Recent attacks are helping cyber insurers better understand what security strategies need to be in place and how to price policies based on the risk those policies cover.

Remember, insurance companies of all kinds are in business to stay in business. That means that while they are willing to share the risk with your organization, they’re not in the business of just paying out on a claim without a fight. And because that’s not a good look for cyber insurers, it makes more sense for them to be proactive and do one or more of the following:

  • Help to reduce the risk of attack by establishing what cyber defenses must be in place
  • Price policies across the board correctly so there’s enough revenue coming in to cover the percentage of claims that should be paid
  • Limit what attack scenarios are covered – sometimes in specific down to the kind of attack, the role of the attacker, the role of internal employees in the attack, etc.

According to a recent Wall Street Journal article on the subject, cyber insurers are getting really smart at limiting their risk. With premiums rising by 92% in 2021, according to reinsurance company Swiss Re, the focus now is on the impact an attack could have on, say, a supplier that could impact millions of people, evaluating which cloud providers the insured use, and possibly requiring insureds to hold capital in reserve for worst-case scenarios.

In other words, cyber insurers are better understanding the nature of cyber risk. While news of premiums hiking significantly isn’t pleasing, in the end, it may be a necessary step until there’s enough significant data on attacks for insurers to determine what the risk reality looks like.

Until then, it’s up to organizations to continue to put up strong cyber defenses designed to keep attackers from succeeding – something that should include Security Awareness Training as part of the strategy.