Cyber Insurance: Why are companies getting rejected? And how to get accepted

If you are operating as a business in 2022 without cybersecurity insurance, you could potentially be leaving yourself open to huge ramifications if a breach should occur. Cyber insurance is part of a sensible integrated cybersecurity approach, but it is also important to remember that cyber insurance alone does not reduce your cyber risk. However, as we see increased rates of cyberattacks, businesses are finding it harder and harder to be accepted by insurance companies. Why? 

Cyber insurance will help your company get back on the right track in the event of a cyber-related attack. Not only does cyber insurance help alleviate financial damage in the event of a cyber breach, it can also help minimise business disruption, with legal issues, and regulation thereafter. However, a recent government survey reveals that only 32% of businesses report being insured against cyberattacks, with even tiny businesses seeing cyber incidents costing over £3,000 in damages.

And as most industries and organisations go remote and all-digital post-pandemic, we have seen an increase in cyberattacks. For instance, emails containing malicious malware has skyrocketed by 600%, with the global cost of cyber breaches set to hit $10.5 trillion by 2025. As a result, the cyber insurance market is also expected to reach $20.6 billion by 2025 to combat this.  

Not only do companies have to prove security maturity to cyber insurance agencies, they are also re-assessed every 12 months to ensure their protocols remain up to date. So, why are so many companies being rejected for cyber insurance? 

What does cyber insurance cover? 

Before we get to why companies are rejected for insurance, let us break down what cyber insurance is. There are usually two types of cybersecurity insurance policies available to organisations.  

The primary one is called ‘First-party’ coverage and covers your company from expenses related to data breaches or hacks. The secondary one is called ‘Third-party’ coverage and provides protection when a customer, vendor, or partner sues you for allowing a data breach.  

You can elect to have one or both coverages in your policy. 

Why is cyber insurance important? 

Businesses that create, store, manage, and handle any data electronically should investigate applying for cyber insurance. If your company is dependent on said data to generate sales and revenue, it is even more important to apply for cyber insurance, as it can help in the case of any downtime after a hack.  

To show why cyber security insurance is so important, let us use some examples. Soon after Sony launched the PlayStation 3, their online network was breached by hackers who exposed information relating to 77 million user accounts as well as taking the service down for 23 days. This hack cost Sony $178 million in lost profits and resulted in a class action lawsuit brought against them for $2 billion! Unfortunately for Sony, their insurance policy only covered physical property damage, not cyber damages. Sony’s insurer argued that Sony’s policy did not cover cyber breaches. This hack had huge ramifications for the company moving forward. Namely, increasing their security measures and igniting their need for true cyber insurance. 

In 2017, Equifax, a credit reporting agency suffered a data breach concerning 147 million consumers. As a result, Equifax agreed to pay $700 million to the US FTC (Federal Trade Commission) to cover reimbursements, identity theft recovery, restoration services, and their inability to secure 147 million records. Equifax did have a cyber insurance policy in place and maintained $125 million of cybersecurity insurance coverage, above a $7.5 million deductible. However, this did not help with ballooning costs because of damage claims and continued identity theft recovery for victims in both the US and UK. Whilst Equifax received financial support, they did not demonstrate a high enough level of cyber security measures for a maximum pay-out.  

The UK alone saw a 31% increase in cybercrime during the height of the pandemic between 2020 and 2021. Data from Hiscox revealed that businesses with 50 to 249 employees see an average cost of £150,000, whilst companies with 250 to 999 employees see an average cost of £520,000. 

The examples above show that half measures lead to full fallout. The more secure and robust your cyber culture and policies, the more likely you are to qualify for insurance and the smaller the impact will be from a potential hack/breach. According to Spiceworks data, 38% of organisations are now covered with some sort of cyber insurance plan, with 71% of them purchasing a policy for precautionary reasons and ‘peace of mind’.  

Why are companies rejected for cyber insurance? 

The rate and number of cyberattacks is increasing exponentially and globally. Cyber insurance companies have hardened the market as a result. They have done this by increasing premiums by as much as 100% with PwC revealing that cyber insurance premiums grew from $2.5 billion in 2014 to $7.5 billion in 2020. Insurance companies are also making it far harder for clients to qualify for coverage. 

So, let us look at the main reasons companies are rejected by insurance companies: 

1. Low level of cybersecurity awareness and training 

95% of security breaches are caused by human error (see The Insider article on: How do we safeguard against human error). In cybersecurity, human error refers to anything from clicking a dodgy link to inadvertently downloading malware or using weak passwords (see The Insider article on: why do people use weak passwords?). It is fine having the most secure and expensive security hardware and software in place … none of this will matter if your employees are not behaving securely. It, therefore, is not surprising that companies with poor levels of cybersecurity awareness and training are struggling to qualify for cyber insurance. Your company must be able to prove that employees have been comprehensively trained.  

2. Weak supply chain/third party protocols 

Companies also need to be aware that the status of their supply chain line and third-party relationships are vital in their bid for cyber insurance. If a company is truly trying to protect itself from cybersecurity attacks, the level of security inside your organisation will also be replicated outside of it. Cyber attackers target companies via their contractors and third-party providers to access internal systems and confidential data. If the cybersecurity of your supply chain is not up to standard, your insurance claim will not be successful. 

3. Overlooked endpoint security 

To qualify for cyber insurance, companies must show that their security plan is holistic and with good coverage. This means implementing healthy endpoint security. Endpoint security refers to the process of protecting IoT (Internet of Things) devices such as desktops, laptops mobiles and tablets from cyber threats and attacks. Endpoint security software protects employees when they are connected to online networks and cloud services. If your company has not implemented smart endpoint security with subsequent incident response protocols, you will have your insurance claim denied.  

4. No preventative security campaign or culture 

Stating the obvious; if your company has no preventative security measures in place or fails to demonstrate the existence of any security training, you will have your insurance claim denied. This does not mean your company needs to internally build a whole new security plan. You can also demonstrate preventative security measures through third-party security awareness providers and training. Once again, if you have no security plan in place, it simply is not worth a cyber insurance company’s time to work with your organisation, as the risks far outweigh the benefits of the relationship. 

5. Inability to prove existence of a security culture 

The most frustrating reason companies are rejected by cyber insurance agencies is their inability to demonstrate that security measures are actually in place and being followed. When assessing your claim, insurance agencies will request evidence to prove that networks are sufficiently protected, and employees are aware of threats and risks in the cyber space. Unfortunately, many companies fail to do this because they are either operating internally and not aware of the ever-changing threats in the cyber space, or do not have a mechanism in place to quantify employee security awareness. Cybersecurity awareness companies like TSC (The Security Company) that work with organisations to build a security culture can provide detailed assessment reports and research surveys to highlight the security strength of a workforce. 

In Conclusion 

In the past, company directors very much saw cyber insurance as the go-to solution in the event of a wide-ranging cyberattack. This is because cyber insurance was cheap and easy to qualify for. However, as cyber threats and attack surfaces expand and innovate, the quest to qualify for insurance has become extremely difficult and extensive.  

A worrying report by Hiscox revealed that by 2019, cyber losses had hit over $1.8 billion a year and looked on course for a 50% year-on-year increase. They were not wrong! If you are desperate to avoid more financial issues in an already tumultuous economy, cyber insurance is a good safety blanket to fall back on. 

If you need to establish a security culture, refresh security behaviours, or simply find a comprehensive way to assess the level of maturity in your organisation to qualify for insurance, working with TSC’s awareness and culture experts can help you achieve this. We have been helping organisations hone their human security for over 20 years and can help provide awareness and training products/services to help better your security culture.  

If you would like more information about how The Security Company can help your security culture and raise awareness levels, please contact Jenny Mandley.