Mandatory protections, higher premiums and continued growth -- cyber insurance predictions for 2024
The high costs, both financial and reputational, of dealing with a cyberattack, along with tighter regulations that mean attacks must be reported, have led many more organizations to seek protection through cyber insurance.
This is still a relatively new and developing field, so what do industry experts think we'll see in the cyber insurance market in 2024?
David Bennett, CEO of backup company Object First, thinks that immutable backups will be a requirement for companies covered by cyber insurance. "Cyber insurance underwriters will bring reality to the market. The average ransomware demand increased by 74 percent this year and cyber claims have already jumped 12 percent. In 2024, cyber insurers will have no choice but to raise premiums -- a lot -- in order to reel in losses, or take it upon themselves to advocate for better cyberattack preparation amongst their customers. We'll start to see immutable backups as a requirement for companies to be covered by cyber insurance. The ability to get cyber insurance will be a major driver of the adoption of better data backup practices in the enterprise. Those who fail to adopt will be left without insurance or an effective recovery plan, and will not be able to financially recover when the inevitable ransomware attack hits."
Paul Laudanski, director of security research at Onapsis, thinks the rising costs of cyber claims in 2024 will push insurers to re-evaluate insurance policies:
In 2024, we will witness a significant surge in insurance claims related to cyberattacks. This increase is expected to prompt a concerted effort within the insurance industry to enforce stricter requirements for board members and executives to possess a comprehensive understanding of cybersecurity. Much like how regions hit by hurricanes saw their damage insurance policies become unsustainable, the rising cost of cyber claims will force insurance companies to reevaluate their offerings.
Consequently, we will see new restrictions emerge, mandating that organizations' leadership must demonstrate expertise in security and ransomware, while also establishing robust processes and technology frameworks to facilitate effective incident response. This proactive approach aims to ensure that the days of merely requesting a recovery are replaced by a well-prepared checklist in the face of cybersecurity attacks.
Dirk Schrader, VP of security research, and Ilia Sotnikov, security strategist at Netwrix, believe cyber insurance requirements will tighten. "With successful cyberattacks leading to increasing payouts, insurers will require more organizations to have strong security measures in place to qualify for a policy or to reduce premiums. Common requirements today include multifactor authentication (MFA), patch management and regular security training for business users. In 2024, identity and access management (IAM) is likely to join that list, especially for the enterprise sector. What's more, we expect insurers to partner with managed service providers (MSPs) to help ensure a minimum level of security at small and midsize companies."
This view is echoed by John Golden, UK regional director at Nozomi Networks. "In 2024, I anticipate that insurers will become increasingly stringent in their underwriting processes. This means that organizations will need to demonstrate and prove the right level of OT and IoT security policies and measures are in place before being granted coverage. This underscores the need for businesses to invest in comprehensive cybersecurity solutions to protect their assets and maintain insurability. We have seen two cases recently of major global organizations having cyber insurance declined."
Jon Miller, CEO and co-founder of Halcyon, says, "Recent reports indicate a 12 percent spike in cyber insurance claims related to ransomware attacks over the first six months of 2023. Although organizations have increased the adoption of cyber insurance, most insurers no longer cover all of the potential losses from ransomware attacks, and those that do have significantly increased premium costs to insurmountable levels -- leaving businesses with the choice of forgoing insurance due to budgetary restrictions. Further, if and when the time comes to submit a claim, if the organization is out of compliance -- for example, if it did not apply patches in a timely manner or misconfigured security applications -- it will be disappointed to find that their policy does not cover the attack."
Tom Ammirati, CRO of PlainID, says, "The security landscape will continue to present new and challenging obstacles for organizations in 2024. We saw the global average cost of a data breach in 2023 jump to $4.45 million, and as ransomware attacks continue to persist, that number will only go up in the coming year. To avoid this kind of payout, many organizations are investing in cyber insurance; however, that too will only get more expensive as its demand grows. In an attempt to decrease the financial and operational burden of devastating cyberattacks on organizations, regulators and legislators will ramp up their initiatives to hold cybersecurity firms accountable for breach notifications, security posture management and zero trust initiatives."
Andrew Correll, director of insurance solutions at SecurityScorecard, foresees stormy times ahead for the industry:
As cybersecurity threats continue to escalate in 2024, insurers face a delicate balancing act. On the one hand, insurers must scrutinize companies more closely to assess their risk profiles and ensure adequate safeguards are in place. On the other hand, they must also remain competitive in a rapidly growing market, which may tempt some to loosen underwriting requirements and lower premiums to gain market share. This dichotomy will create confusion for insurance buyers, who may struggle to understand the evolving underwriting landscape and the potential implications for their coverage.
Insurance companies that slash premiums will introduce new exclusions to offset the reduced revenue. This can leave policyholders with a false sense of security and expose them to significant financial losses in the event of a cyberattack. When an organization purchases a cheaper policy and subsequently experiences a claim, it will discover the reason for the lower price tag. This reinforces the misguided perception that cyber insurance is a racket.
On a positive note, Ben Beeson, vice president of BlueVoyant, expects cyber insurance to remain the fastest growing part of the insurance industry. "Cyber insurance continues to remain the fastest growing risk class in the insurance industry despite its challenges. In 2024, the insurance industry will continue its investment in better data, technology, and people to support its ability to accurately model and underwrite cyber risk. It will also continue to gravitate towards the cybersecurity industry to meet these needs in the form of partnerships and acquisitions. In 2023 we saw an uptick in debate about the role of the federal government in the US (and governments elsewhere), and whether it should provide a backstop to the insurance market against major systemic cyber events. This debate is nothing new and has been happening for the last 10 years. However, in 2024 the debate will continue to gather pace in the face of significant risk to national economies and critical infrastructure."