The cyber insurance market has undergone a significant shift over the past few years, as demand has skyrocketed alongside escalating risks. According to Karen Ritchie (pictured), senior vice president at Baird MacGregor Insurance Brokers LP, there are both challenges and developments in this rapidly growing area, as businesses slowly wake up to the realities of cyber threats.
"We've been promoting cyber now for probably the last three or four years, pretty consistently," Ritchie said. Yet, despite efforts to raise awareness, many businesses still struggle to grasp the severity of their vulnerabilities.
“You still get some of them that think, 'I'm okay. My IT people tell me, I'm okay,” Ritchie said.
Ransomware has become the most prevalent threat in the industry. Ritchie emphasized the ease with which bad actors can deploy such attacks, noting that “you've got your ransomware for hire... small bad actors can get this ransomware and use it." This has resulted in a surge of claims from businesses, many of whom never anticipated they would be victims. One case Ritchie recalled involved a small family-owned manufacturing company that fell prey to a ransomware attack.
“Their whole system was taken down," she said, adding that the incident would have been financially crippling without cyber insurance coverage. The ransomware claim reached around $100,000—an amount that would have severely impacted the company’s ability to continue operations.
Cyber insurance is not only about covering financial losses but also about business continuity. Ritchie pointed out that cyber policies often include provisions for business interruption and reputational damage. "Once your systems are down, you’ve got a loss of income," she said, underscoring the importance of such coverage in minimizing the long-term impacts of an attack.
For businesses that deal directly with consumers, reputational harm can be even more damaging than the immediate financial losses. "The reputational hazard is a bigger exposure, in a way," Ritchie said, particularly if a business cannot quickly recover or repair its systems.
As more companies begin to understand their exposure, Ritchie sees an increasing uptake in cyber insurance policies. However, the process of convincing businesses to invest in cyber coverage often involves educating them on the specific vulnerabilities they face. One effective method is to present potential clients with a detailed analysis of their risk profile.
"Once we get the quotes, we can get a really good printout of that particular client's vulnerabilities," Ritchie said. When presented with a pie chart breaking down their exposure, clients are often startled to realize the gaps in their defenses. "They go, 'I see, I see that. I’m not as safe as what I thought I was,'" she added, noting that this educational approach has been instrumental in converting skepticism into action.
The issue is not limited to small businesses. Larger companies, particularly those in sectors like manufacturing, wholesale distribution, and business-to-business services, are also being hit hard by ransomware. Ritchie said that cyber insurance is becoming a necessity not only to protect against direct attacks but also as a requirement for doing business with larger partners. Increasingly, companies are demanding that their vendors and partners have cyber insurance in place.
"In order for me to do business with you, you need to have cyber," Ritchie said.
As the cyber insurance market matures, insurers are raising their expectations for the security measures businesses must implement to qualify for coverage. One key area is multi-factor authentication (MFA), which has become a standard requirement for cyber policies.
"A lot of the cyber markets are requiring not just the one MFA; they want double MFA on everything," Ritchie said. This tightening of requirements reflects the evolving nature of cyber threats, which demand more robust security protocols.
Looking to the future, Ritchie believes the cyber insurance market will continue to grow as businesses realize the importance of protecting themselves from an increasingly dangerous digital landscape.
“There are still a lot of opportunities," she said, describing the market as "open" and noting that premiums, while rising, are still relatively reasonable given the scale of the risk.
Yet, the integration of advanced technologies like AI and big data into cyber risk management remains a cautious endeavor.
“We are integrating it slowly and carefully," Ritchie said, recognizing the potential for AI to streamline processes but also warning of the risks. The use of AI in predictive analytics for rating and underwriting carries the risk of biases, which could inadvertently lead to unfair outcomes for certain businesses.
"If you're not careful of that, then you can wind up with biased results.”
