client for not informing the client about cyber risk and insurance than in other countries,” Betterley, president of Betterley Risk Consultants, tells CSO.

Both US and European cyber insurance markets are expected to continue growing as cyber threats increase and awareness of risk management through insurance becomes more widespread.

“The US cyber insurance market is larger, more mature, and characterized by higher uptake,” says Cowbell’s Bilbao. “In contrast, Europe’s market is developing, with GDPR being a key driver of growth, but with slower uptake due to less perceived risk and lower market maturity.”

Another factor that may impact regional differences is that large companies sometimes need to contract with more than one cyber-insurance provider to cover their desired liability. With cyber insurance more prevalent in the US, this may mean more policies in play among its larger enterprises.

“A larger company may wish to buy higher limits than any single insurer will offer,” Betterley says. “So in order to achieve the desired limits they might buy a base limit (i.e., $25 million) and layer another limit (say, $10 million) on top of that for a total of $35 million. Large companies in the US often buy several hundred million dollars of limits.”

Regulations also driving cyber insurance uptake

Regulation, and in particular the expanded scope of the NIS2 directive, is a key factor driving the expansion of cyber insurance in Europe.

NIS2 (Network and Information Systems Directive 2) comes into effect in October 2024, expanding the scope of sectors and entities covered by the EU-wide regulation.

NIS2 imposes stricter cybersecurity requirements and risk management measures on organizations in 15 critical sectors instead of the previous seven, and places a greater emphasis on supply chain security and the overall security posture of suppliers.

More businesses, many of them small to midsize, in multiple sectors across Europe will need to comply with the directive. Organizations may turn to cyber insurance to help manage the financial risks associated with potential non-compliance or security incidents covered by NIS2.

Moreover, cyber insurance providers often offer risk management services that can help organizations improve their security maturity.

“If a company follows a cybersecurity framework, such as NIS2, there are processes an organization needs to put in place to comply — for example, crisis management, incident response, forensic services, etc. — as preparation for a potential cyber incident,” Tony Anscombe, chief security evangelist at ESET, tells CSO.

“These services or skill sets are not necessarily something you have to hand in operational teams, but they are typically provided by cyber insurers as part of the policy,” Anscombe says.

Any regulation that requires incident disclosure (including but not limited to NIS2 and GDPR, as well as US laws such as the California Consumer Privacy Act) or that requires a formal incident response capability creates a rationale for companies to invest in cyber insurance as part of their plans to improve their overall cybersecurity maturity.

Other experts agree that regulations play a big role in motivating CISOs to buy cyber insurance.

“Regulations that impose costly response obligations on the breached organization make for a compelling reason to buy insurance,” Betterley says.

Most larger companies follow a framework or standard, such as ISO 27001, for risk management. When companies follow a framework, they are naturally developing more mature security architecture and policies, making them easier to insure.

“If a company does not follow a framework, they may be required by the insurer to implement additional protection and respond to any concerns the insurer highlights,” ESET’s Anscombe says.

CISO liability becomes a factor

Recent US regulatory action, notably the SEC’s cybersecurity disclosure rules and its enforcement against individual security executives, has put CISOs in the firing line, facing the threat of legal action if their organizations’ actual security posture fails to match the assurances reported to investors.

“This has increased jeopardy, and cyber insurance is evolving to encompass individuals as well as their employers,” according to Panaseer’s Povey. “Many CISOs are now considering personal indemnity insurance and asking for it as part of their contract so they’re covered in the event of a lawsuit.”

Doubts remain about whether CISOs are protected by employers only for as long as they work for them, or for life. “We’re approaching a scenario where CISOs could leave their company and then face a lawsuit from their ex-employer for security failings,” Povey warns.