August 30, 2024 By Doug Bonderud

The United States cyber insurance industry continues to see strong profits, according to Fitch Ratings. Average premium increases, meanwhile, have moderated over the last three years: While 2021 saw a 34% jump in premium pricing and costs rose 15% in 2022, increases were under 1% in 2023.

As noted by the Fitch Ratings report, “segment underwriting profitability at current levels is unsustainable as cyber insurance pricing is likely to remain flat or down going forward.” While this is good news for enterprises looking to limit the impact of cybersecurity incidents, cyber insurance providers are concerned about the uncertain costs that come with fully covering companies if networks are breached or data is compromised.

The result? Words of warning from Warren Buffett: “You may get an aggregation of risks that you never dreamt of, and maybe worse than some earthquake happening someplace.”

The problem for providers

Berkshire Hathaway is the sixth-largest provider of cyber insurance policies in the United States. And while current policies are profitable, Berkshire’s top executive Ajit Jain says that total cyber losses are often hard to pin down. “The aggregation potential can be huge,” he says. “And not being able to have a worst-case gap on it is what scares us.”

Consider recent news-making cyber incidents that led to companies worldwide facing millions (or billions) in outage costs. The scale and scope of these incidents create a potential problem for insurers. Depending on the terms of cyber insurance policies, payouts could end up significantly outpacing profitability.

Buffett’s concern is that insurance agents are rushing to sign up new commercial clients without conducting thorough cyber risk assessments, in turn putting providers in a precarious position if claims fall within the scope of policies and costs spiral out of control. He warns that even if policies have a relatively low $1 million limit, large-scale cyber events that affect hundreds or thousands of policies could cause serious problems. “You’ve written something that in no way we’re getting the proper price for,” says Buffett, “and could break the company.”

The challenge for companies

For companies, cyber insurance is now a must-have to combat the rising cost of breaches and ensure compliance with evolving government and private sector regulations.

As noted by Cybersecurity Dive, however, 80% of organizations have suffered a cyberattack that wasn’t fully covered by their policy. Research from CYE found that on average, cyber insurance policies fell $27.3 million short.

This shortfall is tied in part to growing lists of insurance exclusions. For example, if enterprises do not have adequate security controls in place or fail to follow compliance expectations, cyber insurance coverage may be null and void.

In much the same way that insurance agents are eager to sell policies, enterprises are eager to obtain coverage. As a result, both providers and purchasers may find themselves faced with an insurance gap, one that isn’t easy to quantify, track or manage.

Doubling down on due diligence

For enterprises to find effective coverage and insurers to reduce the risk of spiraling costs, both sides need to double down on due diligence.

Consider the case of organizations facing a sudden cloud outage. If the issue isn’t tied to a security breach, the costs may be covered under their general insurance, rather than requiring a separate cybersecurity policy. Understanding the difference between unexpected IT events and security-driven issues can help organizations address potential security shortcomings before they purchase new policies.

When it comes to cyber insurance providers, meanwhile, clarity is critical. During a recent White House summit, big tech, infrastructure and insurance providers met to discuss the challenge of creating a more secure business landscape. According to Cybersecurity Dive, three recommendations emerged from the event: Insurers should be clearer about the expectations of security standards, provide an actionable list of security practices and offer companies something in return for engaging with new behavioral and procedural standards.

Bottom line? There are challenges on both sides of cyber insurance. To reduce risk and minimize loss, providers and purchasers need to meet in the middle with policies that clearly spell out obligations and fully disclose payout policies.
