As cyber criminals grow more sophisticated and attacks more frequent, businesses face a reality in which cyber liability insurance is no longer optional.
What was once a specialty product has become nearly as fundamental as property insurance — and potentially more crucial for a company’s survival.
A lot has changed since Arkansas Business last reported on cyber insurance in 2021.
Then, the industry had not seen any notable increase in insurers offering commercial cyber policies despite rising cyberattacks. Policy costs were also on the rise as underwriters scaled coverage back.
But that’s not the case today, according to Clint Lamberth, chief sales officer at the insurance agency Meadors Adams & Lee of Little Rock. The cyber insurance market has matured.
The U.S. cyber insurance market saw an 11.7% increase in policies from 2022 to 2023, with premiums totaling more than $9.8 billion. That number was $6.5 billion in 2021 and just $1.4 billion in 2015. Those numbers are from the National Association of Insurance Commissioners (NAIC).
Insurers saw a rise in cyber claims when workers shifted to working from home during the pandemic, because home networks didn’t have the same protections as offices. This caused underwriters to pull back coverage and raise prices.
But now insurance carriers have “more of a grip” on the industry and have “picked up a lot of steam,” according to Christopher Wright, co-founder, partner and lead security engineer at Sullivan Wright Technologies of Little Rock.
Wright, whose company offers cybersecurity consulting to businesses, said cyber insurance is something he always recommends to clients. It is now a fundamental part of cybersecurity, incident response plans and risk management, he said.
Cyberattacks are more common now than ever, and that’s perhaps the biggest factor in the rise of cyber insurance.
Wright said that today’s cyber threats are far more sophisticated than the stereotypical “hacker in a basement” scenario: “These are organized crime operations.”
According to IBM, the global average cost of a data breach in 2024 is $4.88 million — a 10% increase over last year and the highest total ever. Of that increase, 75% was due to the cost of lost business and post-breach response activities.
“If you get hit with an attack, there’s financial and reputational risk overall to your organization, and you need to be able to have some recoverability,” Devin Shirley said in a telephone interview. Shirley is chief information security officer at Arkansas Blue Cross & Blue Shield of Little Rock. “It’s kind of like other insurance in the same way — everything’s a risk evaluation for your organization.”
Firsthand Experience
“The threat landscape has increased significantly,” Shirley said. “The bad guys are getting better. They’re getting smarter. The proliferation of AI has made it easier for them to do mass attacks in a shorter amount of time.”
Arkansas Blue Cross & Blue Shield reported unauthorized access to its Blue Wellness Rewards program in August through its vendor Healthmine. The information exposed included members’ names, addresses, email addresses, dates of birth and prescription histories.
The company has cyber insurance, and after the breach, it hired a forensic firm to assist with the investigation. It also gave customers the opportunity to enroll in a complimentary one-year membership with Experian, which included credit monitoring, identity restoration and up to $1 million in identity theft insurance.
And BCBS isn’t alone, even in the state. In just the past year, major Arkansas companies have disclosed cybersecurity breaches. Evolve Bank & Trust of West Memphis faced a ransomware attack in May from the criminal organization LockBit, and Encore Bank of Little Rock alerted customers in January that it had discovered a compromised employee email account.
Encore launched an investigation with outside cybersecurity professionals, and offered a free two-year membership with IDX, a data breach and recovery services company. The services included credit monitoring, a $1 million insurance reimbursement policy and fully managed identity theft recovery services, as well as a free response line.
Those are the services that cyber insurance covers that can make or break a business after a breach, Lamberth said. He emphasized it’s about “defending yourself” and transferring risk to the insurance carrier.
Coverage can protect against various costs associated with cyber incidents, including forensics investigations, legal expenses, customer notifications and business interruption.
The NAIC reports that 72% of small and medium-sized businesses without cyber insurance say a major cyberattack could destroy their business.
“If you do get breached, the amount of what you get back is so immensely larger than anything you would ever pay out at this level,” Wright said. “You can’t get those forensics analysts; those people are thousands of dollars an hour. You can’t get those lawyers or the people that do all the notifications.”
And Shirley agrees that cyber insurance has become an essential part of incident response planning.
“Having that there helps mitigate or transfer the risk of some of the monetary cost of a breach to a cyber insurance organization,” Shirley said. “Is anyone going to truly understand all the upfront cost of a cyber breach? No. In some industries, the heavy costs come five years after the breach. It’s just understanding where your costs are and working with the right cyber insurance provider that will work with your particular industry.”
Insurance Terms
The evolution of cyber insurance reflects the changing threat landscape. The need for cyber liability insurance mostly comes from three areas: ransomware, data breaches and business email compromise.
According to Wright, almost all insurance carriers now require basic security measures like multi-factor authentication before providing coverage.
“A lot of times the insurance carriers now are adding things on there to say, ‘If we’re going to cover you, you’re going to come meet us in the middle somewhere.’ So you can’t have the worst cyber hygiene in the world, and expect for them to pour money into your business.”
According to the NAIC, it’s also a growing trend for insurance carriers to include “exclusionary language” in policies.
Policies typically include “failure to maintain security” or “failure to follow” exclusions, which preclude coverage for claims resulting from a failure to maintain minimum security standards.
But Shirley said most insurance carriers will do an annual check-in to make sure a company is meeting its cyber policy standards.
And though the cost of cyber insurance remains a concern, Wright and Lamberth say coverage is more affordable than many assume.
“There is always something,” Wright said. “If you don’t have tons of revenue, your policy is not going to cost that much because there’s not a lot to replace in there.”
Lamberth said that cyber coverage often costs less than other types of business insurance, and should be part of a company’s budget. He also said that by just asking a few simple questions, an insurance agent can probably turn around a cyber insurance quote within a day, which was not the case just a few years ago.
“The product availability is absolutely there for anyone,” Lamberth said. “When we do a premium summary, cyber is probably at the bottom end. It’s almost in the addendums like, ‘Oh, by the way, your cyber is $800.’”
Shirley said every company will have to decide which policy works best for it, because “any business is going to have to evaluate their overall risk tolerance, their risk appetite and understand just what they need.” And Lamberth said there’s so much variety that whether a company needs $100,000, $1 million or $10 million in coverage, it’s available.
As of July, Arkansas also maintains a cyber insurance program for public entities through the Risk Management Division of the Arkansas Insurance Department. The program provides coverage with a $100,000-per-occurrence limit for entities that comply with published standards, and $50,000 for those that don’t, with a $1,000 deductible.
Cyber Hygiene
Insurance carriers may require businesses to meet certain standards to be covered, but that doesn’t mean that’s all a business should do, Wright said. And better cyber hygiene can bring down cyber insurance rates.
Insurance also shouldn’t be viewed as a complete solution. Shirley and Wright both emphasized the need to keep data as private as possible and to avoid hoarding unnecessary data, because cyberattacks are not abating.
“There’s a lot of extortion,” Shirley said. “When you start looking at data that actually belongs to people, then that’s where the privacy factor comes in. You have really got to keep things private. Everybody needs to start thinking privacy, even if they may not themselves be a privacy-oriented company.”
Wright encourages his clients “not to hoard data,” especially data that cyberattacks would target.
“One of the things we try to do is get our clients to think about that whole life cycle of an attack, and if the protection fails, you need other controls beyond protection,” Wright said. “Insurance is a great additional control to have.”