Future of Cyberinsurance | Stratascale

Future of Cyberinsurance

Cyberinsurance Now a Strategic Concern

Cybersecurity leaders have begun to view cybersecurity insurance as a topic for strategic conversation. In the past, organizations often viewed cyberinsurance much like traditional liability insurance: a commoditized transfer of risk that the company purchased as a matter of course for protection against loss.

But with the explosion in breaches and ransomware, rates have skyrocketed, and the process for obtaining cyberinsurance now looks more like a SOC 2 audit than a property and casualty (P&C) application. In response to these changes, many senior leaders now treat the organization’s ability to obtain cyberinsurance, and the premium it is quoted, as a reflection of its overall cybersecurity posture. Stratascale client CISOs have echoed this sentiment a number of times in research interviews and round table discussions.


Industry losses drive increased costs, stricter underwriting, and reduced coverage

Cybersecurity insurance is becoming more costly and more difficult to obtain, with insurers requiring that businesses invest in higher levels of security. Insured businesses that experience attacks are also finding that insurers are less willing to pay out. Before processing claims, insurers now demand proof that the controls cited in the insurance application were actually in place and effective at the time of the incident.

Cost, availability, and scrutinized payouts all reflect the insurers’ need to stem the massive hemorrhaging from industry loss rates. Cyber insurance loss ratios have more than doubled, from 35 cents for every dollar of premium collected in 2017 to 73 cents in 2020 (S&P Global, 2020). Last year, two of the largest cyber insurance issuers, AXA and American International, paid out 98.2% and 100.6% respectively of the money they received in premiums. Insurers are looking to mitigate these losses by increasing premiums, reducing coverage, and tightening requirements both for underwriting and for claims.

Exclusion of Ransomware; Cyberinsurance as a Driver of Ransomware Attacks

Ransomware claims have been the biggest driver of this increased cost. In fact, many insurers have begun to exclude coverage for ransomware payments or remediation, in response to a rise in hacking groups actively targeting firms that hold cyber insurance. Some authorities now view oversight of cyber insurance as a national security issue. The French government, for instance, believes that cyber insurance is causing ransomware attacks to increase in frequency.

James Turgal, a former FBI agent and now a VP at Optiv, claims, “New hacking groups are getting into ransomware attacks to go after what they see as an ‘endless pot of money’ facilitated by insurance companies.” AXA, the second largest player in the cyber insurance space, has announced that it will no longer cover ransomware attacks at all in France, and industry analysts expect this trend to accelerate as the space matures.

Businesses are reducing coverage

In response to increased costs, businesses are opting to purchase less coverage. One analysis has shown premiums increasing 174% in the last 12 months while the average policy coverage amount dropped by 50%. Marsh, a leading insurance broker, reports that 23% of businesses are experiencing either a voluntary or an involuntary decline in coverage. Cyber insurance is becoming more costly and less useful as more companies have had to accept a larger retention (essentially a deductible) in order to keep premium rates at acceptable levels.

Tackling Cyberinsurance Audits

To help counter this trend towards reduced cyber insurance availability (and, correspondingly, more cyber risk retained by businesses), Europe has provided a framework for a successful cyber insurance audit. The cyber insurance information requirements issued by the Federation of European Risk Management Associations (FERMA) provide a useful template for businesses looking to qualify for cyber insurance, or simply to evaluate their own cyber readiness, in any jurisdiction:

  1. Business profile: Main activities, percentage of activity in the B2B and B2C space, jurisdictions in which the company operates, turnover and security budgets, legal requirements (GDPR, HIPAA).
  2. Security awareness culture and training: How is security embedded into the culture and user training? Who is responsible for IT security (is it just one group, or a focus for everyone within the organization)?
  3. Internal mapping: Inventory of physical systems, both on premises and connected to the network, with specific identification of the most sensitive servers and infrastructure.
  4. Data classification & architecture: What is the most important data? Who has access to this data? Is it backed up, and how is it backed up?
  5. Authentication roles & access: Management of critical access to networks, equipment, and maintenance interfaces, and management of access by third parties.
  6. Mobile working security: Policies for securing mobile devices that have access to sensitive information and encryption of said information on mobile devices.
  7. Networking: Segmentation and micro-segmentation, exposure of internal resources to the internet (for example, can the payroll system be reached from the internet?), a secure access gateway to the internet, security of interconnections with partners, physical access controls, redundancy.
  8. Identity management: Access rights, password management, 2FA, and implementation of zero trust identity policies.
  9. Industrial control: Ensuring that industrial control systems are secured and that detailed information on their operations and controls is available.
  10. Supply chain management: Ensuring that software and physical supply chain partners are also secure.
  11. Update / patch management: Timely and comprehensive deployment of patches and updates.
  12. Risk management, disaster recovery plan (DRP), and business continuity: Plans to mitigate and remediate damage caused by attacks, to limit the impact of a breach on operations.

Readers should be aware that while the above provides a starting point, there is no one-size-fits-all approach. Terms and requirements vary from insurer to insurer.

Given the increased costs associated with the changing insurance market, and the increasing difficulty of obtaining cyber insurance, enterprises must take on additional legwork. CISOs must be prepared with relevant information and plans, not only for obtaining the coverage, but also for maximizing the chance that any future claim succeeds. In a world where the cost of a data breach averages $4.24 million according to IBM, it is critical that companies manage this risk effectively, and cyber insurance is a key part of the larger risk management picture.

Enterprises can’t pass the buck to insurers any longer. The days of filling out a brief form and obtaining cybersecurity insurance are long gone. As the industry matures and exposure increases, processes and requirements are maturing as well. Firms must be prepared to address these new requirements and to make larger investments, both on the insurance side, in the form of direct premium and retention costs, and on the operations side, in the form of increased staff resources.

But security leaders will find, as the CISOs we speak with have noted, that there is an ancillary benefit to these activities: the increased visibility into issues that matter to risk-responsible senior executives and board members also helps the security team ensure that cyber defenses are up to the task of protecting the enterprise.

Cybersecurity Research Analyst

Alex is a cyber security research analyst at Stratascale. His background in both research and practical security gives him a unique perspective on providing security with a risk-based approach. He focuses his expertise on emerging technologies, data-driven IT strategy, and tactical solutions to large security problems.
