WatchGuard Blog

The factors that determine the cost of cyber insurance

In our predictions, we highlight how cybersecurity will become a key area for insurers in 2022. According to experts, the seriousness of and growth in damages caused by cyberthreats raised the price of policies sharply in 2021. Given this situation, companies must be prepared either to take out new insurance at higher rates or to see the cost of their current policy rise.

But what elements determine the cost of cyber insurance for insurers? There are 5 key factors, both internal and external: 

1. Sector: some sectors are more prone to cyberattacks than others, such as public administrations, technology and healthcare. Apart from the number of cyberattacks suffered, insurers also take into account sectors where the associated costs are sizable, such as the financial sector. Therefore, if an organization belongs to any of these sectors, policies will be more expensive.

2. Size: although SMEs in general have more modest cybersecurity tools, the greater the number of devices, users and systems an organization has, the larger its threat surface and therefore the greater the possibility of being the victim of a cyberattack. Policies are tailored according to size and complexity.

3. Geographical and remote presence: operating from or having a workforce in different countries also multiplies the risks and usually requires implementing new layers of cybersecurity adapted to the context and local regulations, particularly in terms of data protection. The rise in remote working needs to be factored in too, as it extends the threat surface outside the organization's perimeter and requires VPNs. Policies are also adapted to cover these situations.

4. Company revenue determines the cost of coverage: company revenue can be a major element in determining the maximum amount of losses from a cyberattack that the insurer covers, and this significantly influences the cost of policies.

5. Types of coverage: organizations also tailor their policies according to the most frequent or dangerous risks they want to cover. Coverage against highly sophisticated cyberattacks, such as those by APT groups using living-off-the-land techniques, is more costly than coverage against more common threats, such as ransomware delivered through phishing with email as the entry vector, or credential theft and employee identity theft.

Nevertheless, insurers require organizations to have implemented a minimum level of cybersecurity tools before they can access their policies. This includes endpoint protection, which goes beyond more traditional antivirus solutions, and increasingly, multi-factor authentication (MFA), which is critical to protect the organization's accounts and credentials.

The reason is that most data breaches occur when cyber threat actors gain access to systems, either because passwords are too weak and lack an extra security layer or because the attackers manage to steal credentials.

Insurers are particularly concerned, as data breaches are among the costliest incidents for organizations (and therefore for them too, as they bear these costs). It is necessary not only to mitigate the damage of the breach itself but also, on some occasions, to pay the million-dollar fines that the authorities impose for lack of data protection diligence: for example, the £20 million fine that British Airways received for the data breach it suffered in 2020.

For these reasons, insurers, and also a growing number of corporate software vendors such as Salesforce, consider it imperative that organizations wishing to engage their services have a reliable and powerful MFA service in place to manage all their credentials and devices.

 
