About the author

Christine Young

Managing Consultant | Advisory

Christine Young joined Thomas Murray’s Advisory team in 2022, after 30 years in the asset servicing sector. Her previous role was at BNY Mellon, where Christine was responsible for the risk and regulatory control function in the asset servicing business, having led the development of the control framework for the business. She has also held roles in sales, corporate development and relationship management. Christine has both legal and accounting qualifications, and extensive experience in working on multi-discipline projects in global jurisdictions.

The cyber insurance market has grown rapidly over the last few years, and it’s not done yet. By some forecasts, the global market will grow from US$12.83bn in 2022 to US$63.62bn by 2029.

It seems clear that cyber insurance is here to stay. But to meet these high growth expectations, the market will first need to overcome the resistance to it that has started to surface – largely because of its skyrocketing premiums.

The accelerated move to remote working from 2019 coincided with a spike in the number of insurance claims for ransomware attacks.

But this has meant that organisations renewing their cyber policies now have been shocked by the huge increase in premiums – if, that is, they can get coverage at all.

The international Council of Insurance Agents and Brokers, for example, says that cyber insurance premiums went up 28% on average in the first quarter of 2022 compared with the last quarter of 2021. Insurers argue that prices are still finding their level, and that increases were inevitable because these policies made losses in 2018 and 2019.

This is hugely unwelcome news for policyholders, as is the fact that insurers are also making it tougher to get coverage. Those shopping for cyber insurance now will find more exclusions, fewer coverage options, and demands for higher standards of cyber security.

One insurance firm won’t offer cover to the energy sector, citing its vulnerability to cyber attacks and its weak defences. Many firms, particularly those with cyber insurance coverage built-in to a broader policy, have found that securing an insurance pay-out in the wake of an attack is either difficult or impossible.

Ties that bind

Apart from financial protection, insurers argue that part of the value of their cyber policies comes from the incident response (IR) services provided (like data recovery, legal advice and ransomware negotiations with cyber criminals). But this may not be as attractive as insurers think it is:

  • Organisations with their own IR experts and mature IT security plans are likely to feel hesitant, to put it mildly, about having to rely on an insurer’s preferred IR providers.
  • Some institutions have decided it’s more cost-effective and efficient to contract directly with IR teams than to pay ever-growing insurance premiums.

As frustrated as organisations may be with their cyber insurance providers, however, reports of the market’s demise are much exaggerated. In the face of escalating and ever-evolving cyber risk, organisations are finding that their clients, stakeholders, suppliers and partners require them to have at least some form of cyber insurance.

The best defence

Of course, by the time the insurers are called in the worst has already happened. The main focus of your efforts should therefore be on protecting your organisation from cyber risk. At Thomas Murray, we have 30 years’ experience working in the world’s most complex sectors. We combine that knowledge with our award-winning cyber security technology to help you identify, measure and reduce your cyber risk exposure.

Talk to us to find out more about what we can do for you.