Over the past six months, we have held numerous discussions with medium-sized organisations that would like to take out new cybersecurity insurance or adapt existing policies. The consistent message we have heard everywhere is that it is becoming increasingly difficult to obtain affordable policies at all. Many insurers now treat insurance against cybersecurity risks as a high-risk line of business. Consequently, many insurers are continuously tightening the conditions and requirements under which risks in this area can be insured.

We have derived the following core challenges from the above-mentioned discussions:

  1. Rising premiums and deductibles: Due to the increasing frequency and severity of cyber attacks, premiums and deductibles are rising. Companies must therefore expect higher costs for insurance cover.
  2. Stricter requirements for risk management practices: Insurers are placing increasingly stringent requirements on companies' cybersecurity practices. Among other things, this includes regular security audits, the implementation of state-of-the-art cybersecurity practices and proof of a robust technical security infrastructure.
  3. Adapting policies to new threats: As new cyber threats evolve, companies need to ensure that their insurance policies cover these risks. Adapting existing policies to provide protection against new types of attacks is challenging, or even impossible, if organisations cannot provide evidence of state-of-the-art security practices.
  4. Assessing your own risk profile: Organisations need to realistically assess their own risk profile to ensure adequate coverage. This includes assessing the probability and potential damage of cyber attacks. Our discussions showed in particular that many companies underestimate the risks – and do not consider themselves to be a worthwhile target.
  5. Negotiating with insurers: In a market characterised by rising demand and increasing risks, negotiations with insurers are becoming ever more challenging. Companies need to build up a strong negotiating position in order to receive an offer with appropriate conditions.

For companies that want to insure themselves against cybersecurity risks, the question arises: how should they deal with these challenges? We recommend proactively developing an awareness of your own risks even before the first discussions with potential insurers or brokers. The best way to do this is with a methodical approach to managing information security. The international standard ISO 27001 describes a management system for this and is well suited to addressing the challenges mentioned. With its risk-based approach, the points listed above can be addressed proactively – regardless of whether or not the organisation opts for formal certification. However, we believe that a certificate from an accredited certification body is likely to become a prerequisite for ensuring that cybersecurity risks remain insurable.

Is your company also facing the challenge of taking out appropriate insurance? We would be happy to arrange a free initial consultation on the subject of information security.
