A new report has found that the cost of cyber insurance policies is soaring, so let’s talk about the reasons why these policies are becoming more expensive.
The numbers come from the US Government Accountability Office (GAO), which has noted a significant increase in the cost of cyber insurance policies. The study was mandated by the National Defense Authorization Act for Fiscal Year 2021, which directed the GAO to examine the cyber insurance market. That Congress asked for the study at all is significant in itself, and a signal of how important this kind of coverage is expected to become in the near future.
Their findings included the fact that adoption of cyber insurance is increasing dramatically: among the clients of one large broker whose data the GAO analysed, the take-up rate rose from 26% in 2016 to 47% in 2020.
The authors of the report found that “the industry sectors with the highest take-up rates in 2016-2020 included education and health care, which collect, maintain, and use significant amounts of personally identifiable information or protected health information.”
“Sectors experiencing significant growth in take-up in that period included the hospitality and retail sectors, which commonly collect payment card information. The manufacturing sector’s take-up rate also grew significantly, as that industry became increasingly aware of potential cyberattack risks.”
The Cost of Cyber Insurance Policies Is Soaring; Here’s Why
The Government Accountability Office noted that, alongside the rise in adoption, the cost of cyber insurance policies is soaring. The report found that for about half of the clients of the brokers it consulted, premiums rose by 10 to 30% in the last quarter of 2020 alone.
As the number of cyber attacks on healthcare providers and the education sector increases, insurers appear increasingly reluctant to offer cyber coverage to some of the most exposed industries.
Another key finding of the report is that policyholders are largely unaware of what their cyber insurance policy actually covers, and that insurers are becoming increasingly risk-averse about underwriting policies that cover ransomware payments.
Last week, insurance giant AXA had its Asian operations hit by a ransomware attack, just days after the group announced it would stop writing policies in France that reimburse ransomware payments.

As for the reasons why, the report states as follows. “One broker told us that minimum premiums for high-risk industries with revenues up to $5 million can range from $2,000 to $3,500 per million of limit, while other brokers said premiums on policies that target mid-size entities with revenue from less than $100 million to $250 million can average from about $5,000 to more than $10,000 per million of limit.”
“In addition to entity and industry risk factors, premiums can differ based on the amount of a deductible or other self-insured amount, which the brokers told us had minimums from $1,000 to $5,000 for policies with a $1 million total limit.”
“These same risk factors also can result in lower coverage limits for certain perils, such as $250,000 for social engineering and wire transfer attacks on a policy with a $1 million total limit.”

The Rising Importance of ISO 27001
As cyber criminals become more sophisticated in their campaigns, it’s essential that organisations protect their networks in the most effective way possible. With the threat landscape constantly evolving, it can be difficult to stay ahead of cyber criminals without the right tools at your disposal.
This is where ISO 27001 comes in: an internationally recognised standard for an information security management system (ISMS), built around a set of best-practice controls for information security and data protection. Implementing an ISMS aligned with ISO 27001 requires you to identify and assess the threats to your organisation, and to build a system of controls that protects its most important information assets from cyber criminals.
Cyber insurance provides money after an attack, but a lump-sum payment will not repair your reputation in the aftermath of a breach or ransomware incident. One of the major benefits of an ISO 27001 ISMS is that it gives you a structured way to build an information security programme that reduces the chance of a successful attack in the first place. There is no assurance that your organisation won’t be targeted, but if you have done the work of covering the basics, you can make the attacker’s task difficult enough that, hopefully, they move on to a softer target.
In cyber security, the best defence is a well-maintained and regularly reviewed set of controls, which ISO 27001 can help you assemble across your organisation. Certification against a world-leading information security standard also inspires confidence in your customers and helps you meet regulatory requirements.