Cyber insurance, sometimes referred to as cyber liability insurance or cyber risk insurance, is a type of insurance that transfers a policyholder’s financial liability for cybersecurity and privacy events such as cyberattacks, data breaches, acts of cyberterrorism, or regulatory violations.
Much like the cyber threat landscape itself, the cyber insurance market is constantly evolving. While there can be a great deal of variation from one cyber insurance policy to the next, most leading cyber insurance underwriters provide the same core first-party and third-party insuring agreements that have been commonplace for over 10 years.
It’s important to note that cyber insurance is not a replacement for a strong cybersecurity strategy and posture, as it is not intended to cover a company’s gross negligence in ignoring its cyber risk. Rather, it is intended to cover risks that remain even after reasonable efforts have been made to minimize them. For more information on this distinction, please read our related blog post, Cyber Insurance Is Not a Substitute for Cybersecurity.
There are two distinct components of a cyber insurance policy: first-party coverage and third-party coverage.
While the specific terms of each policy will vary from business to business and insurer to insurer, typical first-party insuring agreements include:
Third-party cyber insurance is designed to transfer the financial risk an organization bears for a cyber event that it was responsible for preventing. It is also very important to note that the breach does not need to happen on the organization’s own network. Organizations may become liable for an error, omission or act of negligence that led to a security event impacting a third party, even when that event is unrelated to anything on their own network.
Third-party cyber insurance is of particular importance for any organization that manages PII or that is responsible for another party’s network security.
As with first-party policies, there is some variety in what a third-party cyber insurance policy covers. Coverage may include:
A few important exceptions
It’s important to note that many cyber insurance policies carry a few exceptions. Many cyber underwriters have scaled back or do not cover financial fraud resulting from social engineering techniques, which manipulate employees, vendors or other people within the organization into wiring funds to unauthorized accounts. While coverage of this nature may be offered as an extension to an existing policy, many companies overlook this risk and fail to protect the business. This underscores both the need to train network users on safe and acceptable online behaviors, and the need to carefully review and assess the policy and any gaps with a trusted cybersecurity expert.
Another area not usually covered by cyber insurance policies is the cost of strengthening a system after an attack. While the insurer’s cyber services and support may identify areas for improvement as part of their forensic analysis, the cost of upgrading, patching or hardening the security architecture will not be covered by the policy.
Finally, many policies secured outside the United States may have geographic restrictions, especially for US-based operations. It is important to identify any uncovered entities, especially given that cyber threats are not bound by country borders. Organizations should work with a cybersecurity team to weigh their risk and assess the likelihood of being the victim of a foreign adversary that targets specific nations.
According to the 2021 CrowdStrike Global Security Attitude Survey, 66% of organizations suffered at least one ransomware attack in 2021, and as shown in the CrowdStrike 2024 Global Threat Report, ransomware-related data leaks increased 76% from 2022 to 2023. This is fueled in part by the growing availability of hackers “as a service,” which makes ransomware and other malware attacks available to those who lack the technical expertise to carry out such an attack themselves.
Ransomware attacks are typically among the most costly cyber events to remediate: they not only disrupt business operations and require significant resources during the recovery process, but also often involve payment of the ransom demanded by the attackers.
The shift to a remote work model, accelerated by the COVID-19 pandemic and stay-at-home orders, has dramatically increased the attack surface of organizations. As employees access applications, assets and systems through private networks and personal devices, they expose the organization to a new level of risk. Further, the proliferation of connected devices and Internet of Things (IoT) technology provides a plethora of entry points for cybercriminals.
Most existing cybersecurity strategies and toolsets simply were not equipped to handle this new way of working, which has introduced new security gaps and shortcomings.
Ransomware remains one of the most profitable tactics for cybercriminals. The average ransom payment in 2023 was $1.85 million USD. The victim company must also cover the cost of cleaning and restoring affected systems, as well as legal, security and public relations services.
It is important to keep in mind that even when a ransom is paid, that is no guarantee that the organization’s systems, data and other assets will be restored.
Given the increase in cyberattacks, as well as the high cost associated with remediation, cyber insurance is a necessity for any digital business. One of the primary targets for hackers and cybercriminals is data, including PII, such as the names, addresses, social security numbers, bank account information, credit card numbers and other information that can be used to carry out fraud, advance secondary attacks or be sold on the dark web.
While many small or mid-sized businesses or organizations may assume that their relative obscurity will protect them from cybercrime, in fact, our analysts have found that many cybercriminals see these organizations as easy targets because they often do not have robust cybersecurity measures in place.
On the other end of the spectrum, large and prominent organizations can be the target of big game hunting, a type of cyberattack that usually leverages ransomware to target large, high-value organizations or high-profile entities. Victims are chosen based on their ability to pay a ransom, as well as the likelihood that they will do so in order to resume business operations or avoid public scrutiny.
Recent analysis from CrowdStrike reveals that big game hunting continues to be a security concern for large organizations, regardless of location or sector. The 2024 CrowdStrike Global Threat Report reveals that the increase in the number of victims in big game hunting dedicated leak sites (DLSs) is partly attributed to new BGH adversaries and high-volume campaigns involving adversaries such as GRACEFUL SPIDER.
In this landscape, organizations have three basic options when it comes to cyber insurance:
| Insurance Risk Transfer | Self-Insurance | No Insurance |
|---|---|---|
| Efficient and reliable risk mitigation leveraging the commercial markets to achieve an acceptable risk posture | Reliance on cash reserves to fund a multi-million dollar breach response and third-party liability | No formal plan to fund a potential breach response or third-party liabilities |
| Low risk | Medium risk | High risk |
It is important to note that cyber insurance is a net-new insurance product meant to cover gaps within traditional insurance policies, such as general liability insurance (GCL) and errors and omissions insurance (E&O). In both cases, existing policies were not designed to protect against the modern threat landscape. Most do not have specific language that addresses cyberattacks or cyberterrorism, which generally means that claims stemming from such activity will not be covered or that support will be limited.
The cost of a cyber insurance policy is most heavily influenced by the level of coverage the organization wants or needs. As with traditional insurance policies, there is a wide range of coverage options to fit each organization’s budget based on their risk tolerance.
Several factors determine how cyber insurance premiums are calculated. These include:
The rise in ransomware, in particular, has had a direct bearing on cyber insurance premiums and coverage. The increase in cyber insurance premiums, 50% in 2022, has been directly attributed to an increase in insurer losses caused by ransomware attacks of accelerating sophistication and severity. Another consequence of this rise in ransomware attacks has been reduced coverage limits, specifically in high-risk industries such as healthcare and public entities.
Insurance criteria have become stricter due to the increase in the volume and severity of ransomware and other cyber-related events. Over the last two years, insurance companies have experienced increased losses related to cyber claims. As a result, insurers have strengthened their requirements to better protect their loss ratios.
Underwriters are requiring greater transparency into security programs to gain a better view of the true exposure, and are placing more emphasis on the proactive measures that insureds must take to protect their business from cyberattacks.
The insured’s cyber tech stack is one of the biggest factors in determining the cost of the premium. While there is no single tool or combination of controls that guarantees security, there are some best practices that will help reduce the company’s risk profile. These include:
In addition to strengthening the cybersecurity tech stack, organizations can also adopt IT hygiene best practices to further reduce their risk profile. These include:
As the security landscape continues to evolve, some organizations are facing significant premium increases for their existing coverage, while others may not be able to renew their policies without proving that they have made investments in their tech stack and strengthened IT hygiene.
Overall, insurers are becoming more discerning about who they agree to take on as a client and how they calculate the premium. Having comprehensive and complete visibility into the attack surface will become increasingly important not just to the security of the organization, but to its insurability. This is because a lack of visibility into identity-based incidents increases the dwell time — the time an adversary goes undetected inside the network — making it difficult for organizations to detect and remediate the incident before the damage is done. Companies should also take steps to provide higher levels of protection around their most valuable assets and data.
For more information on how your organization can understand the evolving landscape and select a policy that meets your needs, please download our related paper: How to Navigate the Changing Cyber Insurance Market.
The key to improving insurability lies in the organization’s ability to demonstrate comprehensive security coverage. The CrowdStrike Falcon® platform is designed as a highly modular and extensible solution that helps clients reduce risk and improve their security standing. Our platform includes:
CrowdStrike understands the intricate nuances of cyber insurance because we have a team dedicated to working with the cyber insurance community. This team is composed of experienced insurance professionals who previously underwrote and brokered cyber insurance. They spend a great deal of their time educating insurance underwriters and cyber insurance brokers on the value of CrowdStrike products and services and on how our solutions help our clients better qualify for cyber insurance.
Narendran is a Director of Product Marketing for Identity Protection and Zero Trust at CrowdStrike. He has over 17 years of experience driving product marketing and GTM strategies at cybersecurity startups and large enterprises such as HP and SolarWinds. He was previously Director of Product Marketing at Preempt Security, which was acquired by CrowdStrike. Narendran holds an M.S. in Computer Science from the University of Kiel, Germany.