Protecting against cyber-attacks can feel unsatisfyingly intangible. It is not always clear how much risk protection you are buying with security interventions. And it is not always clear how your insurance is being priced, and how that relates to your investment in security. The purpose of this post is to interrogate the insurance market and seek to gain some clarity into how pricing operates.
Imagine you are a small-to-medium business (SMB), wondering how much you’d expect to pay for a 1-million-dollar cyber insurance policy premium. Given only your company’s industry and revenue, we could make a pretty good prediction, as shown in Figure 1. Based on a sample of data from 2023 – 2024, we built a simple machine learning model to predict premiums for various SMBs (shown on the x-axis), and then plot those results against the actual lowest premium quote they were offered (shown on the y-axis). We also include a lower and upper bound function (in red and green respectively), which form confidence interval bounds; about 80% of all predictions (blue dots) fall between these bounds.
Figure 1. Predicted vs actual lowest-offered insurance premiums on a sample of SMBs, using only industry and revenue as model features.
Some of these findings are trivial; of course, larger companies in more dangerous industries will be expected to pay higher premiums. More interestingly, why is there such large variance, and what is the nature of that variance? For SMBs predicted to pay $2,000 for a 1-million-dollar policy, 80% of the actual values range from as low as $1,300 to as high as $2,700.
Let’s look at a specific group of SMBs who have less than $10 million in revenue per year, and either have a:
- “Strong” cyber posture: they use MFA for email, encrypt sensitive data at rest, and have tested their backups within the last 6 months.
- “Poor” cyber posture: they don’t use MFA for email, don’t encrypt sensitive data at rest, and have no tested backups within the last 6 months.
If we look at the average price for a 1-million-dollar policy across these two groups, we see a large difference:
- The strong cyber posture group has an average premium of $1,118
- The poor cyber posture group has an average premium of $2,248
The strong cyber posture group has a price that is over 50% less than the poor cyber posture group! This is why DataStream helps SMBs working with their managed service providers (MSPs) identify key areas that could impact their price, with an automated gap analysis tool in our application system (see Figure 2 for an example). If you are missing any controls which we believe will increase your premium, we will highlight these areas and make it easy to start a conversation with your IT provider to improve those security areas before applying.
Figure 2. Automated gap analysis example, highlighting missing key controls.
To learn how affordable cyber insurance can be for your business in just a few minutes, click the “Get A Quote” button on the top right corner of this page to get free quotes today!
And if you’re an MSP/MSSP curious about exploring these automated gap analysis tools, click on the “Refer Clients” button on the top right corner of this page to demo the tool!