As cyber risk intensifies, insurers must offer a better market to companies in need of protection
From rising inflation to Russia’s invasion of Ukraine, this year has yet again demonstrated the domino effect that occurs following a crisis, and the impact this has on businesses. There are many lessons to be learned as we move into the new year.
If we take the war in Ukraine, the geopolitical crisis triggered sanctions against businesses operating in Russia, vast increases in operating and energy costs, disruptions to supply chains and immense financial losses for businesses across the globe, as well as putting businesses at increased risk of cyber-attack.
Businesses are operating at a time of heightened exposure to cyber-attack, with an increase in concern around cyber warfare and information security systems. This is especially true in sectors that underpin critical UK infrastructures such as aviation, transport, IT and telecoms and finance.
We surveyed businesses and found that, across all sectors, 79 per cent of respondents have experienced a cyber-attack this year, with 50 per cent of those attacks resulting in a loss of data or revenue. These attacks can devastate companies, leading to data breaches, severe disruptions to day-to-day operations, lost income and vast financial costs to investigate and reinstate systems. The key change in 2022 has been that practically no one is safe: hackers are now casting their nets far wider than traditional “target” sectors like finance.
One reason behind this increase is the retention of working from home practices as a result of the pandemic. Remote working increased vulnerability and exposure to cyber-attack, making security more challenging to coordinate across more devices, locations and communications platforms, coming at the same time as a sharp increase in hacker activity.
Businesses aren’t naïve to this, and, despite its limitations, cyber insurance is a key defence. In our survey, we found that 77 per cent of companies believe their insurance covers them at least partially against the risk of cyber-attacks, a marked improvement on our previous survey in 2018, when only 30 per cent of large businesses had cyber-specific cover in place.
But there are issues with the quality and affordability of this insurance. At a time of increased cyber vulnerability and when companies can ill afford disruption, the cost of cyber insurance has rocketed while the protection on offer has often been severely eroded.
Many policies now include more and wider exclusions, or have narrower definitions of cover and less available incident response support. The most vulnerable businesses can find some types of cover simply unavailable to them, such as for ransomware or the costs of their own IT disruption. This raises serious questions about the corporate insurance model: just when protection is most needed, it’s much harder to obtain.
For businesses looking to protect themselves from cyber threats, the landscape is tough. We’re witnessing premiums increasing and cover decreasing, characteristics of a ‘hard market’ in the insurance industry that is now the longest on record, extended by current economic uncertainty. According to Marsh’s insurance pricing index, UK cyber insurance pricing increased 66 per cent in the third quarter of 2022, following a peak increase of 102 per cent year-over-year in the first quarter. It’s rising far faster in the UK than any other market with an average premium cost that is now four times what it was in 2018.
This leaves businesses having to make difficult choices about where to spend their money, creating a trade-off between investing in IT security vs. investing in insurance protection in case that security fails. This should not be an either/or decision: insurance has a key role to play in protecting businesses against unforeseeable or unprotectable events, and in helping foster best practices in preventative security and incident response.
Instead of stepping up to help businesses across the UK facing an ever-increasing cyber threat, the insurance industry’s response has been characterised by increasing prices ahead of anticipated losses. Instead, insurance providers should be building a deeper understanding of clients’ risk and providing last resort support.
With 2023 around the corner and the increasing threat of cyber-attack prevalent, businesses may find themselves between a rock and a hard place as they scramble for the right protection, and fast. Insurers need to avoid a situation where inaccessibly expensive and inappropriate cover helps push businesses even closer to the cliff edge – as cyber risk is not going away any time soon.