The frequency and costs of data breaches continue to rise globally, with the average price tag of a data compromise reaching US$4.45 million in 2023, according to a recent report from IBM Security. Cyber insurance can help protect your organization from bad actors—but can you get it, and what should you be looking for in a policy? We interviewed Ady Sharma, senior vice president at Aon in Toronto, Ontario, and Jason Sheffield, national director of compliance at The Baldwin Group in Atlanta, Georgia, to get both a Canadian and a U.S. perspective on the current state, challenges and future trends in the cyber insurance space.
During the pandemic, we saw a huge rise in cyber attacks and cyber crimes. Is this trend continuing post-pandemic? What do you expect in the future?
JS: This trend is continuing, and cyber attacks are getting bigger and more prevalent. One of the big pandemic-related influences of the increase in attacks was the shift to the remote work environment. Organizations can’t effectively control the operational environment in an employee’s home. Even though they may have a VPN to get into their organization’s network, employees are still much more vulnerable at home than in the workplace. We’ve also seen that the attacks have become more sophisticated. But then the organizations that get attacked often go back to business as usual, and they get attacked again because they did not shore up their security measures to prevent another attack. All they did was recover from the initial attack.
Cyber insurance can help plan sponsors mitigate the impact of a cyber attack, but can you even get cyber insurance now, or is it cost-prohibitive for most?
AS: Interestingly, cyber insurance is probably the most competitive it’s been in terms of pricing since 2020. In 2020, we started to see the market harden and become a lot stricter as a result of heightened claims activity, whereby claims were significantly outweighing the premiums and insurers were reviewing the profitability of their books. Underwriting controls and requirements began getting stricter and were being carefully reviewed across insurer portfolios. Obviously, increased pricing followed: some organizations saw upwards of a 100% or 150% increase in pricing. Retentions and deductibles went up as well, and limits and capacity were cut back. There was a large correction in the cyber insurance market.
Then, in 2023, we saw things significantly calm down. Aon’s North American data indicates there was around a 20% reduction in prices in 2023 for our client book, and that trend has continued into 2024 with organizations seeing stable renewals, or slight decreases in certain cases. There are still some strict requirements for an organization to display a basic level of cyber hygiene—and that’s a good thing in order to ensure the sustainability and longevity of cyber insurance as a product. But it’s out there for purchase, and it’s at a favorable price right now. However, all of this may change if we see more catastrophic or systemic events that shake up carrier confidence.
JS: There are about 15 active insurers in the U.S. marketplace. A small employer with under 250 employees might pay a premium of $1,500 to $2,000 a year if it has not experienced a breach. An employee benefit plan that has a lot of confidential employee information would likely see higher rates, and the highest annual rate that I’ve seen on a large employer plan is about $15,000.
Rates will go up if an employer has recently experienced a breach and if they have had multiple occurrences, just like auto insurance rates go up for drivers with multiple car accidents. We try to encourage clients to get underwritten before they have an event so they can lock in lower rates—and then, even if they have an event, the premium doesn’t jump as much or as quickly.
What options are available and what is typically included or excluded?
AS: Basic cyber policies are fairly standard across the board. Small to midsize enterprises are buying cyber insurance because of the support: much like other insurance policies, it’s a financial indemnification vehicle that’s meant to protect your balance sheet. Cyber insurance, though, provides organizations with the infrastructure they need to effectively respond to a cyber attack in addition to financial protection. Large companies typically have that infrastructure, but some small to midsize organizations can’t invest time and energy in creating it. Cyber insurance takes care of that, plus it pays the bills for all the various providers needed to respond to an attack. Large businesses buy cyber insurance for different reasons. For example, there are a lot of regulatory developments relating to cyber breaches and cyber attacks, and you don’t want to be offside with the regulators. Exclusions should be carefully reviewed by the insured and their broker. Some worth noting are war and terrorism exclusions, core infrastructure failure exclusions and property damage exclusions.
What are the key considerations for evaluating a cybersecurity policy?
JS: The first ones are going to be cost and coverage. How much is it going to cost, and what’s the benefit? What are the limits on the policy in terms of cash that can be recovered? It’s generally going to range between US$1 million and $5 million, depending on the significance of a breach or attack.
Also, look at the renewal process. How does it work, and for what period of time does the contract run?
Most cyber insurance is issued on a 12-month or calendar-year basis, but we’ve seen a few that offer three-year policies. That’s advantageous because you can lock in a rate, and if you have a breach during that time, your rates won’t go up right away.
AS: There has to be baseline coverage: incident/breach response coverage; legal, computer and forensic experts on standby to help you get up and running; and PR. That’s called breach event expense, which is extremely important—it’s the backbone of your cyber insurance. The next one is ransomware coverage and cyber extortion: it pays the ransom amount as well as other expenses relating to the ransomware. Then there’s the restoration of your data: plan sponsors typically have a lot of confidential information belonging to individuals, so having that coverage is key. And finally, cyber insurance will come with liability coverage. If you have lost information and are going to be in a lawsuit as a result, then cyber insurance will pay to defend you in court as well as any settlements, judgments or damages against you.
Want to learn more about the latest developments and trends in cybersecurity? Stay tuned for more tips to better protect your organization from Word on Benefits®.
Kathy Bergstrom, CEBS
Senior Editor, Publications at the International Foundation
Alyssa Hodder, GBA
Director, Education and Outreach – Canada at International Foundation