Insurers are becoming increasingly strict and expensive when it comes to cyber insurance. Here are the reasons, and how you can respond correctly to keep costs down.
IT security: the situation is bleak
“The threat level in cyberspace is higher than ever,” writes Nancy Faeser in the foreword to the BSI publication “The State of IT Security in Germany 2022”. The German Minister of the Interior is right. Every day you can hear or read that a well-known company or authority has been the victim of a cyber attack. The criminal organizations behind them attack small and large companies – and cause immense damage in the process.
Companies are paralyzed for days or weeks, sensitive data is stolen and deleted. High costs are incurred in connection with repairs, ransoms, reputational damage, procurement of new hardware and so on. Some companies even slide into insolvency due to the immense follow-up costs of an attack.
The overall threat situation has reached a level where some experts are even talking about a “cyber war”. We try to avoid such martial language, but it is appropriate to assess the current risks and potential damage in the area of IT and information security as very high. These are risks and potential damage against which you must arm yourself.
The attitude of “Oh, nothing has happened to us”, often encountered in German-speaking countries, reflects a certain wishful thinking. It is both naive and grossly negligent. Sooner or later, your company’s IT infrastructure will be attacked. Perhaps it already has been, and you haven’t noticed because you haven’t implemented an attack detection system.
To protect themselves against the high potential for damage, many companies decide to take out cyber insurance. Years ago, when the market was still in its infancy, cyber insurance (also known as cyber risk insurance) was available for little money. This was because the insurers themselves had little experience of the actual losses to be expected at the time.
However, it is now becoming increasingly difficult for companies of all sizes to take out cyber insurance: the requirements for the protective and preventive measures to be implemented and the insurance exclusions are increasing. And cyber insurers are increasing their insurance premiums, in some cases massively.
Why? We explain this in this guide. We also look at the requirements your company must fulfill in order to
- obtain an insurance commitment from a cyber insurer in the first place,
- be able to take out cyber risk insurance at an acceptable price, and
- ensure that the insurance will actually pay out in the event of a claim.
Cover: When should cyber insurance step in?
Cyber insurance covers a wide range of potential losses that can be caused by cyber attacks. This includes covering the costs of data recovery, external support in dealing with the incident and forensic investigation of the crime. The payment of ransom demands in the event of ransomware attacks can also be included in the benefits of cyber risk insurance.
We deliberately say “can” here, because the insurance benefits differ significantly between providers. In addition, insurers are increasingly reducing their benefits by explicitly excluding certain loss scenarios from cover or severely restricting what they pay. AXA in France, for example, has removed the reimbursement of ransomware ransoms from its benefits catalog.
Whether and to what extent cyber insurance pays out in the event of a claim depends on various factors. One is the contract that your company concludes with the insurer. The conditions set out exactly when and what will be paid.
In addition, your company must be able to credibly demonstrate that the incident is not due to (gross) negligence. If your IT systems are insufficiently protected in technical and organizational terms, your chances of having the costs of the (consequential) damage covered are poor.
Cost-effectiveness: Is cyber risk insurance worthwhile?
“Cyber extortion remains one of the biggest threats,” writes the BSI in its status report. These threatening assessments are shared by many surveys and studies: ransomware, phishing, DDoS attacks (Distributed Denial of Service) and the like are no longer isolated incidents, but are – unfortunately – part of everyday life in the IT world. And as the number of interconnected systems continues to grow, the potential attack surface for professionally organized attackers is becoming ever larger.
If your infrastructure is successfully compromised, your company can expect high follow-up costs. Even a minor incident can quickly cost several hundred thousand. It is understandable that interest in cyber insurance is growing among German SMEs. The same applies to demand worldwide. At the beginning of 2022, Munich Re estimated the total amount of global cyber premiums at 9.2 billion US dollars. The reinsurer estimates that they will reach a value of around 22 billion dollars by 2025.
However, claims payments are also growing in parallel with demand: In 2021 alone, German insurers paid out 137 million euros through their cyber insurance policies. That was three times as much as in 2020! So: Yes, cyber insurance can be worthwhile, because the threat situation is worsening and the expenses for the consequences are skyrocketing.
Costs: Why is cyber insurance becoming more expensive and more restrictive?
The damage caused by cyber attacks is no longer affordable, in the opinion of Mario Greco, CEO of Zurich. After all, a successful cyber attack can have catastrophic consequences if it targets critical infrastructure, for example. Just think of the Colonial Pipeline case, a major pipeline operator on the east coast of the USA.
Even without such major disasters, insurance companies are in trouble. “In view of increasing hacker attacks on the German economy, cyber insurers slipped into the red for the first time in 2021,” reports the German Insurance Association (GDV) on its website. “For every euro earned in the sector, expenses for claims and administration amounted to 1.24 euros”.
“The insurance industry has already taken measures to limit the damage,” says heise.de. “This includes increasing insurance premiums on the one hand, but also adjusting policies so that customers have to bear more losses themselves.” And cyber insurance providers are increasingly tightening their acceptance criteria. Industrial insurer AGCS, for example, rejects around 60 to 70 percent of applications.
The threat situation is increasing, but at the same time companies are reacting too little or too slowly. Jörg Asmussen, Managing Director of GDV, comments: “Attacks are becoming more professional and more frequent, but the level of IT security has been stagnating for years. We still see major security gaps at most companies.” Asmussen goes on to lament: “A third have no one explicitly responsible for IT security. Half have no plan whatsoever for dealing with a cyberattack. As a result, companies react too slowly to an attack and suffer unnecessarily severe economic consequences.”
Requirements: What criteria must companies meet for cyber insurance?
Every insurance company has different standards. Among other things, the insurer Gothaer requires data to be encrypted before it is sent, complete backups to be kept offline and home office devices to be secured. Compliance with standards such as ISO/IEC 27001, meeting the requirements of industry-specific standards (e.g. VDA-ISA), the introduction of an endpoint protection platform and the performance of penetration tests are also part of the desired catalog of measures.
For example, when applying for cyber insurance, Allianz asks whether the applicant has a proactive vulnerability management system, uses a SIEM/anomaly detection solution or implements system hardening measures based on relevant standards.
And Hiscox, when you apply for cyber insurance, sometimes wants to know
- whether your company operates in a sensitive or critical area,
- whether there have already been cyber attacks in the past (claims history),
- whether you have formulated appropriate internal security guidelines, and
- whether you use attack detection systems (such as Trovent MDR), operate vulnerability management or carry out penetration tests.
Here is an excerpt from the German Hiscox questionnaire:
This means that in order to have part of your IT security risk covered by an insurer, you must credibly demonstrate that you and your company as a whole take IT and information security seriously and implement state-of-the-art protective measures. If you do not do this, an insurance company will refuse to cover the risk or the premium will be extremely high.
In our experience, many insurers do not check whether the information you provide when applying for cyber risk insurance is true. In the event of a claim, however, you will have to prove that you actually implemented the required protective measures. If you cannot, long negotiations will follow, and in the worst case your cyber insurance will not pay the benefits agreed in the contract.
Bear this in mind as well: if your application is accepted but your details indicate significant gaps in your IT security architecture, your premiums will skyrocket. Understandably so, because your company is then exposed to a high risk of falling victim to a cyber attack.
Measures: How do you meet the requirements of insurance companies?
Clearly demonstrate that you and your company do not view IT and information security as a one-off action, but that you are pursuing a clear concept with demonstrably implemented protective measures.
Information security is not a project with a fixed beginning and end, but an ongoing process that you must live by in your company – in line with the principle of continuous improvement. This is the only way to increase your chances of successfully fending off both current and future threats.
Accordingly, it is not enough for an IT manager to implement a few ad hoc measures on a one-off basis. You need internal and possibly also external experts who secure your IT infrastructure continuously and sustainably and put IT/information security processes into practice.
These measures must also be aligned with the industry-specific standards relevant to your company. This is because the requirements placed on insured companies by cyber insurers are made up of legal requirements, norms and industry-specific standards as well as practical experience gained from claims handling.
For you, this means that as long as you comply with the requirements of the relevant laws (such as the IT Security Act, EU GDPR, Section 75b SGB V), general information security standards (e.g. ISO 27001, BSI IT-Grundschutz) and industry-specific standards/specifications (e.g. KAIT/VAIT/BAIT, TISAX, IEC 62443), you will have no problems with the requirements of your cyber insurance.
Technical measures that are required by both relevant standards and cyber insurance policies include:
- Penetration Testing
- Vulnerability Management
- Log Management
- Managed Detection & Response
- System Hardening
Ideally, these technical measures, together with appropriate organizational measures, are embedded in an information security management system (ISMS).
Important: Do not view the improvement of IT and information security merely as a necessary evil or a cost item in order to comply with cyber insurance requirements. On the contrary, view compliance with these requirements as an opportunity to establish a process of continuous improvement in your company.
This not only results in an increase in the security of your data and business processes, but also the potential to improve business processes in general – for example in terms of their reliability, productivity and quality. So make IT security a top priority! It’s worth it.
Alternative: Do without cyber insurance?
It is a valid option for a company’s management to forego cyber insurance and bear the remaining IT/information security risk itself. In our discussions with customers, we repeatedly see companies considering canceling their cyber insurance because of rapidly rising premiums and growing insurance exclusions, and instead investing the money in improving and implementing IT security measures. The motto here is prevention instead of a panicked reaction to the worst case.
In certain situations, after a sober cost-benefit assessment, this can make perfect sense. Those who lock their house reliably and also invest in an effective alarm system and other measures will live more securely. An insurance policy that may only pay a fraction of the damage anyway, and only after lengthy negotiations or a court case, costs more in money and nerves than it delivers.
Conclusion: Does cyber insurance make sense?
Despite the rising costs and increasing exclusions of liability, we believe that cyber insurance makes sense. As a rule, we would therefore not recommend dispensing with such a policy altogether.
The right mix usually leads to the best result. This means that if you do your homework and take appropriate protective measures to significantly reduce the risk of a successful attack, the costs of cyber risk insurance will also be significantly lower. And the chances are good that the insurance will actually pay out in the event of a claim.
No matter what you choose: Under no circumstances should you take IT and information security lightly! From today’s perspective, the threat potential is on the increase. Be honest: would your company be able to survive without IT?
Do you need support in developing or optimizing your IT security strategy? Would you like to align your security measures with the standards relevant to your company? Or would you like to improve existing security measures? The Trovent team will be happy to assist you. Contact us without any obligation!
Images: iStock, Munich Re, Hiscox