Falling cyber insurance premiums as incentive for firms to foster better security cultures

Published: Fri 25 Oct 2024

Howden’s annual report published at the start of July found that cyber insurance premiums are decreasing, with the market seeing double-digit price reductions in the 2023/24 financial year.


Howden’s findings attribute this to businesses becoming more adept at limiting their losses from cybercrime.

Indeed, businesses are investing more in security posture and infrastructure, illustrated by the cost of cybercrime dropping despite incidences of cyber attacks continuing to increase. It is the businesses that choose to invest in continuous monitoring and controls that will be most successful in the fight against cybercrime in today’s evolving threat landscape.

Areas for broker focus

Falling insurance premiums suggest a growing standard of cyber preparedness amongst businesses – and brokers should remind clients of this. When evaluating firms applying for cyber insurance, it is apparent which customers are already engaging with cybersecurity and going above and beyond.

One clear green flag is businesses that are demonstrably working to reduce the risk of human error. Employee training is one of the most important aspects of fostering a sensible security culture – an EY survey from June found that 72 percent of Gen Z workers had clicked on ‘suspicious’ links at work, highlighting the necessity of educating employees.

Other key aspects to look out for include ongoing relationships with cybersecurity organisations and selectivity in the purchasing of security services, both of which demonstrate an understanding of cybersecurity.

Regular audits and assessments for security controls can also differentiate businesses that actively manage and evolve their risk profiles from those that treat cybersecurity as a box-ticking exercise. With the threat landscape rapidly evolving, companies need to conduct regular maintenance to be as protected as possible against ransomware attacks.

All this can help brokers gain an insight into a firm’s security culture, and understand which businesses are already focusing on security.

Security solutions are key

Another trend emerging in the UK is that more and more firms are looking to do more than just stay in line with the National Cyber Security Centre’s ‘cyber essentials’ – they are seeking to improve their overall cyber readiness.

In response to this trend, we have seen the rise of security solutions in the insurance market, combining cybersecurity with cyber insurance.

This will, in particular, help develop less mature markets where penetration rates are lower – Resilience estimates penetration in the EU mid-market space to be around 7 percent, compared to around 30 percent in the UK and US.

The evolution of new cybersecurity regulations, such as NIS2 and DORA in the EU, is also pushing businesses to improve their risk profile, and the increased accessibility of comprehensive cyber solutions will aid this.

Running simulations and scenarios is increasingly important

A further action for companies looking to continuously improve their security is to take a more proactive approach. Cyber insurance should influence companies to engage more with managing their cyber risk, and augmenting the security teams of clients is something insurers now strive to do.

In addition to coverage, insurers now also deliver expert guidance, artificial intelligence modelling with human-in-the-loop engagement, and cyber action plans to enhance the cyber risk profile of clients.

These all allow businesses to quantify their risk – a process that determines the likelihood and potential impact of a cyber attack in financial terms, supporting firms to more effectively allocate the appropriate resources to security controls and insurance coverage.

The fall in cyber insurance premiums means insurance and security controls are more accessible for the growing number of businesses looking to achieve robust cover. As firms build better security cultures and implement a comprehensive cyber risk strategy to proactively monitor and defend against threats, they will significantly increase their cyber resilience, which is fast emerging as the defining metric in today’s evolving cyber threat landscape.

Rehan Hussain is head of underwriting, UK and Europe at Resilience