Many insurance companies are jumping into the market for cyber insurance. It is a cutthroat business, with each insurance company trying to underbid the others or add protection features. The net result has been a flood of insurance products at low prices.
Why do I say the prices are low? We complete the security assessment questionnaires that our clients send us from insurance companies. The vast majority of insurance companies aren’t asking the right questions to accurately determine the cyber security risk of an attack by cyber criminals. Recent awards to cities around the country highlight the poor underwriting by the insurance companies. The Wall Street Journal today reported that the town of Lake City, Florida, paid $462,000 in ransom on June 17, 2019 to get its computers back online. The out-of-pocket expense for the town was only $10,000. Towns see cyber insurance as a way to avoid spending money on cyber security defenses.
Insurance companies that write cyber insurance policies that don’t force clients into good cyber security practices are almost certain to make large payouts. Cyber criminals know this. They have also figured out that commercial insurance sales to municipalities have included cyber coverage, so they can demand higher ransoms and get paid. As cyber insurance spreads to other business entities, look for the same trend in ransom demands for businesses. If your company is attacked and doesn’t have cyber insurance, the entire IT system is at risk: the cyber criminals will expect you to have insurance to support big payouts, so the ransom will be more than the business can afford.
Since the cyber insurance market is relatively small, most insurance carriers aren’t paying any attention to the mounting losses being generated by this type of insurance. When the insurance companies finally wake up, they will be out hundreds of millions of dollars and policy rates will rise substantially. The other thing that will happen is that the insurance carriers will get better at assessing cyber risk by asking the right questions, which will probably include some type of automated network scan and client-provided reports to verify that the answers being submitted are correct. The insurance industry will begin to treat cyber insurance like fire insurance, which has strict guidelines for compliance and the availability of insurance. This realization by the insurance industry is years away, so now is the time to buy cyber security insurance.
Ironically, the insurance industry is ultimately going to do something we in the IT industry have failed at for years: getting companies to invest enough in cyber security to protect their data.