
Cyber Insurance Is Getting Harder to Buy. Here's Why and What to Do.

Insurance and risk management

If you've tried to renew or purchase cyber insurance recently, you may have noticed something: it's more expensive, the application is longer, and some carriers are declining coverage altogether. The cyber insurance market has fundamentally changed, and the reason is ransomware.

What Changed

Ransomware claims have exploded. Colonial Pipeline ($4.4M ransom), JBS Foods ($11M), Kaseya (attempted $70M). The average ransomware payment in 2021 is over $500,000. Insurance carriers are paying out more in claims than they collect in premiums, which is unsustainable.

The result: carriers are raising premiums (50-100% increases are common), reducing coverage limits, adding exclusions, and requiring specific security controls before they'll issue a policy.

What Insurers Now Require

Most cyber insurance applications in 2021 ask specific questions about:

  • Multi-factor authentication: Do you require MFA for remote access, email, and admin accounts? This is now a dealbreaker. No MFA often means no coverage.
  • Endpoint detection and response: Do you have EDR (not just antivirus) on all endpoints?
  • Backup integrity: Are backups tested regularly? Are they air-gapped or immutable?
  • Patch management: How quickly do you apply critical patches? Do you have a documented patching process?
  • Email filtering: Do you have advanced email security beyond basic spam filtering?
  • Security awareness training: Do you conduct regular phishing simulations and training?
  • Incident response plan: Do you have a documented plan?
  • Network segmentation: Is your network segmented to limit lateral movement?

Answer "no" to several of these and you'll face significantly higher premiums, reduced coverage, or outright denial.

The Silver Lining

Here's the thing: every control that insurers are requiring is something we've been recommending for years. MFA, EDR, tested backups, patching, training, segmentation. The insurance industry is now enforcing the security basics that many organizations wouldn't adopt voluntarily.

If you've been following the advice in this blog, you're well-positioned for cyber insurance. If you haven't, the insurance application is your wake-up call.

What to Do

  1. Start with MFA. If you implement nothing else, implement MFA on email, remote access, and admin accounts. It's the single most common disqualifier.
  2. Document everything. Insurers want evidence. Document your security policies, backup procedures, patch schedules, and training records.
  3. Work with a specialized broker. Cyber insurance is specialized. Work with a broker who understands the market and can match you with carriers appropriate for your industry and size.
  4. Budget for premium increases. Expect 25-100% increases at renewal. Budget accordingly.
  5. Don't let coverage lapse. A gap in cyber insurance coverage is a gap in financial protection. Renew on time.

Cyber insurance was always meant to be a backstop, not a substitute for security. The market is finally enforcing that distinction.