Is Cyberinsurance a Worthwhile Investment?
5 questions to help determine whether a company needs cyberinsurance coverage.
The cyberinsurance market is rapidly maturing for many reasons. Companies are increasingly leveraging technology to expand or streamline their businesses, remote work is seeing wide-scale adoption, cybercrime is inflicting trillions of dollars in damages, and global cybersecurity legislation and privacy obligations are increasingly holding firms accountable. The cyberinsurance market is projected to become a thriving $20 billion industry by 2025.
Meanwhile, cyberinsurance premiums are becoming costlier by the day. In the first quarter of 2021 alone, cyberinsurance premiums rose by an average of 18 percent, owing to the increasing number of claims and thinning margins of cyberinsurers. It’s now time to evaluate whether the coverage is affordable and delivers real value to the policyholder.
Here are five questions to help organizations assess whether carrying cyberinsurance is a worthwhile investment:
1. What is our risk exposure?
Organizations should be fully aware of what’s at stake from a cyber risk perspective, because each company carries a different degree of risk depending on its particular attack surface. Assessing cyber risk against well-known security standards or frameworks—such as ISO/IEC 27002, the NIST Cybersecurity Framework, or the ISF Standard of Good Practice for Information Security—can serve as a good starting point for determining a company’s risk posture.
Risk assessments not only frame the organization’s requirement for cyberinsurance, but also serve as evidence of effective risk management. Insurers evaluate how a company measures, monitors, and manages its risk. Therefore, entities with a sound security posture are in a better position to negotiate favorable rates.
2. Is our risk insurable?
Once a business has insight into its risk exposure, it can more successfully define its requirements for a cyberinsurance policy. Most brokers can advise on the policy inclusions, but it’s the policyholder’s responsibility to understand the nuances and evaluate whether the terms and inclusions of the policy meet its risk coverage requirements. There will always be elements not covered under the policy, and the organization must be prepared to accept those risks.
3. Do we have the right coverage?
The value of cyberinsurance is mainly dependent on its ability to provide sufficient risk coverage should a cyber incident occur. Organizations that carry out a detailed risk evaluation are in the best position to determine the extent of coverage needed. Prioritizing risks and taking into account the losses associated with those risks can help businesses select the right type and amount of coverage. Ultimately, cyberinsurance shouldn’t be an off-the-shelf type of solution; it must be tailored to the business.
Through this process, the organization should evaluate gaps in its traditional insurance policies. Property/casualty, product liability, directors and officers (D&O), kidnap and ransom, and general liability policies may cover certain types of cyberattacks. However, the insurance industry has started to eradicate “silent cyber” (cyber risks that are not explicitly mentioned in a policy), and the majority of such traditional policies no longer entertain any claims pertaining to cyber risks.
4. What does it cost to insure?
Because insurance is a risk-transfer process, insurers will take into account several factors before arriving at a premium and agreeing to the terms of the policy. These factors may include:
- coverage—the expenses that the insurer will reimburse;
- exclusions—types of loss that the policy will not cover;
- premium—the cost of the cyberinsurance policy;
- conditions—eligibility criteria for the policy to remain valid and claims to be approved;
- excess or deductible—the amount the organization must pay before a claim can be made or the insurance is paid out;
- sublimit—the maximum amount the insurer will pay for a specific type of loss;
- aggregate indemnity limit—the total amount the insurer will pay across all claims within a specified period; and
- waiting period—the time within which an incident or a business interruption can be claimed.
Remember that the better an organization is at managing information risk, the better the terms and price of the policy will be. Having said that, other external factors govern the cost of insurance, such as rising demand for insurance, escalating cyber claims, or unstable geopolitical environments.
5. Do benefits outweigh the cost?
Businesses must make an informed decision about whether to accept their cybersecurity risk as it is and put it on the balance sheet, or to take up the policy and invest in cyberinsurance. Even when the policy is affordable, it may not completely satisfy the business’s requirements. Therefore, it might be necessary to search for an alternative risk reduction method.
That’s why choosing an insurer should not be the decision of the IT, legal, or security team in isolation. All key stakeholders of the business—including the C-suite, legal counsel, and risk managers—must closely scrutinize the policy and decide whether the terms offered justify the price quoted.
Cyberinsurance is about sharing, rather than divesting, cyber risk. Organizations must establish a symbiotic relationship with their insurers to enhance security arrangements and better manage cyber risk. When the insurer gains a more sophisticated understanding of the organization’s security posture, both parties will be better equipped to gather the right information to accurately measure and model the business’s cyber risk.
Steve Durbin is CEO of the Information Security Forum, an independent nonprofit dedicated to investigating, clarifying, and resolving key issues in information security and risk management by developing best practice methodologies, processes, and solutions that meet the business needs of its members. ISF membership comprises the Fortune 500 and Forbes 2000.