4 Key Thoughts on Cyber Insurance for SMEs

Virus infections and cyber attacks are becoming increasingly dangerous and costly. As a result, cyber insurance companies carefully assess their clients, requiring a higher standard of security technology and policy compliance for qualification, and modify their prices accordingly.

Canada is the third most expensive country by the average total cost of a data breach, as the average cost of a data breach here was $6.75 million per incident in 2021. And the response from cyber insurance providers is very likely to match the increasing costs so they can become profitable again — just in the first half of 2021, the loss ratio for cyber liability was nearly 113%. 

The market needs cash to cover the loss, and providers have already lowered coverage limits while increasing premiums. Moreover, cyber insurance providers now require robust cybersecurity systems for an organisation to qualify for insurance to reduce the risk even further. 

Every company that uses the internet should consider purchasing cyber insurance, but navigating cyber insurance qualifications can quickly turn what should be a straightforward process into a complicated rush to meet requirements. 

We've been watching this trend for over a year and have identified four common themes to be considered when making your organisation cyber insurance-ready as insurers clampdown.

1. Qualification requirements

Most cyber insurance providers use comprehensive compliance checklists to inventory an organisation’s technology environment. 

What cyber insurers usually evaluate: 

• Firewalls and anti-virus 
• User training 
• Secure connections
• Technology configuration 
• Business policies and procedures that aim to prevent breaches and dictate your response to violations 

Non-compliance with the requirements attracts higher premiums, coinsurance, and even your organisation’s eligibility for coverage, depending on its software and systems vulnerability. 

2. Premiums will continue to go up 

The number of ransomware attacks surges forward, and the average ransomware payment for Canadian firms gets closer to $500,000. Therefore, organisations can expect premiums to grow accordingly. Rate adjustments can go anywhere between 100% and even 300% for companies and organisations with low compliance scores — in the US, some public organisations saw a premium increase of over 330%. 

Besides the compliance score, other factors that can further influence cyber insurance premiums are: 

• Your industry — tech, finance, fintech, and healthcare companies - are more likely to be targets of cyberattacks, and they should expect to pay more. 
• Your work-from-home policy — hybrid and remote workplaces are more likely to become victims of a cyberattack, directly impacting the premium.
• The company’s size — the higher the number of devices in your systems’ environment, the greater the risk of having vulnerable terminals that can expose your organisation to risk. 
• The company’s revenue — the higher your possible loss from a cyberattack, the higher the cyber insurance premium. 

The type of policy you opt for and how much protection you want will also influence the value of the premium. 

3. Cyber insurance coverage has gone down 

Organisations will pay more for cyber insurance, but it doesn’t mean they get more value for money. Many cyber insurance providers have lowered their coverage to ensure they remain profitable. This measure, too, is a way to counter the continuously growing value of average ransomware payments and other costs associated with data breaches and cyberattacks.

Moreover, many cyber insurers will tie coverage to the compliance score to protect themselves. Therefore, if your provider considers your cyber risk high, you can expect a lower coverage value.

Depending on how much protection you want, cyber insurance can cover: 

• Expenses caused by business interruption. 
• Regulatory investigations and legal fees.
• Lost income and related financial losses.
• Coverage for data subjects whose sensitive information was leaked.

Cyber insurance will rarely cover paid ransom after a ransomware attack, and more and more cyber insurance providers might rethink ransom coverage.

4. Clients can pay a portion of damages

Cyber insurance carriers establish a value on the amount of any damages that the policyholder will pay — similar to a deductible. This way, insurers reduce their risk and could even lower insurance costs in some cases, but it might also mean you should expect to pay more if you fall victim to a cyberattack.

Further, most companies can’t afford to hold reserve cash required to accommodate a security breach or a deductible, so a series of considerations should be made before opting for such a policy.   

Should your company be cyber insurance-ready?

Considering that cyber insurance providers qualify organisations before agreeing to sell them a cyber insurance policy, the limitations described above become the ideal situation. On the opposite side, you can find yourself in the impossibility of getting insurance, which puts you and sometimes your business partners at high risk.  

The frequency of cyberattacks is growing, and without insurance, your company might not be able to cover expenses caused by data breaches and cybercrimes. 

Here’s why: 

• The cost of exposure is enormous. Average ransomware demands surged by 518% in 2021, and extortions are expected to reach significantly higher proportions in the following years. 
• Business interruption costs following a ransomware attack are also getting higher. The average recovery cost went from $761,106 in 2020 to $1.85 million in 2021, and statistics show that your business has few chances to get back all its data after such an incident. 
• The risk doesn't stop at your door. Your liability can extend to any organisation affected by a breach within your environment. You could put partners, vendors, and financial institutions at risk, and they’re in their right to claim damages if there’s any doubt that your company hasn’t done enough to prevent or contain a security breach. 

What can an organisation do? 

The goal is to secure a low-cost cyber insurance policy, so you'll need to make your company "insurable" by convincing insurers that you're aware of the risks and are working to mitigate them.

Before contracting an insurance provider, you must identify and solve your weaknesses to lessen fees and deductibles.

You can't repair a problem unless you understand how serious it is and how it affects your business. To guarantee that your organisation follows cybersecurity standards, begin with a pre-audit of your technological environment and security policies.

You can also start creating a security roadmap with this audit. While security technology might be costly, it's critical to address high-risk vulnerabilities and budget for future expenses to reduce exposure and secure your business.

Ready to make your organisation cyber insurance ready? Start with our Insurance Readiness Checklist!