
UNITED STATES

DePass: The demand for cyber insurance remains high given persistent cyber threats, contractual requirements to have certain levels of coverage, and the potential for significant financial harms resulting from cyber events and data breaches. In the wake of such incidents, companies face direct costs, such as those involved in containing and investigating an incident, as well as indirect costs including those relating to third-party notifications, government investigations, litigation and reputational harms. The high demand for cyber insurance coincides with efforts by insurers to mitigate their exposure by increasing premiums, narrowing coverage and adopting other restrictions. For example, some insurers will cover a company’s expenses for engaging third-party experts only if those experts have been pre-approved by the insurer to assist in incident response activities. Given these kinds of limitations, it is critical that companies carefully review their policies and coordinate with their insurance brokers to confirm that they meet the company’s needs.

BELGIUM

Taelman: The cyber insurance market has experienced significant growth in Belgium, with Belgian companies increasingly recognising insurance as critical to risk management strategy, although the market penetration is still running behind the US. This surge stems from high-profile breaches demonstrating potentially catastrophic financial impacts. Although NIS2 does not mandate cyber insurance as such, the robust risk management required by NIS2 has further increased the interest in cyber insurance. However, the insurance landscape has become increasingly sophisticated and selective. Insurers now conduct rigorous cyber security assessments before providing coverage, often requiring evidence of specific security controls such as multifactor authentication (MFA), regular patching protocols and employee training programmes. Premium costs have risen, particularly for high-risk sectors or organisations with poor security postures. Recent trends include active cyber insurance where the insurer not only provides coverage, but also helps companies with identifying, mitigating and responding to cyber risks. In short, purchasing cyber insurance is not just about obtaining coverage, it also demonstrates ongoing commitment to cyber security best practices.

CANADA

Caldwell: The increased volume of cyber and privacy threats to companies has led to a higher demand for cyber insurance. Improved understanding of these risks has resulted in better underwriting standards, refined policy wordings and diverse coverage options. Cyber insurance premiums have seen a period of stabilisation and even some decline after significant increases in 2021 and 2022, but they still remain expensive. Common types of coverage include first-party cyber liability, which covers direct damages like lost income, ransomware payments and customer notifications, and third-party cyber liability, which covers legal fees and damages from third-party claims. Companies may need to enhance internal security processes, such as MFA, regular data backups and incident response plans, to qualify for a policy.

THE NETHERLANDS

van der Wolk: Most companies are certainly considering procuring cyber insurance. What I am hearing, though, is that in recent years premiums have gone up significantly while at the same time coverage has been more targeted and limited. Most cyber insurance will cover the cost of responding to an incident, which is helpful, but it will not cover such things as ransom payments, regulatory penalties or lost business. This may of course be understandable, but these are the areas where businesses are typically hit hardest as a result of a cyber incident. Companies should also be careful about the incident response coverage, and whether this includes free choice of third-party support, such as forensic investigators and attorneys. It is also important to know whether customer notifications, such as call centres and regular mail, are covered.

FW: What essential advice would you offer to companies on implementing effective strategies to mitigate cyber risk and strengthen their defences? How should they go about protecting their data, devices and critical infrastructure?

UNITED STATES

DePass: Protecting data and systems requires multiple levels of protection. Maintaining robust technical controls provides a strong foundation, but that is not enough. For a security programme to be effective, such controls must be reinforced through policies and procedures, training and awareness efforts, and other practices that cultivate a culture of compliance. Regularly assessing risks and vulnerabilities, and implementing measures to mitigate identified risks, also are cornerstones of a mature security programme. Finally, companies should recognise that establishing a resilient security programme is not a one-time investment; it requires ongoing monitoring, evaluation and adjustment, given a dynamic threat landscape, and as a company’s operations and risk profile evolve over time.