Cyber insurance is on the rise, and organizational security postures must follow suit
Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.
Despite best efforts to the contrary — ransomware, hacks and data breaches are more prevalent than ever.
Close to 75% of global cyber-risk decision makers report that their company experienced at least one cyberattack in the past year — and just 3% of respondents rated their company’s cyber hygiene as “excellent.” Furthermore, recent research puts the average ransom payout at $211,529.
Naturally, to protect themselves, more organizations are investing — often significantly — in cyber insurance, particularly as cybersecurity breaches, hacks and ransomware attacks are often not included in traditional policies.
Cyber insurance companies, in turn, are increasing premiums and becoming ever more selective about the companies they’re willing to insure.
“The cyber insurance market is changing,” said Jon Siegler, cofounder and chief product officer at governance, risk and compliance software company LogicGate. “Cyber insurance companies aren’t making as much money as they used to because they’re paying more claims due to the increase in cyberattacks.”
Even when they do provide coverage, insurers are carving it out based on a company’s risk posture.
“Cyber insurance won’t reimburse you for related incidents if you’re failing to update software or using an out-of-date patch,” said Siegler.
Insurance at a premium
Cyber insurance is much like other insurance coverage. It is a means to manage risk and loss from certain events — in this case, cyberthreats.
Although it varies by insurer and amount carried, policies can cover costs associated with business email compromise, ransomware attacks, phishing attacks and other social engineering attacks, explained Jennifer Mulvihill, business development head for cyber insurance and legal at cyber defense platform company BlueVoyant. Policies can also provide both first-party and third-party coverage, she said.
All told, the cyber insurance market is expected to be $25 billion by 2026, according to an annual cyber report by The Howden Group. The National Association of Insurance Commissioners also reports that cyber insurance premiums collected by the largest U.S. insurance carriers in 2021 increased by 92% year-over-year.
This trend will only continue, predicted Norman Krumberg, managing director at cybersecurity company NetSPI. Today’s unpredictable threat market makes it challenging for insurers to accurately evaluate an organization’s IT management and security control maturity. He anticipates that it will be more and more difficult to receive payouts for claims, particularly if there is a breakdown in controls.
Further, cyber insurance brokers and companies have increased the complexity of the underwriting process and underwriting questions, he said. Insurers previously relied on questionnaires and self attestation and lacked the internal acumen to evaluate the merit of proposals.
But insurers are hiring experts in security controls to review responses and proactively evaluate an organization’s attack surface and understand its full portfolio of controls, said Krumberg.
Siegler pointed to research from S&P Global Market Intelligence revealing that the average cyber insurance loss ratio was nearly 73% in 2021, reflecting a 25% increase from 2019. Cyber insurance companies kept just 27 cents of every dollar paid by customers in premiums — compared to 2019 when they earned 52 cents on the dollar.
Modern companies: Tech companies
So, why is cyber insurance so important?
“To a certain extent, every modern company is now a technology company,” said Siegler. “Even if you don’t think of yourself as a technology company, you store sensitive information about customers, sometimes even personally identifiable information (PII).”
It could be as simple as storing such information in an email, he said. Sending an email to the wrong recipient can constitute a data breach. Your organization could easily be taken to court. Similarly, storing PII requires complying with a myriad of federal and state data laws.
“From this perspective, almost every modern organization could use cyber insurance,” said Siegler.
Still, Mulvihill emphasized that cyber insurance is more than just a reactive policy that provides reimbursement for claims.
“Cyber insurance provides support even before there is a claim,” she said, explaining that this could include pre-claim cyber assessment offerings and reduced-rate access to experts.
Cyber insurance savvy
As with all other types of insurance, organizations should know what to look for — as well as what is expected of them.
To that point, organizations should consult brokers about what coverage matches their particular risks, Mulvihill said. This could be based on sector and/or business services or products. They should also understand carriers’ risk appetites, what ancillary pre-claim benefits (such as education) that they might provide, and their typical claim response times, as well as whether there are co-insurance or sub-limit requirements.
Similarly, understand underwriting requirements, Krumberg advised, and how those could impact coverage over a policy period. Also of key importance: How insurers define a cyber event or incident, as there may be crossover with other policies.
Siegler agreed, pointing to common cyber insurance exclusions: Incidents due to third-party vendors; lost or stolen portable devices; consequences of war, terrorism or invasion; and the insured’s failures to maintain agreed-upon security protocols. He said he is also seeing more insurers requiring organizations to carry minimum amounts of cyber insurance to quality for other types of coverage.
Business leaders are also trying to determine how much coverage their company needs and whether a single policy or a combination of secondary policies suffices, said Siegler. Risk quantification can aid this process, as it communicates risk through the shared language of monetary value. This can offer a baseline, along with an existing financial model, to set a target limit.
Risk quantification can also help organizations evaluate and quantify the cost of a data breach to determine whether current coverage can absorb the cost of most likely risk scenarios, said Siegler. And when additional coverage is needed, the method enables CIOs and other technology leaders to use financial — rather than technical — jargon so that the C-suite better understands risks.
“By communicating risk in business terms, IT leaders can demonstrate the cost savings of managing vulnerabilities and improving security against the cost of insuring or absorbing the risk directly,” said Siegler.
Improving security posture
There are many steps an organization can take to make themselves more appealing to insurers. Most notably, said Siegler: “The better your security, the better your rates.”
A formal, mature security program helps organizations secure coverage, and may also reduce overall premiums and ensuing premium increases.
“In this new era, organizations should be prepared with a documented security program,” said Krumberg, who added that orgs should also ensure that their responses to underwriting requirements are in place and operating.
To decrease their chances of being deemed ineligible, organizations might consider consulting a cyber insurance broker to improve their cybersecurity program, Siegler suggested. These experts will have specialized insights into what beneficial changes can be made based on current risk profiles, industry and company size.
Preparation is an organization’s best chance to be insured more quickly, said Siegler, especially as insurers’ due diligence process can take as long as six months — even when it comes to a renewal. As the demand for cyber insurance has increased, the process has expanded from surveys of 20 to 30 questions to as many as 200 questions, and insurers are increasingly requiring interviews as well.
But, Siegler cautioned, “remember that cyber insurance is not a substitute for security best practices. Cyber insurance can give companies a false sense of security.”
The reality is that a cyber insurance provider might not cover an incident if a company acted negligently, he pointed out.
“A better lens for any organization is to ask: ‘Are we doing the right things to secure our customers’ data as well as our own?’ If you’re not, get your data practices in shape,” said Siegler.
Strong management, controls
Organizations would do well — whether seeking an insurance policy or not — to strengthen their identity and access management (IAM), advised Siegler. While this isn’t a new process, he said, next-generation security systems have raised expectations.
Instead of relying on usernames and passwords, a more robust IAM uses multifactor authentication (MFA), device history, geolocation and user behavior to ensure that only authorized users access resources. Most insurers will require MFA and the use of VPNs, said Siegler.
Zero-trust architecture goes beyond those controls, requiring users to prove their authenticity each time they access a system or resource. While it isn’t a requirement, zero-trust can also improve IAM.
Siegler encouraged organizations to demonstrate effective asset management. Providers want to see the proactive discovery of new assets and vulnerabilities via device discovery, continuous policy enforcement and vulnerability management.
“Insurers want to know that, should a cyberattack succeed, your company can quickly determine the extent of the impact and begin the incident management process,” said Siegler.
Furthermore, organizations should improve their data encryption and networking, as insurers want to see how secure data remains as it moves through stages within infrastructure — data in transit; data at rest and stored internally or externally; and data in use.
Another important safeguard is refining incident response plans, said Siegler, as cyber insurance providers will look for problems there. An ideal plan ensures a consistent process from initial response to recovery, and includes several steps, including:
- Identification: Security staff reviewing policies, identifying affected assets and prioritizing critical affected assets before acting.
- Containment (both short-term and long-term): Detecting deviations from normal operations and determining whether those deviations derive from a breach.
- Eradication: Identifying and correcting the breach’s root cause.
- Recovery: Bringing affected systems back online by thoroughly testing affected assets.
- Improvements: Following a breach (Siegler suggests within two weeks), determining ways to refine security to prevent similar incidents in the future.
Simply put, “providers don’t want to insure an organization that is likely to negatively impact loss ratios,” said Siegler. Thus, “expect potential insurers to assess and scrutinize your entire risk posture.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.