With enough claims under the belts of insurance companies covering data ransoms, data theft, and other types of cyberattack, the risk appears to be shifting somewhat back to the policyholder.
Let me make this clear: insurance companies are in business to stay in business. Sure, they’re willing to take on a certain amount of risk in issuing cyberattack policies, but at the end of the day, they’re more a cushion for your organization’s “cyber-fall” than a safety net.
The business of insuring organizations against cyberattack has traveled down an interesting path over the last few years. From denials of claims due to being seen as an act of war (as in the case of Mondelez International), to the massive increases in ransomware demands and attack sophistication, it’s evident that insurers are gaining a solid understanding of how much they can – and can’t – predict about cyberattacks. The result is an increase in premiums – as high as 25% – according to Robert Parisi, U.S. cyber product leader at Marsh & McLennan Companies Inc.
With the ransom demands increasing beyond what’s reasonable, insurers like Allianz – according to Kelly Castriotta, Allianz North American’s head of product development for financial lines – are now even looking to separate out ransomware as a separate cyber product from all other attacks. And insurers like Sompo International are looking at the possibility of 20-30% “coinsurance” payments to offset the insurer’s payouts.
Like I said: insurers are intent on staying in business, so organizations need to shift their focus from seeing cyber-insurance as a catchall, and instead look to put solid security practices such as Security Awareness Training in place that shore up the organization’s ability to fend off cyberattack well before someone needs to pick up the phone and call in a claim.