Spiking costs have put cyber insurance out of reach for many SMEs. A panel at Computing's Cybersecurity Festival discussed what's going on, and if we can expect it to change.
A combination of rising costs and increased payouts has sent premiums soaring over the last 12 months. Panellists Joseph Da Silva, CISO at RS Group, and John Stenton, Head of IT at Thrive Homes UK, said they had been quoted renewal prices as much as 150% higher than last year.
"The book of available business is shrinking for reinsurers, so premiums are going up," said Da Silva. "It's not just the size of individual payouts, but the number of payouts. There are many we see in the press but many more we don't hear about. Insurers no longer see [cyber] as an attractive market."
The doubling (or more) in price comes on the back of even higher increases last year. The result is SMEs being priced out of the market - and even that only applies to those that can satisfy the qualifying questions.
"I'm dreading renewal," said Stenton. "They ask so many questions. There are rumours that they're turning more people down; they want to know all the ins and outs."
"Part of the problem is there's not enough money being put in by reinsurers, so not enough money to pay out," said Da Silva.
"That's why they're asking such detailed questions. There are now panels you need to attend [to qualify for reinsurance]. I know of companies that have been through that and then been turned down."
Public sector feels the pinch
It's not only SMEs under pressure. The NHS is one of the UK's largest employers, but its budgets are stretched to breaking point. Joanna Smith, Interim CTIO at University Hospitals Sussex, said insurance is "no longer affordable" for the organisation.
Smith was an insurance customer in 2013. The market has changed since then, and the high requirements are a significant barrier to entry.
"The public and charity sectors are often in a less mature state [than the private sector], and that makes it difficult to get insured," she said.
"[In 2013] it was what you have, what you can prove - your policies, your audit trails - and I hear it's got even worse. Not many organisations can expect to be at that standard. Your money is better spent getting to that standard."
Da Silva agreed:
"You could be better spending the money fixing the things that need to be fixed. If you have a reasonable level of security controls in place, maybe you could self-insure, though I'm not sure I'd advise it.
"It's not quite like car insurance, but it is like parcel insurance. My decision to get parcel insurance is based on contents and carrier. If it's UPS, I trust them. If all that's available is Evri, I'll get insurance. I'm making that decision based on the [carrier's] capability."
Instead of insurance, Smith has a virtual CISO service. Although the coverage isn't as broad, the organisation still benefits from incident response.
There is "a growing market for these types of [virtual CISO] services," said Stenton. "They are probably the ones insurers will recommend anyway. Save your money and employ them yourself."
Taking a lesson from health insurers
For those who really want the "comfort blanket" of cyber insurance, it's not all bad news. Da Silva said prices are likely to come down again as insurers gain a better understanding of how to price risk - he knows of at least two who have employed former CISOs as loss adjusters.
"When actuaries get used to [quantifying risk] prices will start to stabilise. Niche areas will open up and I think businesses who previously wouldn't be able to afford those sorts of premiums will be able to do so via a discount - ‘We'll cover you for these things and these things but not these things.'
"I can almost see a situation like Vitality, the health insurance brand, where they're giving people free Apple Watches and then a discount if they stay active. So that reduces health insurance premiums. I think you'll probably get insurance companies partnering with security providers to do that."
