5 trends in the cyber insurance evolution

As cyber insurance companies evolve, they will wield more power throughout the industry. Check out five areas where cyber insurance trends are changing the cybersecurity market.

While cyber insurance chatter has escalated over the last decade, its origins date back to the 1990s, when the world was just figuring out how to monetize Netscape browsers and Apache web servers. Fast-forward to 2024, and the global cyber insurance industry is worth somewhere around $12 to $15 billion in 2024 premiums and is growing between 20% and 30% per year.

Until recently, standalone cyber insurance sales were limited to the biggest organizations in the world, primarily in the U.S. This is no longer true. Cyber insurance sales are growing precipitously in Asia and Europe, while small and midsize businesses are buying policies at an increasing rate.

Why are cyber insurance policies and premiums on the rise? Visible and costly cyberattacks like ransomware are the obvious answer. But I believe cyber insurance proliferation is also a function of growing executive- and board-level understanding of cyber-risk and its role in corporate risk management and governance. Finally, regulations from the Securities and Exchange Commission, the EU (Network and Information Security Directive) and others are persuading corporate boards to supplement their security strategies by transferring risk to insurers.

Despite global market growth, cyber insurers haven't sat back and raked in the money over the past few years. Ransomware attacks were especially ugly in 2020 and 2021, resulting in an overall market loss ratio for most insurers -- direct claims were greater than insurance premiums. This led to a sharp increase in cyber insurance customer premiums and far more stringent oversight for underwriters. The prevailing joke at the time was that cyber insurance went from a product you couldn't sell in the 2000s and 2010s to a product you couldn't buy in the 2020s.

The state of cyber insurance

After some recent research into the status of cyber insurance, I believe the market is slowly stabilizing and maturing. Premiums continue to grow but at a more reasonable pace. New players are emerging, driving competition and price pressure. I also see some promising innovation in the market. As these trends continue, cyber insurance will become an increasing center of gravity, influencing enterprise security programs, security technology markets and purchasing behavior. As this happens, here are five things I anticipate:

  1. Greater use of technologies for continuous risk assessment. According to CISOs I spoke with, the process for renewing cyber insurance policies has become more and more onerous, with longer questionnaires and more direct interactions with underwriters. This is an improvement in risk quantification, but it's still a point-in-time assessment. Just as you can plug an adapter into your car's computer to personalize auto insurance, cyber insurance vendors will likely lean on tools in areas such as attack surface management, including those from CyCognito, Ionix, Palo Alto Networks and so on; vulnerability management, including Kenna Security from Cisco, Qualys, Rapid7, Tenable and others; and security asset management, including Axonius, Brinqa, JupiterOne, Panaseer, Sevco Security and more, to get a real-time view of cyber-risk and adjust premium rates accordingly. This is a bit of a business model stretch for blue-chip insurance firms, but I expect creative insurers to adopt continuous monitoring tools for risk mitigation, offering customers a way to proactively manage premium costs.
  2. Accelerated adoption of zero trust. With the attack surface growing like a weed, insurers want customers to lock things down as much as possible. This will drive more thorough and rapid zero-trust implementation technologies, such as MFA, passwordless authentication based on FIDO2, network microsegmentation and user and entity behavior analysis. I expect more aggressive zero-trust implementation in industries with lots of business-critical operational technology and IoT devices, such as healthcare and manufacturing.
  3. Drive deception technology to the mainstream. I wrote last year about why I thought 2024 would be a big year for deception technology. As more intelligent and user-friendly deception technologies emerge, it makes sense that insurance providers would want their customers to blanket their networks with thousands of synthetic breadcrumbs, decoys and lures, aimed at fooling sophisticated adversaries and scaring off more pedestrian hackers.
  4. Growing alliance between cyber insurers and service providers. Cyber insurance vendors want customers to have strong cyber-risk management practices, accurate threat detection, rapid incident response and architectural resilience. Unfortunately, many organizations are under-resourced or victims of the global cybersecurity skills shortage and aren't up to these tasks. This resource gap will drive a natural marriage between cyber insurers and managed security service providers (MSSPs). These relationships will likely start on the money side but will evolve over time as cyber insurance vendors separate leading and laggard MSSPs. Look for more one-stop-shops, such as At-Bay, that offer both insurance and MSSP services.
  5. Channel strategies and tactics between cyber insurers and technology vendors. Cyber insurance vendors shouldn't care whether their customers use CrowdStrike, Microsoft, SentinelOne or Trend Micro endpoint security, or if they prefer Check Point, Cisco, Fortinet or Palo Alto firewalls. One brand might do better in some third-party tests than others, but these tools are only as good as the way they are installed, configured and managed. Once again, managed services could become the key to differentiation. Meanwhile, cyber insurers will continue to form business relationships with tool vendors, exchanging leads, finder's fees and sales spiffs.

Many of these developments are well underway and will only accelerate in the future. As cyber insurers evolve through these trends, they will wield more and more power throughout the industry, ultimately influencing who wins and loses in the cyber game.

Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
