Organizations manage risk in three ways: they accept it, they take out insurance against it, or they take active measures to diminish its potential impact. These active measures commonly include deploying or enhancing (or removing) technology, updating policies and procedures, instituting training and awareness programs, revising their third-party agreements, and in some cases, modifying their organizational structure.
When organizations are deciding which mitigation techniques to apply, they look at relative costs. Note that this does not require a detailed risk quantification effort – those tend to go off the rails quickly. For estimates as uncertain as cyber risk, it is prudent to be generally correct than precisely wrong. Cyber insurance is among the proactive measures that can be taken as part of a holistic information security risk remediation program.
Growth of Cyber Insurance
There are two separate trends driving this growth. First, the number of organizations purchasing cyber insurance is growing. Second, the premiums for a given amount of coverage are increasing. However, demonstrating a strong information security program can help organizations negotiate a reduced rate.
According to Marsh’s Global Insurance Market Index Q4 2016, the cyber insurance market in the U.S. continues to see moderate increases in premiums. In 2015, rates increased by 12 to 15 percent, while in 2016 rate increases dropped to single digits, ending the year at 1.2 percent. The survey notes that cyber insurance purchases increase in the aftermath of a noisy, expensive incident. Recent events – the Verizon AWS leak, the waves of ransomware, and such – will drive buying.
Another consequence of more organizations electing to purchase cyber insurance is that the dollar volume of insurance premiums is growing. According to the May 2017 Cyber Insurance Market Watch Survey, from the Council of Insurance Agents & Brokers, 44% of respondents (insurance brokers) report that their clients are increasing their coverage, while none report any client decreasing coverage. The average policy covers about $6 million, up from $3 million in last fall’s survey. Growth is fastest among small-to-medium enterprises, as they become increasingly aware of the real cyber threat. Three brokers noted that they each had clients seeking $600 million limits. The largest reported last fall was $500 million.
The Financial Times reports global premiums amount to $2.5 billion in 2016. Allianz, an insurer based in Munich, Germany, expects that to exceed $20 billion by 2020. Third-party risk and business interruption coverage, along with ransomware and hacking risk are driving that growth.
Getting the best coverage for your buck
Once an organization decides to purchase cyber insurance, it can lower the premium significantly by having a strong information security program, which reduces the potential exposure to the insurer. The following elements will make a difference.
Cyber insurance is an effective supplement to a robust information security program. To help negotiate the best premium for your organization, check out Trend Micro’s Control Manager. The layered, centralized visibility and robust reporting can be used to demonstrate effective security management procedures to cyber insurance providers.