This is apparently due in part to insurance providers incentivizing companies to improve their cyber defenses, not only by requiring minimum cyber defense standards as a condition of coverage, but also by linking premium costs and depth of coverage to maintaining those standards.
It seems like that should just be common sense.
Insurers are also pulling back from going “all in” on cybersecurity insurance: offering lower coverage limits; tightening contract terms, conditions, and exclusions; and being more selective about which markets (e.g. industries) they will write cybersecurity policies for at all, and at what limits and terms. They are also increasingly denying claims on existing policies. This is the challenging landscape faced by organizations seeking approval of a new cybersecurity insurance policy or renewal of an existing one.
The podcast episode of “Unscripted” below dissects the groundbreaking Merck cyber insurance case, offering a useful perspective on cyber risk management. It is a must-listen for anyone navigating cyber insurance complexities, drawing out the key lessons from the Merck-NotPetya dispute and how the war exclusion in Merck’s policies was argued. The discussion offers insights into policy exclusions and the evolution of cyber-related insurance coverage. The basic message is that cyber-insurance providers are playing hardball with current and prospective policy holders, and rightfully so.
Pricier premiums for cybersecurity insurance are an unfortunate but obvious consequence (for policy holders) of the rising number of costly data breaches, ransomware incidents, and other security attacks occurring in the world today. Large non-malicious outages count too: the losses that cyberinsurance providers absorbed from the July 2024 CrowdStrike incident (a faulty update, not an attack, but a widespread insured business interruption all the same) are likely to mean that the cost to insured organizations for new policy approvals and existing policy renewals will continue to trend up for at least the near future. Providers aren’t stupid; they’re making a business decision.
Cyber loss modeling (to providers and insured alike) reminds us of the saying: “man plans, God laughs”.
Cyberinsurers are waking up to the risk they’ve taken on and the potential losses they could incur, which is not a comfortable position for them to be in (they are in the business of making a profit, after all). Providers are responding accordingly with rising costs to the insured, which makes sense. This isn’t necessarily a bad thing either, as it forces companies to finally “get serious” about their cybersecurity efforts (funding, staffing, strategy, etc., all of which are increasingly scrutinized by underwriters before a policy is approved) or risk being exposed with no coverage.
We strongly believe companies should view cybersecurity as a business issue rather than just an IT problem. EVERYONE in an organization, from top management to individual employees, is responsible for cybersecurity. Companies should approach cybersecurity similarly to health and safety, with a culture that promotes vigilance and proactive measures.
The need for constant vigilance and proactive measures in cybersecurity cannot be overstated (cyberinsurance notwithstanding). Businesses must invest in comprehensive security solutions, yes, but they absolutely MUST also foster a culture of awareness to effectively mitigate risks.
We’ve had too many “watershed moments” in Cybersecurity the last few years. The unfortunate consequence is that we have officially entered the 21st Century game of cyberwarfare. We’ve always talked about the importance of Cybersecurity, and now we’ve been hit in the face HARD. The implications of this moment are simple: you get serious about Cybersecurity, right now, or you wave the flag of surrender.
If you do the former with focus and budget, you are in better position to protect your business. If you do the latter, you simply let your systems, networks, data, and e-commerce be “owned.” Cyber insurance isn’t going to come in on a white horse to save the day, or your business. The only thing that will work is to accept the reality that this is warfare. Adopt the posture of a warrior, focus your budget, amass your tools, and step up your game.
It’s painfully obvious that cyberinsurance costs for new policies and renewals of existing policies are going up. Insurers are also increasingly denying coverage outright if you don’t have your stuff together, and increasingly denying claims when the insured should have done better or more. That makes a lot of sense; they should be. The risk to insurers is too high given the threat environment and the still-lagging emphasis (e.g. staffing and funding of cybersecurity strategies and initiatives) at too many organizations.
The message to companies is take it seriously, or not. If not … you’ll pay the price, literally. That also makes sense.
Pay now or pay later … it really is that simple. Or put another way … if you’re more concerned about the “bottom line”, you won’t have a “bottom line” to be concerned about for long. You’ll be out of business.
Having Cyber Insurance doesn’t guarantee you will get a claim paid out either. With a staggering number of claims being denied, it’s crucial to understand why.
Cybersecurity insurance promises peace of mind. But for this company, it became a legal nightmare.
In 2013, Cottage Health, a California hospital system, suffered a major data breach. Tens of thousands of patient records were exposed online through a misconfigured, internet-accessible server. They thought their multi-million-dollar cyber insurance policy with Columbia Casualty had them covered.
Then, everything turned upside down.
Instead of covering the losses, Columbia sued Cottage Health in 2015, invoking the policy’s “Failure to Follow Minimum Required Practices” exclusion and claiming that Cottage Health had not complied with the security controls it had represented in its insurance application.
Suddenly, the insurance that was supposed to protect them became the center of a high-stakes legal battle.
Here’s what you need to know to avoid a similar fate:
✅ Don’t just skim your cyber insurance policy. Read it in detail. Are there exclusions for things like negligence or compliance issues?
✅ Ensure every answer you provide in the application process is correct. A single mistake could cost you millions in coverage disputes.
✅ Stay vigilant and assess your practices regularly. Insurance won’t save you if you’re not following the cybersecurity protocols you promised.
In the end, a U.S. federal court dismissed Columbia’s lawsuit, but on procedural grounds: the policy required the parties to attempt alternative dispute resolution before litigating, so the court never ruled on whether the exclusion applied. It was a positive outcome for Cottage Health, but the process was costly and stressful. Plus, don’t expect the same legal results today. Times have changed.
Many businesses make the mistake of thinking that once they have cyber insurance, they’re fully protected. However, the reality is that cyber insurance has its limitations. It might cover some financial losses but won’t repair your reputation, recover lost customers or undo the damage caused by a breach. That’s an unpleasant fact you need to be aware of.
The main takeaway of this article is clearly explained in the video below. It explores the surprising reality of cyber insurance: how difficult it really is to obtain a policy, and how difficult it is to actually get a claim paid. The point is that if you aren’t taking cybersecurity seriously and putting a solid cybersecurity strategy in place upfront (with the requisite tools, resources, staffing, culture, and funding), don’t expect cyberinsurance to save the day for you. That’s not how it works. If you’re not serious enough to put in the effort, you won’t get a policy request approved (new or renewal), and you won’t get a claim approved either. Cyberinsurance providers are getting much tougher in this regard, and rightfully so. It’s time to wake up to this reality.
For FREE help addressing everything you need in a cybersecurity strategy to improve your chances of getting a cyberinsurance policy approved or renewed simply ask us at FreedomFire Communications.