SMB Cyber Insurance: The End of Innocence

By Nadav Arbel, Co-founder & CEO, CYREBRO

The cyber insurance landscape has changed dramatically in recent years – for both insurers and policyholders. In many ways, the past two years have spelled the end of innocence for this market, which was once willing to rely on simple cybersecurity checklists for policy underwriting. Today, things look very different – especially for SMBs, who lack both the deep pockets and the in-house resources their enterprise colleagues enjoy. What’s changed, why, and what can SMBs looking for cyber insurance expect?

What’s Changed and Why?

First off, cyber insurance has shifted from “nice to have” to a precondition of doing business in many sectors. From sales to forging partnerships and raising capital – if you don’t have cyber insurance, many organizations will not do business with you.

Secondly, demand for cyber insurance has experienced meteoric growth in past years with insurers scrambling to issue policies and capture market share. But then the cyber insurance loss ratio spiked from around 43% in 2020 to 72% in 2021. The frequency and value of customer claims skyrocketed. All of a sudden, insurers began losing money on cyber insurance – while cybercrime continued to surge.

Notably, ransomware attacks grew exponentially in 2021, with governments globally experiencing a 1,885% rise, the healthcare industry facing a 755% increase, and attacks overall more than doubling compared to 2021. Ransomware payments surged to $590M in the first six months of 2021, up from $416M in all of 2020.

This presented a unique challenge for cyber insurers. Ransomware insurance tends to create a negative loop: companies with insurance are more likely to be able to meet ransom demands, and attackers know this. This incentivizes attackers to target companies with insurance. And that’s why some traditional insurers are trying to scale back their ransomware offerings, hoping to reduce the temptation for hackers and thus their payouts. Others are raising premium prices, or simply turning away cyber prospects. What is common to all cyber insurers today is an increased demand for validation of sufficient cybersecurity precautions as part of the underwriting process. The age of innocence for cyber insurance has passed. Today’s cyber insurers adhere to the age-old Russian proverb: trust but verify.

What Should SMBs Looking for Cyber Insurance Expect?

Just like car insurance evolved in some geographies to demand proof of car security through aftermarket security products, and health insurance demands declarations endorsed by a physician – cyber insurance is evolving toward proof, too.

Insurers now realize that risk questionnaires and in-house risk analysis assessment products are not sufficient for underwriting purposes. Today, insurers are simply not offering coverage if a cyber insurance prospect doesn’t meet a growing list of demands. Some of these demands include:

1. An active Endpoint Detection and Response (EDR) system
2. An operational SOC
3. Compliance with ISO 27001 information security standards
4. Active and ongoing offline or immutable data backups
5. A detailed disaster recovery and business continuity plan in-line with ISO 23301
6. Verifiable incident response capabilities, with a live SLA contract
7. Multifactor authentication for remote users, cloud-based services, and all privileged accounts inside the network
8. Web Application Firewalls (WAFs) for high risk websites
9. Guarantee of no legacy or out of support systems – or at least verifiable and powerful mitigations if these exist
10. Social engineering tests and training conducted

What’s more, insurers are no longer willing to settle for just declarations of the existence of these solutions – SMBs will need to show proof.

The Bottom Line

As the risks to both cyber insurance policyholders and insurers themselves continue to grow dramatically, insurance companies find themselves playing a new role in the SMB market: cyber protection instigator. Insurers still want a slice of the cyber insurance market and are increasingly willing to make specific underwriting demands to this end. It’s important that SMBs obtain insurance to ensure that they protect themselves, their partners and anyone they work with. To be eligible, however, they will need to meet and verify compliance with insurers’ requirements or risk facing increased premiums, suffer reduced coverage, or find themselves uninsurable. There’s no doubt that the end of innocence for the cyber insurance market is forcing SMBs to take a hard look at their security and take the necessary steps to protect themselves.

About the Author

Nadav Arbel is a co-founder and CEO at CYREBRO, a company offering Security Operations Center infrastructure that provides continuous monitoring and security services. Nadav can be reached online on LinkedIn (https://www.linkedin.com/in/nadav-arbel-a183573/) and at www.cyrebro.io.