August 30, 2024 By Doug Bonderud 3 min read

The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: premium pricing jumped 34% in 2021 and rose a further 15% in 2022, but increases were under 1% in 2023.

As noted by the Fitch Ratings report, “segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward.” Flat pricing is good news for enterprises buying coverage to limit the financial impact of cybersecurity incidents, but it leaves cyber insurance providers worried about the uncertain costs of fully covering companies whose networks are breached or whose data is compromised.

The result? Words of warning from Warren Buffett: “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”

The problem for providers

Berkshire Hathaway is the sixth-largest provider of cyber insurance policies in the United States. And while current policies are profitable, Berkshire’s top executive Ajit Jain says that total cyber losses are often hard to pin down. “The aggregation potential can be huge,” he says. “And not being able to have a worst-case gap on it is what scares us.”

Consider the recent news-making cyber incidents that left companies worldwide facing millions (or billions) of dollars in outage costs. The scale and scope of such incidents create a potential problem for insurers: depending on the terms of the policies involved, payouts could end up significantly outpacing profitability.

Buffett’s concern is that insurance agents are rushing to sign up new commercial clients without conducting thorough cyber risk assessments, in turn putting providers in a precarious position if claims fall within the scope of policies and costs spiral out of control. He warns that even if policies have a relatively low $1 million limit, large-scale cyber events that affect hundreds or thousands of policies could cause serious problems. “You’ve written something that in no way we’re getting the proper price for,” says Buffett, “and could break the company.”

The challenge for companies

For companies, cyber insurance is now a must-have to combat the rising cost of breaches and ensure compliance with evolving government and private sector regulations.

As noted by Cybersecurity Dive, however, 80% of organizations have suffered a cyberattack that wasn’t fully covered by their policy. Research from CYE found that on average, cyber insurance policies fell $27.3 million short.

This shortfall is tied in part to growing lists of policy exclusions. For example, if an enterprise lacks the security controls a policy requires, or fails to meet the compliance expectations written into it, the insurer may deny the claim or treat the coverage as void.

In much the same way that insurance agents are eager to sell policies, enterprises are eager to obtain coverage. As a result, both providers and purchasers may find themselves faced with an insurance gap, one that isn’t easy to quantify, track or manage.

Doubling down on due diligence

For enterprises to find effective coverage and insurers to reduce the risk of spiraling costs, both sides need to double down on due diligence.

Consider an organization hit by a sudden cloud outage. If the outage is not tied to a security breach, the costs may be covered under its general insurance rather than requiring a separate cyber policy, although that depends on the exclusions written into each one. Understanding the difference between unexpected IT events and security-driven incidents helps organizations address potential security shortcomings before they purchase new policies, and helps them know which policy a given loss falls under.

When it comes to cyber insurance providers, meanwhile, clarity is critical. During a recent White House summit, big tech, infrastructure and insurance providers met to discuss the challenge of creating a more secure business landscape. According to Cybersecurity Dive, three recommendations emerged from the event: insurers should state their security expectations clearly, provide an actionable list of security practices, and offer companies something in return for adopting new behavioral and procedural standards.

Bottom line? There are challenges on both sides of cyber insurance. To reduce risk and minimize loss, providers and purchasers need to meet in the middle with policies that clearly spell out obligations and fully disclose payout policies.
