Cyber & data breach insurance has increasingly become one of the most valuable insurance coverages sought out by organizations of all shapes and sizes. As cyber-related threats continue to evolve and multiply, the insurance offers a financial umbrella for those who fall victim to attempted and successful breaches. 

Cyber insurance consists of two major components; first-party and third-party coverage. First-party coverage refers to damages that happen directly to the insured as a result of a cyber incident. It includes things like incident response costs, business interruption (loss of revenue), data replacement, and ransomware payments. 

The third-party component, on the other hand, refers to liability coverage for the data of others, compromised as a result of an incident. The cost of legal defense, proceedings, settlements, damages (sometimes including punitive) are all included in this coverage part. 

There’s also coverage for credit card repayments if the data that was exposed happened to be credit or debit card information. Lastly, some cyber insurance policies will include media liability for copyright, trademark, or intellectual property infringement claims.       

This insurance coverage is underwritten the same way that any other line of insurance would. The insured is evaluated based on their ability to prevent a potential claim through implementing security controls that would ideally prevent an incident from ever happening. Underwriters also will look at the insured’s capacity for detecting and quickly responding to an incident as a way to mitigate the total loss. 

More Claims, More Government, More Underwriting  

Unfortunately, claims in this space have gone somewhat out of control to the point where federal and state government bodies are getting more and more involved. According to the National Conference of State Legislatures (NCSL), at least 45 states in 2021 processed bills or resolutions to manage cybersecurity. Some of the most popular measures included:

  • Government agencies providing cybersecurity training for management of formal security policies/standards and response planning for an incident 
  • Regulation in cyber insurance requiring more controls to be compliance 
  • More task forces and commissions to investigate and advise on cybersecurity issues
  • Support and incentives for cybersecurity education    

On top of the introduced legislation (in which some were passed into law), there has also been communication between the White House and some major cyber insurance carriers on ways to address their current claims challenges. 

Between the legislation and security summits, one of the conclusions was a newly profound respect for endpoint security — leading to a popular new underwriting requirement for endpoint detection and response (EDR) technology.     

Current Trends in Cyber Claims 


To better understand the emphasis on endpoint-security solutions such as EDR tools, it’s important to review the trends in claims data to understand just how bad this environment has become. 

According to a 2021 cyber claims report generated by the National Association of Insurance Commissioners (NAIC), there was a significant increase in the average cyber insurance loss ratios (claims expenses paid divided by premium collected) from 2017-2020:

  • 2017: 32.4% 
  • 2018: 35.3%
  • 2019: 44.6%
  • 2020: 66.9%  

It should be noted that the increasing lost ratios are also coupled with a 21.7% increase of premium written from 2019 to 2020. This means that cyber claims are becoming so frequent and severe, that the increase of written premiums still isn’t offsetting the losses.  

Another claims report by Coalition does a good job showing the claims trends by category which further pushes the focus for EDR. The three most common claim categories are ransomware, business email compromise, and funds transfer fraud in which each of them saw a significant increase in frequency from the second half of 2020 to the first half of 2021:

  • Ransomware→ Up from 0.41% (2020) to 0.52% (2021) frequency 
  • Business Email Compromise→  Up from 0.44% (2020) to 0.56% (2021) frequency 
  • Funds Transfer Fraud→  Up from 0.32% (2020) to 0.60% (2021) frequency  

Although the severity (average claim paid) for ransomware and business email compromise had decreased, the average funds transfer fraud claim went from $215,000 to $247,000 from the second half of 2020 to the first half of 2021. To make matters worse, funds transfer fraud only had an average claim of $88,000 in the first half of 2020. 

Claims Are Altering Underwriting Processes 

The results of these trends have yielded a more detailed and rigorous underwriting process that now requires a much longer initial cyber application. These applications consist of questions about the insured’s cybersecurity program, loss history, and a series (or sometimes separate application) of industry-specific or regulatory questions.  

Additionally, more carriers are using supplemental applications that strictly narrow in on particular threats such as ransomware or social engineering. You see it also become more common for insurers to require signed attestations confirming specific controls such as multi-factor authentication (MFA) are in place. 

The result of all of the paperwork with new and complicated questions — a longer cyber insurance procurement process that demands more back-and-forth communication between the insured and their agent.  

Why EDR is the Key 

Rest assured, we did not just provide claims information and underwriting trends without explaining the importance of EDR tools. Like commonly used security controls such as antivirus or encryption software, carriers want to see that their insureds have a comprehensive program in place to prevent, detect, AND respond to an incident. 

The idea is that the better the controls are, the less likely there is for a claim to occur and/or the less severe of an impact (financially) a claim will have. Insurance should NOT be a sole protection mechanism. Think about it, if you purchased car insurance, that isn’t a blessing to go out and beat your windshield with a bat. Same goes for health insurance, just because you have it doesn’t mean you still shouldn’t eat healthy, exercise, and take care of yourself.     

How EDR Works 

The functionality of EDR tools in conjunction with the sources of claims is what makes it such a valuable and increasingly required control by underwriters. Once the tools are installed, EDR collects data from endpoints such as a computer, tablet, phone, or server for analysis. 

Upon analysis, the solution is looking for “anomalies” in the events taking place. This could be anything from a login from a strange IP address to a session type not commonly used. If the system finds anything odd, it will automatically initiate a response to contain the incident, investigate it, notify the dedicated response team, and offer insights on mitigating the incident. 

EDR Against the Common Claims 

Based on the claims data we presented earlier in the article, we know that each of those three major incidents would have to start with some form of unauthorized access to an endpoint or network before initiating the attack. That being said, the EDR system would be able to detect potentially threatening access if it had some kind of contextual uniqueness to it and contain the incident quickly and effectively. 

From the viewpoint of an insurance carrier, the incident is either prevented altogether or so minor that a claim would have little effect on their loss ratio.    

No EDR, No Insurance 

For a variety of reasons, you’re seeing situations where cyber claims are denied even though the insured has a robust policy. In some of these circumstances, carriers argue it’s largely because of a misrepresentation that was done on the insurance application which indicated they had EDR in place when they really didn’t. 

That’s not to say that you won’t get coverage without EDR, but even the way the policy is constructed might be altered as a result. In other words, a carrier might still write the insurance but drastically increase premiums or exclude a specific cause of loss. For example, some carriers may not include social engineering as a covered loss for their cyber insurance policies depending on the class of business and if it is determined you don’t have a control like EDR in place.   

What’s the Worst That Can Happen? 

Recently, we’ve seen firsthand the worst-case scenarios that take fold in what can happen if you don’t have EDR. One of these circumstances is a financial institution that was required, by law, to have a comprehensive cybersecurity program consisting of cyber insurance. 

The firm was looking to renew their current policy but was denied coverage after a newly demanded EDR requirement was not fulfilled. They shopped around dozens of carriers only to continue the rejection to the point where the policy expired and they no longer had cyber insurance coverage.

Because they no longer had cyber insurance, they were no longer compliant with the regulatory requirements set forth and forced to shut down operations losing hundreds of thousands of dollars per day. After a few weeks, a full EDR solution was installed and one of the carriers bound the cyber coverage, putting them back into compliance. 

Unfortunately, the nightmare got worse. After the EDR tools were up and running, an irregular event was detected on one of the organization’s endpoints that turned out to be a breach by a malicious actor. It was discovered that the criminal had already downloaded thousands of files of private client information and sold it on the black market.

It still gets worse….A few hundred client identities were stolen which resulted in many lawsuits. Ordinarily, the cyber liability insurance coverage would pay for the defense, settlement, and damages costs, however, the claims adjuster established that the threat actor had gotten access to the specific endpoint while operations were shut down and prior to the new insurance policy taking place. 

Therefore….. the entire claim was denied.      

Add EDR to Remain Insurable 

By now, you’ve seen what is happening in the cyber claims world and why EDR is becoming mandatory by underwriters. Ascension Global Technology can guide you through the EDR and cyber insurance marketplace to get the financial protection and compliance fulfillments your organization needs to stay secure and operational. Schedule a consultation with one of the AGT experts today to get started and find more ways to improve your firm’s security posture.  

Related Posts

Leave a Reply

About Us

"AGT" offers complete end-to-end security protection through technology tools, cybersecurity strategy, consulting, and project management services. From addressing specific security gaps to a full environment cybersecurity strategy. With services designed to improve any organization’s overall organizational security posture, AGT develops strategies to implement and deploy successful cybersecurity solutions to protect companies from data and financial loss.