
Why underwriters are struggling to price cyber risk insurance policies

This past December, the CEO of one of Europe’s biggest insurance companies issued a stark warning. Zurich Insurance’s Mario Greco stated that cyberattacks will become “uninsurable” and went on to warn of the dire consequences of a dark agent “tak[ing] control of vital parts of our infrastructure.” Attacks have already targeted the British health service and, just days ago, Pakistan reported that nationwide power outages may have been the result of a cyberattack.

Greco’s warning is poignant for governmental and private organisations alike. Cyber is the most important global business risk for 2023, according to Allianz’s annual Risk Barometer, and this is a time of ever-increasing cyberattacks. As a result, companies are reporting spiralling insurance premiums: according to an S&P Global Market Intelligence analysis, written premiums for all cyber policies jumped to $4.83 billion in 2021, which was a 74 percent year-over-year increase from $2.77 billion in 2020.

Underwriters are struggling to price cyber risk policies because they don't have the tools to accurately determine their clients' risk posture. Cyber insurance was created before the risk was entirely understood and insurers are having to create tailored policies even as the risk continuously shifts and evolves.

Companies are caught in the crossfire: they are unsure if their insurance premiums will continue to increase as cyberattacks rise. There are mutterings that the sharp rise in premiums and exclusions may abate, but there are also moves by some firms to reduce their insurance cover, instead shifting resources to invest more in their cybersecurity offering.

If companies don’t have cyber defences, they could be denied insurance coverage entirely. They will also face the ire of organisations like the SEC, which are increasingly fining companies for noncompliance in their cyber controls. April 2023 will see the SEC take its final action on its changing cybersecurity regulation, proposing rules to “enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance and cybersecurity incident reporting.”

As we move into this period of more stringent regulation, the better the controls, the less likely companies are to get fined and the more likely companies are to get insurance coverage. Whether companies are compliant will also be an important factor for potential clients – insurance firms will shy away from working with those whose reputations could be on the line. There are no unified codes of mandated policies, so external advice and oversight will be invaluable here.

If companies don’t have adequate cyber insurance policies in place, this will be obvious when any due diligence or RFPs take place. Some will avoid partnerships with companies who do not have their policies in place. After all, any weakness in a network is attractive to cyber criminals. Coverage might not be compulsory, but it's a sure sign to others -- whether clients or suppliers -- that a business is taking its cybersecurity seriously. It is often investors who push for cyber insurance, especially for smaller firms.  

Cybersecurity measures and cyber insurance are intrinsically linked. Cyber insurance is another layer of protection, and as such, it shouldn’t have to be sacrificed. Cybersecurity doesn’t need to be prohibitively expensive, thereby forcing companies into an either/or situation.

Instead, companies should be deliberate and wise in their choice of cybersecurity measures. They needn’t try to do everything themselves. They need to bring in a neutral advisory company, which will audit what measures are in place -- everything from employee training to penetration testing.

Companies need continuous vulnerability management but they -- and their MSPs -- cannot look at themselves objectively.  Instead, they must look for a support partner that can ensure that the MSP is providing the service it is supposed to and that the company’s cyber health is robust. Having a cybersecurity expert on hand will also provide business credibility for companies when they are talking to clients.

This year, when geopolitical conflicts and economic uncertainty continue worldwide, there are predictions that cyber crime could cost the global economy as much as $16 trillion. Cybersecurity measures are essential and cyber insurance coverage, as an extra layer of protection, is something companies should strive to have in place both for their safety and their reputation.


