Cyber risk - To buy insurance or self-insure?

As cyber risk has soared up the boardroom agenda - 91% of UK CEOs see cyber threats as a top concern, according to our 24th annual CEO Survey - so has cyber insurance as a way to finance and mitigate this risk. But challenging insurance market conditions are making it harder than ever to secure appropriate and affordable cover and some organisations are choosing to consider alternative options such as self-insurance.

However, the decision on whether to buy cyber insurance or to self-insure is a challenging one and should be taken with knowledge of the pros and cons of each option.

A higher underwriting bar for cyber insurance

Cyber insurance provides financial protection from losses or damage caused by cyber attacks and data breaches. But it can also provide valuable and practical hands-on specialist support required to respond and deal with an incident or crisis.

The worldwide cyber insurance market writes approximately $7-8bn in premiums per year and is expected to grow significantly over the next 5-10 years. However, this growth may be tempered if the current trend of some insurers withdrawing capacity or applying more onerous policy terms continues.

There are stories aplenty of organisations facing two-fold, three-fold and even six-fold increases on previous cyber insurance premium quotes. But it is not only premiums that insurers are reviewing - at times they are seeking to change policy terms or exclusions, or apply a mix of higher deductibles, lower limits and use of sublimits and coinsurance.

From the insurer perspective, the fast-increasing frequency of ransomware attacks (and the growing associated impacts and ransom demands) and business interruption claims has resulted in cyber becoming a less profitable area of insurance in recent times. Early cyber insurance policies did not predict the current levels of ransomware attacks and business interruption incidents, so there has been a significant shift from privacy-related losses to business income-related losses.

This has led to the underwriting bar shifting - it is common for insurers to now demand that organisations have strong levels of multi-factor authentication (MFA) and endpoint detection and response (EDR) to get access to a quotation. Unsupported systems/hardware can also stop them providing cover. In essence, with lower capacity and supply of cyber insurance in the market, insurers are able to be selective in relation to the risks they are taking on - they are often seeking only the “best” risks.

Movements in the broader pricing and provision of cyber insurance policies over time are outside of the control of corporate insurance buyers, but there can be significant benefits to being on the front foot in discussions with the insurance market to proactively tell the story of the organisation’s cyber risk journey.

This means that insurance buyers understanding and clearly articulating their wider approach to cyber risk management - as well as their key strengths and weaknesses - can make all the difference when it comes to successfully negotiating a cyber insurance policy.

Self-insuring cyber risk and how to quantify it

Cyber insurance is only one way to finance and reduce cyber risk. Insurance may not provide cover for the full amount at risk from cyber attacks and incidents, or may simply not be available.

This has led to an increasing trend for organisations to consider using self-insurance or an insurance captive to either cover primary cyber insurance layers or to fill in the gaps of traditional cyber insurance policies. This can also benefit future negotiations with insurers if there are elements of the risk which are to be transferred externally in future.

An element of this self-insurance approach often missing is the process of quantifying the risk - at least at a high level - in financial terms. If insurance is not purchased, the risk is still there and resides on the balance sheet.

Quantifying cyber risk and/or key cyber scenarios allows an organisation to make deliberate and informed risk retention decisions and understand how much of the balance sheet might be exposed. Self-insurance does not mean just ignoring the risk. Not quantifying cyber risk in any way can be equivalent to running an unknown and potentially significant risk through the balance sheet.

Organisations that self-insure must also ensure they have access to key specialist services where needed, such as incident response, forensics, legal, communications, crisis support and negotiators.

Financing cyber risk - where should I start?

For some organisations a mixed approach of insurance and self-insurance will be optimal. Either way, it is imperative to be on the front foot in identifying and considering alternatives, and to make deliberate and informed decisions.

A good starting point is often a maturity assessment of the process through which you seek to purchase insurance and/or finance cyber risk using an alternative approach (such as self-insurance or use of an insurance captive).

Some important questions to ask yourself are:

Are you creating sufficient competitive tension during cyber insurance negotiations?
Are you getting value from your insurance broker?
Are you articulating your wider approach to cyber risk to brokers and insurers so that they will perceive you as a good/mature risk?
Are you self-insuring in a clear and deliberate way?

The answers to these questions can be key to unlocking the optimal decisions in relation to cyber risk transfer and risk retention, and will inform some of the practical steps that can then be taken.