Processing Your Payment

Please do not leave this page until complete. This can take a few moments.

Updated: October 26, 2022

As cyberattacks increase, more companies consider cyber liability insurance; but coverage costs are rising


Over the past few years, businesses large and small have found themselves targets of cyberattacks, which are growing in complexity and frequency.

The second quarter of this year saw an all-time peak, with global cyberattacks increasing 32% compared to the same period in 2021, according to Check Point Research.

One of the latest local victims was Bradley International Airport, which recently saw its website go down after being hit by a distributed denial of service attack.

Ongoing threats not only loom from foreign-led groups and geopolitical tensions, like the Russia-Ukraine war, but the pandemic has also made things worse, with the new reality of a remote workforce accessing business data through multiple unprotected devises, said Joseph G. Fortner Jr., a partner at law firm Halloran Sage in Hartford.

Joseph G. Fortner Jr.

“That’s opening up everyone to more vulnerabilities,” Fortner said.

Four out of five data breaches involve a human element, according to the Verizon 2021 Data Breach Investigations report.

For businesses, ransomware remains the most pervasive threat, at record levels in 2021, followed by social engineering attacks like phishing and other email compromises, according to the IBM Security X-Force Threat Intelligence Index 2022 report.

While finance, insurance, health care, energy and education remain popular targets of cyber criminals, no industry or government sector is immune, with manufacturing, for example, ranking as the top attacked industry in 2021, according to the report.

“Cybercriminals look for network access, and they take it wherever they find it, regardless of industry or the size of the company,” said Tim Francis, vice president and enterprise cyber lead at property and casualty insurer Travelers Cos., which underwrites cyber liability insurance policies.

Liability coverage

The uptick in cyberattacks, which can result in significant costs and damages, is leading more businesses to explore cyber insurance.

While not all policies are created equal, an array of cyber liability insurance products are currently offered by 279 U.S. insurance carriers, according to the National Association of Insurance Commissioners.

Though policies can vary, the basic guarantee for business policyholders is the payout of a fixed amount to help restore services interrupted by a cyberattack and cover third parties, including people who have suffered damages as a result of having their data leaked.

But cyber insurance coverage isn’t ubiquitous. For example, three out of four of the 1,200 business decision makers who responded to Travelers’ 2022 risk index survey, named cybersecurity insurance as critical, but just 59% said their company had such coverage.

Multiple reasons were cited by those who haven’t purchased a cyber insurance policy, according to Travelers’ Francis.

“Some pointed to cost, while others feel they already have adequate protections in place or aren’t familiar enough with cyber coverage to be comfortable purchasing it,” Francis said.

Nearly 25% of survey participants also said they didn’t think their company will suffer a cyberattack, while the same percentage said they had too many other things to worry about, he said.

That might be a dangerous miscalculation given a cyberattack can be devastating, resulting in financial losses, remediation expenses, downtime, reputational harm and other damages. The average ransomware payment was $925,162 during the first five months of 2022, approaching the unprecedented $1-million mark, and rising 71% from last year, according to Palo Alto Networks.

The average cost of a data breach for U.S. businesses is $9.4 million, according to the IBM report, while nearly two out of three small firms go out of business within six months of a cyberattack, according to The National Cyber Security Alliance. The cost of cybercrime is predicted to reach $10.5 trillion by 2025, according to Cisco/Cybersecurity Ventures 2022 Cybersecurity Almanac.

Rising coverage costs

As companies brace for the rising risks of attacks, cyber insurance is growing as a higher priority across many industries, experts said.

“Cyber risk has become a board-level issue over the last few years,” said Marc Lombardi, a partner at law firm Shipman & Goodwin in Hartford.

Marc Lombardi

He and other legal experts cite a growing roster of business clients looking to invest in ways to protect, mitigate and manage their cyber risk and cyber exposure, including via insurance coverage.

“Companies first need to start by assessing their data, and knowing its value both internally and externally and from there, proceed to devise strategies to protect it from all angles,” Lombardi said.

A 2021 report by the U.S. Government Accountability Office found more insurance clients are opting-in for cyber coverage — up from 26% in 2016 to 47% in 2020.

The report also pointed out the cyber insurance market is in flux as cyber crimes become more common. The rising costs of threats and some insurers taking losses from hefty payouts over the last couple of years have not only driven up premiums but also led insurers to reduce coverage limits for some industry sectors, the report notes.

Since 2020, premiums have increased anywhere from 30% to over 100%, said Timothy Zeilman, a vice president at specialty insurer Hartford Steam Boiler, which also underwrites cyber liability coverage.

“There’s been really traumatic increases in rates over the last two years or so, though it varies by industry and the size of the business,” Zeilman said.

That trend is putting a squeeze on midsize and small businesses, which tend to be popular targets of cyber criminals.

That’s led the Treasury Department’s Federal Insurance Office and the Cybersecurity and Infrastructure Security Agency to agree to research and determine whether Congress should enact a federal cyber insurance program to make coverage more affordable for businesses.

But cyber insurance is still worth getting, experts said. Insurance polices are becoming more diverse in covering a broad range of costs associated with cyber risks as the market matures, said Zeilman.

Insurers writing policies for cyber risk are also requiring more information from policyholders, including requirements around security controls and a range of technical, physical, procedural and human controls, to minimize cyber risk.

“Insurance companies are challenging policyholders with basic requests for security measures,” said Linn F. Freedman, a partner at law firm Robinson+Cole.

Linn Freedman

It’s the combination of coverage and risk mitigation, “not leaving your doors and windows open,” that will yield the best results, Freedman said.

“Businesses can’t rely on insurance alone,” she added.

Sound cyber hygiene includes robust back up and secure network strategies, like multifactor authentication at critical access points, fire walls, and scanning technologies, experts said.

Cyber-risk management

Another key focus, and a blind spot for many businesses, is the ongoing need to train employees in cyber best practices, particularly how to spot a suspected incident as threats continue to evolve, said Fortner of Halloran Sage.

“Businesses think they have put things in place, like software updates and they’re done, but hacking efforts and social engineering are getting better, more sophisticated and more people are getting attacked as a result,” Fortner said.

The good news is that insurers are playing a big role in nudging businesses toward better cyber-risk management just as new standards are evolving that they may need to comply with in the future, said Eric George, president of the Insurance Association of Connecticut.

Eric George

While cyber insurance has been around for two decades, it’s a “neonatal” sector, he said.

“It’s still very early on and a growing area,” George said.

Sign up for Enews


Order a PDF