Cyber insurance premiums are on the decline – but is it good news?
Last year, industry reports projected that the global cost of cybercrime would reach $9.5 trillion, equivalent to a loss of $302,000 every second. The rise in cybercrime and associated costs have directly fueled the cyber insurance market, which is expected to grow from $8.5 billion USD in 2021 to $14.8 billion in 2025. However, with such high stakes come equally high premiums.
Cyber insurance premiums soared throughout 2021 and 2022, primarily because ransomware was in its prime. While the ransomware threat still hasn’t abated, more organizations are now ransomware-resilient and manage to avoid paying ransom altogether. Additionally, new technologies, like AI, are streamlining and strengthening cybersecurity. As a result, cyber insurance premiums have reportedly been declining since early 2023.
Regardless of the reports, about 50% of organizations still experienced increased premiums, meaning that not all companies fully benefit from the decline in insurance costs. So, what gives?
Understanding Cyber Risks and Lowering Insurance Premiums
The cyber landscape is largely unpredictable compared to other insurance lines, such as property or health insurance, where risk models have been refined and matured over the past several decades. Lowering insurance premiums can significantly strain insurers trying to make the market sustainable for themselves. Therefore, any sustainable decrease must depend on the insured companies' cyber hygiene and security posture.
Today, insurance companies want network and data security evidence before deciding on premiums and coverage. Cyber premiums are also tightly knit to the company’s risk profile. Cyber premiums are also tightly knit to the company’s risk profile - the greater the company's risks, the more it needs to be cyber-insured. Below are some crucial steps that you can take to fulfill the increasingly stringent cyber insurance requirements and improve your standing during the underwriting process:
Attack Surface Discovery: You need to have a complete picture of your attack surface, including all network endpoints, IT assets, and all the data you own and utilize across all your infrastructure environments. Demonstrating self-awareness of the attack surface can improve your odds of securing lower premiums, better coverage, and faster approvals, but discovery isn’t enough!
Zero Trust and LPA: Zero Trust Network Access (ZTNA)’s primary goal is to ensure varying access levels for different users and user groups, applying least privilege access (LPA) principles at the network layer. However, you must apply least privilege access (LPA) at a much more granular level—at the data level—to ensure that users cannot access sensitive parts of files and documents unless they are explicitly authorized. This guarantees a smaller blast radius, helping you negotiate better insurance terms.
Compliant Supply Chains: When you acquire new technologies, solutions, or partners and integrate them into your ecosystem, you take on their attack surface and potential vulnerabilities to your own environment, heightening risk. You need to have a complete picture of your vendors’ and partners’ security practices, selecting those who comply with cybersecurity standards and regulations like ISO, SOC, and HIPAA and implement known cybersecurity frameworks such as NIST and CIS Controls.
Regular Pen-testing and Red Teaming: Continuous pen-testing can reveal potential vulnerabilities as soon as they arise, while annual or biannual, expert-led penetration testing and red teaming can uncover hidden vulnerabilities that require human oversight. This shows insurers you're in lock-step with your evolving attack surface and emerging weak points. A proactive approach to cybersecurity provides more substantial leverage when negotiating premiums.
Incident Response Plan: Despite your best efforts, the chance of a security incident always remains. A comprehensive incident response plan ensures that if an outage, breach, or attack occurs, you can swiftly understand, respond, and mitigate the impact, lowering the overall cost and effect of the incident to build rapport with insurers.
AI-Powered Cybersecurity: AI can boost cybersecurity through automated vulnerability scans and assessments, unprotected data discovery and classification, compliance monitoring, and threat detection. Insurers value these AI-powered proactive and adaptable cybersecurity capabilities and may consider those who implement them as lower-risk and eligible for reduced premiums and better coverage.
Reducing Data-Centric Risks with Confidencial
A critical factor determining insurance premiums is the sensitivity of the data you handle. This isn’t something you can work around but must work with. If you're dealing with sensitive data, you must protect it at its core to secure lower premiums and ensure the coverage you’re paying for. Without preemptive protections like data encryption and access controls, claims might be partially or entirely denied since over 40% of insurance companies require least privilege access (LPA) controls for granting a policy.
Confidencial can help:
Find where your sensitive data lives: Confidencial locates sensitive data hidden in files and folders across your entire IT environment—cloud, on-prem, and local.
Apply full-file or selective encryption: Once you have a complete view of the data that needs immediate protection, you can encrypt entire files or just the sensitive parts.
Continuously scan and protect: Schedule regular scans to discover sensitive, unstructured data as soon as it’s created—set policies to automatically protect it upon discovery.
Confidencial strengthens your data security posture even as your data, technology, and corporate footprint expands. Manage LPA at the data level, demonstrate your robust data security posture, and join the 5% that are actually seeing their premiums decrease. Request a demo today!
Comments