Cyber insurance is quickly becoming an inevitable part of doing business as more organizations accept the inevitability of cyber risks. There is a growing awareness of the need to be prepared for the consequences of disruptive security incidents, such as those caused by ransomware, just as firms invest in coverage for potential physical threats such as fire or criminal damage.
But while other potential disruptions benefit from stable insurance providers that have been around for decades or even centuries, cyber insurance is a nascent field that has proven difficult to tackle. Even the more experienced players in the insurance industry have struggled to cope with it. In many cases, premiums have skyrocketed as providers have become more wary of being left on the hook for multimillion-dollar breaches.
Accordingly, cyber insurance has become unaffordable for many small firms. Studies indicate that the number of businesses that cannot afford these costs will double.
So what makes cyber insurance so much more complicated than other forms, and how can companies cope with ever-higher premiums and stricter eligibility requirements?
Why is cyber so different from other areas of insurance?
At first glance, cyber insurance should function just like any other form of protection. Risk is assessed based on a variety of known factors, and coverage and premium levels are developed based on the likelihood of an incident and its potential severity and consequences.
The challenge lies in the sheer complexity of the cyber landscape and the number of variables involved.
Let’s take fire insurance as an example of an area where the variables are very well understood – after all, we have several thousand years of experience in understanding fire. It is relatively easy for insurers to assess fire safety based on the material used for construction, precautions such as fire extinguishers and other factors such as topography and climate. Where there is change, it is very visible. For example, I grew up in a forested area of Australia where there is an increased risk of fire.
Cyber is infinitely more complex, given the almost unlimited number of variables in play. Individual IT environments are complex enough, but they can still be analyzed and evaluated effectively, much like a physical structure.
The real problem lies in the swirling, ever-changing chaos of the cyber landscape. A record 18,439 new vulnerabilities were reported and cataloged in the National Vulnerability Database last year, an average of more than 50 new discoveries every day.
Each new software product release or update introduces an unknown number of new vulnerabilities and weaknesses that threat actors may discover, as well as fresh opportunities to find problems in older systems. At the same time, adversaries have become more organized and better able to exploit vulnerabilities. New attack methods and tools are also constantly emerging. As the cyber mantra goes, we don’t know what we don’t know.
As a result, the cyber landscape is much more difficult to understand and monitor than any previous business risk. Despite progress, the insurance industry has yet to find its footing in the cyber sphere. Providers are still unsure what an acceptable level of risk looks like for their customers, leaving them exposed to paying huge sums through coverage that turns out to be too generous. Higher premiums and tighter claims conditions are one result of providers seeking to hedge against this risk.
The danger of a two-tier reality
In addition to the cost of the premium itself, there is a growing trend towards more complex policies that place more complex requirements on applicants and contain more clauses that void coverage. For example, firms may need to adhere to a very strict recommended list of security solutions and precautions in order to qualify for coverage.
This trend threatens to create an unequal two-tier system of cyber insurance. While insurance should always be seen as a last line of defense when all else fails, smaller firms will be deprived of this safety net and will be more vulnerable as a result.
If premiums continue to rise, only larger organizations with bigger budgets will be able to afford them. That gives them an effective last line of defense on top of the fact that these large corporations can already afford more security solutions and staffing.
As a result, smaller firms that cannot provide for increased premiums will remain even more vulnerable to cyber threats. Criminal groups are well aware that not only are these businesses easier targets, but they are also more vulnerable to devastating attacks such as ransomware or data theft and blackmail because they lack the insurance capital to help them recover.
How can smaller firms increase their chances of getting cyber insurance?
The cyber insurance market will likely take some time to mature as providers determine how they can best keep pace with the rapidly changing security landscape and protect their margins against major incidents.
At the same time, organizations that want to take advantage of the additional protection of insurance coverage will need to focus on meeting higher premiums and more restrictive requirements without spending their entire budget. Proactive thinking is very important here, given the threats that may already be in the system.
Efforts should be focused on reducing as much risk exposure as possible with each investment. Ransomware is one of the most high-profile threats at the moment and one of the biggest concerns in the insurance industry. AXA made waves last year as the first major vendor to drop ransomware coverage in its policy, but ransomware can be a very expensive prospect even aside from the demand itself.
Firms that have clearly taken this risk seriously and invested in their ability to detect and shut down extortionists will be more likely to reassure hesitant providers. Key factors here include the ability to identify attacks early and to limit the damage through measures such as network segmentation.
Likewise, data theft is a serious issue that will be the focus of many policies. In addition to the impact of data loss, attackers are increasingly doubling down on victims with ransomware-like blackmail demands. Companies will need to prove that they can reliably detect and prevent exfiltration attempts.
Automation is one of the most important assets for achieving these capabilities on a tight budget. Automating key processes such as access permissions, detection and response will free up both resources and manpower that can be redeployed to other high-value activities. Done well, automation can help small firms punch well above their weight in terms of their ability to detect and respond to threats.
While a two-tier scenario may be inevitable, smaller firms may be able to keep up with the right strategy. Focusing on the biggest risks and streamlining and automating processes will increase the likelihood that they can meet strict policy requirements and plan for higher premiums. And, of course, the same actions that satisfy policy requirements will also reduce the chances of the firm ever having to fall back on its insurance at all.