Cybersecurity leaders have begun to view cyber insurance as a topic for strategic conversation. In the past, organizations often viewed cyber insurance much like traditional liability insurance: a commoditized transfer of risk that the company purchased as a matter of course for protection against loss.
But with the explosion in breaches and ransomware, rates have skyrocketed, and the process for obtaining cyber insurance has become more like a SOC 2 audit than a property and casualty (P&C) application. In response to these changes, many senior leaders now view the organization's ability to obtain cyber insurance, and the premium rates it is quoted, as reflections of its overall cybersecurity posture. Stratascale client CISOs have echoed this sentiment a number of times in research interviews and round table discussions.
Cybersecurity insurance is becoming more costly and more difficult to obtain, with insurers requiring that businesses invest in higher levels of security. And insured businesses that experience attacks are finding that insurers are less willing to pay out. Before processing claims, insurers are now demanding proof that the controls cited in the insurance application were in place and effective.
Cost, availability, and scrutinized payouts all reflect the insurers' need to stem the massive losses the industry has been absorbing. Cyber insurance loss ratios have more than doubled, from 35 cents paid out for every dollar of premium collected in 2017 to 73 cents in 2020 (S&P Global, 2020). Last year, two of the largest cyber insurance issuers, AXA and American International Group (AIG), paid out 98.2% and 100.6% respectively of the money they received in premiums. Insurers are looking to mitigate these losses by increasing premiums, reducing coverage, and tightening requirements both for underwriting and for claims.
Ransomware claims have been the biggest driver of this increased cost. In fact, many insurers have begun to exclude coverage for ransomware payments or remediations, in response to a rise in hacking groups actively targeting firms who have cyber insurance. Some authorities now view cyber insurance oversight as a national security issue. The French government, for instance, believes that cyber insurance is causing ransomware attacks to increase in frequency.
James Turgal, a former FBI agent, now VP of Optiv, claims "New hacking groups are getting into ransomware attacks to go after what they see as an 'endless pot of money' facilitated by insurance companies". AXA (the second largest player in the cyber insurance space) has announced that it will no longer cover ransomware payments at all in France, and industry analysts expect this trend to accelerate as the market matures.
In response to increased costs, businesses are opting to purchase less coverage. One analysis has shown premiums increasing 174% in the last 12 months while the average policy coverage amount dropped by 50%. Marsh, a leading insurance broker, reports that 23% of businesses are experiencing either a voluntary or involuntary decline in coverage. Cyber insurance is becoming more costly and less useful as more companies have had to take on increased retention (essentially a deductible) to keep premium rates at acceptable levels.
To help combat this trend towards reduced cyber insurance availability (and correspondingly, more cyber risk to businesses), Europe has provided a framework for a successful cyber insurance audit. Cyber insurance information requirements issued by the Federation of European Risk Management Associations (FERMA) provide a useful template for businesses looking to qualify for cyber insurance – or simply evaluate their own cyber readiness – in any jurisdiction:
Readers should be aware that while the above provides a starting point, there is no one-size-fits-all approach. Terms and requirements vary from insurer to insurer.
Given the increased costs associated with the changing insurance market, and the increasing difficulty of obtaining cyber insurance, enterprises must take on additional legwork. CISOs must be prepared with relevant information and plans, not only for obtaining the coverage, but also for maximizing the chance of success for any future claim. In a world where the cost of a data breach averages $4.24 million according to IBM, it is critical that companies manage this risk effectively, and cyber insurance is a key part of the larger risk management picture.
Enterprises can't pass the buck to insurers any longer. The days of filling out a brief form and obtaining cyber insurance are long gone. As the industry matures and exposure increases, processes and requirements are maturing as well. Firms must be prepared to address these new requirements and to budget for larger investments, both on the insurance side, in the form of direct premium and retention costs, and on the operations side, in the form of increased staff resources.
But security leaders will find, as the CISOs we speak with have noted, that there is an ancillary benefit to these activities: the increased visibility into issues that matter to risk-responsible senior executives and board members also helps the security team ensure that cyber defenses are up to the task of protecting the enterprise.
Alex is a cyber security research analyst at Stratascale. His background in both research and practical security gives him a unique perspective on providing security with a risk-based approach. He focuses his expertise on emerging technologies, data-driven IT strategy, and tactical solutions to large security problems.