Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

It's getting hard to buy cyber insurance, but not having it is not always an option. Low-coverage plans could bridge the gap.

Photo of a basic black office chair and an office telephone sitting in an otherwise empty room
Source: Bill Varie via Alamy Stock Photo

"Everybody says it, so it must be true" is an example of the bandwagon fallacy. In the context of cyber insurance, the argument goes that everyone is a potential victim of an attack, thus everybody must have cyber insurance. In reality, not every organization can afford to buy cyber insurance, and some organizations don't qualify for a policy even if they want one.

Having cyber insurance used to be as simple as purchasing a prepackaged cyber insurance policy, similar to the process of buying a home or car insurance policy. But with the explosion of ransomware attacks, the industry has been in disorder as insurance carriers and brokers process claims for damages caused by ransomware. In response to soaring claims, carriers are reducing the amount of coverage offered per policy, charging higher prices for less coverage, imposing much tighter rules on which companies can qualify for coverage, and canceling policies for companies that don't meet the minimum requirements.

Policy coverages are significantly lower than they used to be — in some cases dropping from $10 million to $5 million and often lower, and many companies cannot get enough, says J. Andrew Moss, a partner at Reed Smith LLP's Insurance Recovery Group.

"You have to fill in the gaps, and that's very tough because capacity has just been low or companies are priced out from buying as much insurance as they would ideally like to buy," he adds.

Coverage Required, But Out of Reach

For victims of a ransomware attack or a hacking attack where private information was disclosed, it can be difficult to obtain new policies. "What we usually recommend is that they undergo what we call a holistic review of their current insurance coverage," says Moss. The review includes general liability coverage, kidnap and ransom, property, first-party property insurance, and errors and omission, if they're in a professional services organization.

Some contracts and compliance regulations require that a company have a cyber insurance policy — posing a quandary for those companies that lose coverage. Without coverage, the company will find itself out of compliance or be vulnerable to a partner lawsuit for violating the terms of an existing contract. Getting some kind of cyber insurance policy often is mandatory, even if the company has other policies that could cover many of the losses a company might experience.

"It's not a comfortable time to be in business with respect to cyber-risks," says Daniel J. Struck, a partner at the law firm Culhane Meadows PLLC.

Characterizing today's cyber insurance market as being similar to the Wild West, Struck says he would not be surprised to see "relatively low-cost cyber insurance that doesn't cover much, but at least it provides the certificate for a contractor." He likens such "skinny" cyber insurance offerings to the low-cost, low-coverage auto insurance policies that allow drivers to meet US state auto insurance mandates.

Bare Minimum Provides a Fig Leaf

One benefit of a basic policy is that it could permit more organizations to obtain affordable coverage, eliminating the possibility of losing insurance and going out of compliance or violating contractual obligations.

Curtis Dukes, executive vice president and general manager for security best practices at the Center for Internet Security (CIS), notes that most corporate cyber insurance policies are negotiated by the corporate general counsel or outside counsel, and virtually all business policies are different. Underwriting these policies can take up to three months, he adds, due to their complexity and nonstandard clauses.

CIS offers a free self-assessment tool that helps users understand the financial impact of various aspects of a breach, including costs related to productivity, response, replacement, legal, competitive advantages, and reputation. The tool helps companies assess, report, and propose changes in cybersecurity controls based on a return-on-investment analysis, the organization says.

Because all states have their own insurance commissioner and rules, Dukes suggests that companies lobby the National Association of Insurance Commissioners directly to develop national, standardized policies that would be easier for organizations to understand and manage, as well as set minimum requirements for a basic policy. A copy of the NAIC's 2022 Report on the Cyber Insurance Market can be found here, with its discussions on cyber insurance, committee actions, and resources located here.

About the Author(s)

Stephen Lawton, Contributing Writer

Stephen Lawton is a veteran journalist and cybersecurity subject matter expert who has been covering cybersecurity and business continuity for more than 30 years. He was named a Global Top 25 Data Expert for 2023 and a Global Top 20 Cybersecurity Expert for 2022. Stephen spent more than a decade with SC Magazine/SC Media/CyberRisk Alliance, where he served as editorial director of the content lab. Earlier he was chief editor for several national and regional award-winning publications, including MicroTimes and Digital News & Review. Stephen is the founder and senior consultant of the media and technology firm AFAB Consulting LLC. You can reach him at [email protected].

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights