The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: while 2021 saw a 34% jump in premium pricing and prices rose 15% in 2022, increases were under 1% in 2023.
As noted by the Fitch Ratings report, “segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward.” While this is good news for enterprises looking to limit the impact of cybersecurity incidents, cyber insurance providers are concerned about the uncertain costs that come with fully covering companies if networks are breached or data is compromised.
The result? Words of warning from Warren Buffett: “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”
The problem for providers
Berkshire Hathaway is the sixth-largest provider of cyber insurance policies in the United States. And while current policies are profitable, Berkshire’s top executive Ajit Jain says that total cyber losses are often hard to pin down. “The aggregation potential can be huge,” he says. “And not being able to have a worst-case gap on it is what scares us.”
Consider recent news-making cyber incidents that led to companies worldwide facing millions (or billions) in outage costs. The scale and scope of these incidents create a potential problem for insurers. Depending on the terms of cyber insurance policies, payouts could end up significantly outpacing profitability.
Buffett’s concern is that insurance agents are rushing to sign up new commercial clients without conducting thorough cyber risk assessments, in turn putting providers in a precarious position if claims fall within the scope of policies and costs spiral out of control. He warns that even if policies have a relatively low $1 million limit, large-scale cyber events that affect hundreds or thousands of policies could cause serious problems. “You’ve written something that in no way we’re getting the proper price for,” says Buffett, “and could break the company.”
The challenge for companies
For companies, cyber insurance is now a must-have to combat the rising cost of breaches and ensure compliance with evolving government and private sector regulations.
As noted by Cybersecurity Dive, however, 80% of organizations have suffered a cyberattack that wasn’t fully covered by their policy. Research from CYE found that on average, cyber insurance policies fell $27.3 million short.
This shortfall is tied in part to growing lists of policy exclusions. For example, if an enterprise does not have the security controls its policy requires, or fails to meet the compliance expectations written into it, the insurer may deny a claim or treat the coverage as void, leaving the organization to absorb the full cost of the incident.
In much the same way that insurance agents are eager to sell policies, enterprises are eager to obtain coverage. As a result, both providers and purchasers may find themselves faced with an insurance gap, one that isn’t easy to quantify, track or manage.
Doubling down on due diligence
For enterprises to find effective coverage and insurers to reduce the risk of spiraling costs, both sides need to double down on due diligence.
Consider the case of organizations facing a sudden cloud outage. If the issue isn’t tied to a security breach, the costs may be covered under their general insurance, rather than requiring a separate cybersecurity policy. Understanding the difference between unexpected IT events and security-driven issues can help organizations address potential security shortcomings before they purchase new policies.
When it comes to cyber insurance providers, meanwhile, clarity is critical. During a recent White House summit, big tech, infrastructure and insurance providers met to discuss the challenge of creating a more secure business landscape. According to Cybersecurity Dive, three recommendations emerged from the event: insurers should state clearly which security standards they expect policyholders to meet, provide an actionable list of security practices and offer companies something in return, such as better terms, for adopting new behavioral and procedural standards.
Bottom line? There are challenges on both sides of cyber insurance. To reduce risk and minimize loss, providers and purchasers need to meet in the middle with policies that clearly spell out obligations and fully disclose payout policies.