Buying Cyber Insurance is Getting Trickier, Says WSJ: Cybersecurity Trends

Gee, you think? According to the Wall Street Journal, buying cyber insurance is getting trickier as attacks proliferate, which leads to costs rising – dramatically.

The article (Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise, written by Cheryl Winokur Munk, hat tip to KnowBe4 for coverage) states that, for many businesses, obtaining or renewing cyber insurance has become expensive and arduous.

The price of cyber insurance has soared in the past year amid a rise in ransomware hacks and other cyberattacks. Given these realities, insurers are taking a harder line before renewing or granting new or additional coverage. They are asking for more in-depth information about companies’ cyber policies and procedures, and businesses that can’t satisfy this greater level of scrutiny could face higher premiums, be offered limited coverage or be refused coverage altogether, industry professionals said.


“Underwriting scrutiny has really tightened up over the past 18 months or so,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.

In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos. Ouch!

More ouch: Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms. Analysts attribute the increase primarily to higher rates, as opposed to insurers significantly expanding coverage limits.

One of the reasons that buying cyber insurance has gotten trickier is that companies buying insurance are subject to tight scrutiny of internal cyber practices, said Selby.

Now, insurers aiming to limit their risk are putting corporate security chiefs through lengthy lists of questions about how they defend their companies, said Chris Castaldo, chief information security officer at Crossbeam Inc., a Philadelphia-based tech firm that helps companies find new business partners and customers.

The WSJ article has more on the current challenges for buying cyber insurance. When I covered cyber insurance trends last year, I reported that premium prices were rising as much as 40%. To quote Ron Burgundy, “that escalated quickly!”

So, what do you think? Are you surprised by the extent to which buying cyber insurance has gotten trickier and more expensive? Please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright © Dreamworks Pictures

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


  1. Not surprised since the more an insurance company pays out the harder it is to get coverage, e.g., flood, hurricane, etc. The reality is no matter the steps any company takes they are all vulnerable.

  2. Risk management, or specifically risk assignment, regardless of the object to be protected, is always going to be an expense and never a producer. Insurance companies, regardless of the type of coverage, know this all too well. Do you want better life insurance? Then get it while you are young and in better health and for a sufficiently long term. Make it a part of your long-term financial strategy. Auto insurance, while taking in factors unrelated to driving habits, offers monitoring devices that tell them how well and how much you drive. If it meets their actuarial standards then you get lower premiums. Property insurance also has its own risk reduction factors. Cyber Insurance is not much different. It seems to become a matter of “not if but when” with respect to a malicious cyber event.

    Reading the linked articles, along with links in those articles, I did not find one reference to volumes of publicly available research on Ransomware, which is the hot topic in cyber security. You can’t protect the forest without protecting the trees and removing the underbrush and maybe even some trees. Professional assessments like those mentioned on the Marsh website are a great service but a good CISO should already know not only the file types that are targeted but what are the methodologies used by the miscreants to encrypt those targets.

    Risk assignment will always be based on the amount of risk. If you are medically considered obese, have diabetes, heart disease, hypertension, you probably won’t even be able to acquire much more than a pre-paid burial policy. If you don’t know what mission critical data is more likely to be attacked, your cyber insurance premiums will be higher. Even if you are aware of the file types and methodologies but you rely solely on backups that remain connected to your network, you are still asking for higher premiums.
