What's driving the fluctuating costs of cyber liability insurance?

What's driving the fluctuating costs of cyber liability insurance?

Elaine Atwell and Aida Knežević by Elaine Atwell and Aida Knežević on

When you tell people you’re writing a piece on cybersecurity insurance, they tend to look at you with a mix of confusion and pity.

Even when you interview cyber insurance professionals, they preemptively apologize for boring you.

The truth is, cyber liability insurance – like any other kind of insurance – is pretty boring, right up until the point that the people who need it can’t get it. Then it becomes not only interesting, but vital. And that’s the point we’re approaching now.

In the past three years, the cost of cyber liability premiums hasn’t so much skyrocketed as it has teleported. In 2021, the cost of cyber insurance increased 25.5% year-over-year, making it the fastest growing premiums of all lines of insurance. 2022 was even worse, with rates doubling in the first quarter and increasing a further 79% in Q2.

As of 2024, these massive price jumps have stabilized somewhat, with increased competition in the market even leading to a decline in average premium costs – though prices still remain far higher than they were in 2021.

(A note on data: sources differ in the exact percentages of price changes depending on whether they’re studying U.S. or global markets, or new versus renewed policies, but they all tell the same basic story.)

If you’re looking at your own cyber insurance policy and scratching your head (or pulling out your hair), you likely have three questions:

  1. What is causing cybersecurity insurance costs to fluctuate so dramatically?

  2. Do I really need cyber insurance or can I go without it?

  3. What can I do to reduce my cyber liability premiums?

Let’s try and answer all three.

Why is cybersecurity insurance so expensive now?

There’s a simple and a complicated answer to this question.

As far as why premiums rose so sharply in recent years, you could probably figure out the simple answer on your own: cyber insurance costs more now because of the huge rise in data breaches and hacks in the post-COVID world. When the pandemic hit and employees started working remotely en masse, it created a cybersecurity crisis. Workers accessed sensitive data on their personal, unmanaged devices and outside the protection of the company VPN, and bad actors seized on the chance to launch a campaign of phishing, ransomware, and other cybercrime attacks that targeted vulnerable employees on vulnerable devices.

All these breaches created a tidal wave of insurance claims that threatened the profitability of the entire field. The Information reported that “collectively, insurers' payouts to customers nearly exceeded the amount they collect via premiums.” In response, insurers not only jacked up prices, they instituted much tougher underwriting requirements (more on that later), and trimmed what their policies would cover.

In general, it’s not hard to understand why Warren Buffet warned against cyber insurance as an investment option, given the field’s continuous change and potential for loss at a major scale. The massive outages of summer 2024 are just one example of the kind of unprecedented events that cyber insurance companies have to contend with.

The more complicated answer to our original question is that companies themselves helped create this crisis by investing more in insurance than they did in actual security. As far back as 2017, AT&T named “overreliance on cyber insurance” as one of its three chief cybersecurity concerns. According to their report: “Nearly 3 in 10 survey respondents (28%) plan to allocate all or most of their cybersecurity budget to insurance in anticipation of future incidents. "

That’s not to say that every company is to blame for its own misfortunes. In insurance, a few irresponsible actors and careless underwriters can drive premiums up for everyone.

Finally, some of these premium increases over the last few years are probably just normal price corrections, since the concept of cyber insurance is still quite new (some date the first policy to 1997.) “When cyber liability insurance entered the marketplace, it was kind of an unknown,” says Andrew Bucci, VP of Sales at Amplified Insurance Partners. “It was a new product and I don’t think the underwriters really knew how to price it.”

Do I need cyber liability insurance?

The question everyone asks when insurance gets too expensive is: can I go without it? Unfortunately, if you digitally store sensitive customer data and/or payment information (so if you run anything more complicated than a lemonade stand) then you probably need a policy.

We’re not here to sell you cyber insurance, and plenty of small businesses still go without it, but hackers are increasingly targeting SMBs, so you can’t automatically assume you’re too small to be a target.

These days, a data breach costs businesses an average of $4.88 million (a 10% increase from the year before). That could put a small company out of business if they lacked insurance. And beyond a simple payout, cyber insurance providers often help companies hire forensic experts to recover data, negotiate with ransomware attackers, and inform customers of a breach.

Still, you can tailor your cyber insurance coverage to your budget and risk level. Standalone policies typically provide more coverage and assistance in the aftermath of a breach, but if you’re not in a particularly vulnerable industry (such as healthcare), you can likely buy insurance as part of a larger business policy. This is common even in large organizations. According to Forrester’s report, The State of Cyber Insurance, 2023, 84% of enterprise decision-makers have cyber insurance, but only 26% report having a standalone cyber insurance policy.

Furthermore, according to The Information, some major enterprises with expensive policies are exploring alternative forms of insurance. “In some cases, companies set up a captive insurer, an arrangement in which a company uses its capital to create an insurer whose only customer is the company.”

Small businesses, on the other hand, don’t have such exotic options for going without traditional cyber insurance. Bucci acknowledges the tough position businesses are in when insurance becomes truly unaffordable: “It’s going to come to a point where some people may have to self-insure, which means that they don’t take a cyber policy out and they just cross their fingers they don’t have some sort of breach.” In fact, as of late 2023, only 17% of small businesses were found to have cyber insurance at all.

How much does cybersecurity cost?

Beyond the broader shifts in cyber insurance costs, premiums will also depend on several variables, so it’s tough to come up with an “average cost.” But there are a few factors that can drive the cost of a policy up or down.

Your industry

Certain industries are subject to higher premiums because they are more susceptible to threats. Hospitals, for example, are a major target of ransomware attacks because they store sensitive patient data and will often choose to pay ransoms rather than risk their patients' lives by going offline.

“Healthcare businesses see substantial premiums. Because if they get hacked and one HIPAA-protected record gets into the wrong hands, that’s going to be detrimental,” Bucci explains. “So you need a standalone cyber policy that’s going to include coverage for social engineering and ransomware.”

On top of that, if you file a claim, “You’re going to need an experienced resource to come in and do forensics. And you will also need a policy that’s going to pay to alert the individuals whose records have been breached, which typically costs $150 to $200 per notification.”

Some industries are considered so vulnerable that carriers may refuse to cover them at all. Dan Garcia-Diaz, managing director of the U.S. Government Accounting Office (GAO), told CNBC that “one insurer reported that it opted not to insure the energy sector because of its vulnerability to attacks and because of concerns that energy operators do not follow robust cyber security protocols.”

Revenue

Your revenue plays a key role in how much you end up paying for your premium because insurance providers use revenue for the rating basis. If the provider’s rate is $15 per $1000 in revenue, and your projected revenue is $900K, then your premium will be $13.5K.

“When you have $500K in revenue, you can get a $1 million or $2 million policy for much cheaper versus when you have $5 million in revenue,” explains Joe Morrison of Collard Advisory Group.

History of breaches

Unsurprisingly, insurance carriers tend to charge more if you’ve been breached in the past. But the correlation isn’t necessarily as strong as you might think, depending on how your company responded to the breach.

Says Bucci: “It’s always going to be a question on your application, but it’s not the end-all, be-all. Maybe you were breached, but the claim was never paid out because you got the breach under control. What it’s really going to come down to is what protections you have in place to keep a breach from happening again.”

That brings us to the next factor.

Cybersecurity assessment

The evaluation of your security system and protocols is a critical step in the underwriting process.

Typically, the insurance provider will require you to fill out a lengthy questionnaire that asks security-related questions. For example, you might need to provide information on your backup and recovery procedures.

Most of the questions will be familiar to anyone who has gone through SOC 2 certification.

Here’s a (non-exhaustive) sampler from a questionnaire we reviewed:

  • Do you have third party software to protect your network such as antivirus and firewalls?

  • Do you have an incident response plan in the event of a breach?

  • Do you conduct an annual review and test of all your system backup and recovery procedures?

  • Do you store health information?

  • Do you store payment information?

  • Do you use any software or hardware past its end of life date?

  • Do you implement all required software updates for known vulnerabilities?

When going through the cybersecurity assessment, it’s important to be honest, or you risk shooting yourself in the foot later on. “Let’s say that a company states it has a security measure in place and then a claim happens. When the insurance provider comes to investigate, and if the company said it had multifactor authentication but didn’t, the insurer can deny the claim,” says Bucci.

Also, it’s important to recognize the limits of your policy. Fortinet explains that cyber insurance policies “often exclude issues that were preventable or caused by human error or negligence.” They name poor security, insider attacks, and breaches arising from previously known vulnerabilities as examples of issues that can get your claim denied.

How can you reduce cyber liability insurance costs?

It’s easy to feel helpless in the face of rising insurance costs, but there are ways to negotiate for a better rate.

If you’re shopping for a new cyber liability insurance policy or renewing an existing one, the following tips can help you pay less.

Shop around

The insurance marketplace changes, so if you’ve been renewing your policy with the same company and their prices keep increasing, your broker can help you re-negotiate a more favorable rate. Bucci recommends brokers shop rates out every three years to multiple companies, which will help you pay less for similar coverage.

Bolster your cybersecurity measures

Improving your company’s security is the best way to ensure that coverage remains accessible and affordable for everyone, and that your claim is actually approved in the event of a breach. In fact, the average fall in costs through 2024 has been at least partially attributed to the many businesses that improved their security practices.

According to Bucci, some insurance providers now require customers to have multifactor authentication (MFA) to protect against phishing and other credential-based attacks. That’s just one in the growing number of requirements and exemptions to insurance policies, which have left many companies not receiving the coverage they were relying on.

The cyber insurance company Coalition recommends creating backups of critical data that you can use to avoid paying the ransom in a ransomware attack. Likewise, they advise keeping up-to-date on patching of both servers and employee devices, to protect against known vulnerabilities.

Investing in security for your insurance provider is time-consuming and expensive, but it may actually protect you from a breach. According to Forrester, companies with standalone cyber insurance policies were the least likely to report a breach in the last 12 months. Granted, this is a small dataset, but it speaks to the larger value of taking security seriously.

A graph from Forrester that asks how many times do you estimate that your organization's sensitive data was potentially compromised or breached in the last 12 months.

About 1Password

At 1Password, we’re a security company, not an insurance company, so we can only talk about rising premiums as observers (and customers). But we have observed that insurance costs seem to be one of the factors driving interest in our product and in security more broadly. The same circumstances that drove up cyber attacks and insurance premiums are also driving interest in Zero Trust security, and in our subset of it: extended access management.

1Password Extended Access Management’s device trust solution reduces the likelihood of a breach by ensuring that only secure devices access company resources. And since nearly half of companies still allow unmanaged devices to access their apps, we have a rather large hole to fill.

A graph from our Shadow IT report asking about managed devices.

In addition, our enterprise password manager (EPM) helps guard against credential-based attacks, which are the leading cause of breaches, year after year.

If you’re looking for more peace of mind in a world full of cyber risks, read more here about our security solutions.

Elaine Atwell and Aida Knežević - Elaine Atwell and Aida Knežević -

Tweet about this post