Cyber security is a game of balancing financial, operational and reputational risk. A cyber attack can impact all three: it often stops operations, and the downtime and any data loss cause reputational damage, both of which hit immediate and future revenue. It is a complex matter, and organisations can spend millions of pounds and still be at risk.
Cyber insurance helps to reduce the financial impact of a cyber attack and can support in getting the organisation operating again with incident response, which insurers may include as part of the service. However, finding cyber insurance is harder for companies than a year ago, and we predict that it will only get harder.
An increase in cyber attacks and subsequent payouts is having a direct impact on the cyber insurance market. To stay viable, many insurers are increasing premiums, dropping coverage, or exiting the cyber insurance market altogether. According to TechTarget, cyber insurance premiums have increased by 100% year-on-year, driven by ever-increasing ‘loss ratios’ (claims paid as a proportion of premiums collected) for insurers, which S&P Global reports have reached 72.8%. Despite this, insurance providers do tend to pay out: Sophos reports that 94% of organisations holding insurance against ransomware received a payment from their insurer towards the costs of a ransomware incident.
What Does Cyber Insurance Cover?
Cyber insurance covers several things. Common coverage areas are data breaches, identity fraud, and personal information theft. There are also the high legal expenses, fines, and costs of retrieving data, fixing systems, restoring impacted customers’ identities, and alerting customers of breaches. Coverage may also include costs related to determining the cause and consequences of an attack, such as business disruption, extortion, or forensic investigation.
Typically, an insurer would provide £20 million of cover for a ransomware or email compromise incident, which is roughly the cost of recovering a business from a disruptive ransomware attack. The problem is that, because the loss being covered cannot be measured very easily, what the insurer is really insuring is the ransom payment, which is only about a fifth of the total incident cost. The payout will help rebuild the foundations of the metaphorical house after it has burned down, but it will not fix everything, and it certainly will not restore customers’ faith.
Significant Challenges for Organisations
There are many requirements an organisation must adhere to in order to get cyber insurance. Understanding them all is often easier said than done as it requires a technical understanding of cyber security and broader IT, and not all organisations have this expertise in-house.
Cyber insurance checklists vary by provider and policy, so there are no set-in-stone guidelines a company can follow, but general requirements cover technical setup, detection and response capability, protecting employees and protecting data. For instance, a checklist might ask whether a company applies security patches within 30 days of release. Not every patch is relevant to every company, and some cannot be applied within 30 days, so the organisation needs to be able to evidence both the patches it did apply on time and the reasons for any it did not. Another checklist might require a SIEM (security information and event management platform) monitored 24/7 by a SOC (security operations centre). Purchasing, commissioning and managing a SIEM, as well as implementing 24/7 response, could be a £250k expense that organisations simply do not have the budget for.
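The patch-window question above is easier to answer honestly if the evidence is generated rather than estimated. The following is an added example, not code from the original article or from any insurer: it evaluates a constructed host inventory against the hypothetical checklist item "security patches applied within 30 days of release", separates late or missing patches from those covered by a documented risk acceptance, and leaves patches still inside their window as pending rather than counting them as breaches. The host names, patch identifiers and justification text are all invented for illustration.

```python
"""
Added example (not from the original article): evaluate a constructed patch
inventory against a hypothetical insurer checklist item, "security patches
applied within 30 days of release", and produce the evidence an applicant
would attach to the questionnaire answer.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SLA_DAYS = 30  # the 30-day window named in the checklist example


@dataclass
class PatchRecord:
    host: str
    patch_id: str              # hypothetical vendor bulletin identifier
    released: date             # date the vendor published the patch
    installed: Optional[date]  # None means the patch has not been applied


# Documented risk acceptances (constructed): patch_id -> justification.
# A patch may be left unapplied only if it appears here.
RISK_ACCEPTED = {
    "VENDOR-2024-0003": "Not applicable: affected component is not installed",
}

# Constructed inventory covering each outcome the checklist question raises.
SAMPLE = [
    PatchRecord("web-01", "VENDOR-2024-0001", date(2024, 1, 10), date(2024, 1, 25)),
    PatchRecord("web-02", "VENDOR-2024-0001", date(2024, 1, 10), date(2024, 2, 20)),
    PatchRecord("db-01", "VENDOR-2024-0002", date(2024, 1, 15), None),
    PatchRecord("db-01", "VENDOR-2024-0003", date(2024, 1, 15), None),
    PatchRecord("app-01", "VENDOR-2024-0004", date(2024, 2, 20), None),
]


def evaluate(records, exceptions=RISK_ACCEPTED, today=date(2024, 3, 1)):
    """Classify each record as compliant, excepted, pending or breach.

    compliant: installed on or before release + SLA_DAYS
    excepted:  not installed, but a documented risk acceptance exists
    pending:   not installed and the SLA deadline has not yet passed
    breach:    installed late, or not installed with no justification
    """
    report = {"compliant": [], "excepted": [], "pending": [], "breach": []}
    for r in records:
        deadline = r.released + timedelta(days=SLA_DAYS)
        if r.installed is not None:
            # A late install is a breach even if an exception was documented;
            # the exception only justifies leaving a patch unapplied.
            bucket = "compliant" if r.installed <= deadline else "breach"
        elif r.patch_id in exceptions:
            bucket = "excepted"
        elif today <= deadline:
            bucket = "pending"
        else:
            bucket = "breach"
        report[bucket].append(r)
    return report


def compliance_rate(report):
    """Share of due patches that were applied on time or formally excepted.

    Pending patches are excluded: they are not yet due, so they neither
    help nor hurt the answer to the questionnaire.
    """
    due = len(report["compliant"]) + len(report["excepted"]) + len(report["breach"])
    if due == 0:
        return 1.0
    return (len(report["compliant"]) + len(report["excepted"])) / due


if __name__ == "__main__":
    result = evaluate(SAMPLE)
    for bucket, items in result.items():
        for r in items:
            note = RISK_ACCEPTED.get(r.patch_id, "")
            print(f"{bucket:10} {r.host:8} {r.patch_id} {note}")
    print(f"compliance rate for due patches: {compliance_rate(result):.0%}")
```

Feeding this the output of a real patch-management tool turns the questionnaire answer into something an auditor can check: the "breach" list is the gap an insurer will ask about, and the "excepted" list is the documentation that keeps a deliberate decision not to patch from being scored as negligence.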
Qualification for cyber attack coverage is being carefully assessed, and potentially denied, based on the answers prospective and current customers give to comprehensive security questionnaires. With a home insurance policy, responding ‘no’ to specific questions can bump up your premium. With cyber insurance, answering ‘no’ to specific questions means you do not get the insurance at all. It might be no surprise, then, that some of the biggest insurance providers approve less than 5% of applicants, leaving the remaining 95% without the insurance they need. That tiny percentage must also remain compliant all year round, which is hard to achieve under continuous and stringent assessment.
What Are the Solutions?
To overcome the challenges organisations face getting cyber insurance, they first need to understand what is in the fine print of the cyber insurance they are signing up for and the specific incidents it will cover.
One solution is seeking advice and consultancy from cyber security experts to find out which weaknesses you need to address, what gaps need to be filled, and what each criterion actually means. Once this is understood, most organisations will find it too hard and too expensive to meet the requirements themselves. It is cheaper, quicker and more effective to use an expert cyber specialist company that provides security as a service. In this way, organisations get immediate assistance, can be walked through how to configure their existing technology, and receive help using features they were not initially aware of, so they can confidently answer the insurance provider’s questions and become more secure.
The cyber insurance process can be daunting for several reasons, but an expert consultant can identify the easiest and cheapest way to conform and then help implement the solution. An additional benefit is achieving certifications such as Cyber Essentials (CES), Cyber Essentials Plus (CES+) and PCI DSS along the way, by identifying where you already meet the requirements or where you will once the changes are made.
The Future Of Cyber Insurance
The cyber security landscape is in flux and will continue to change as new, more capable threats arise and businesses look to counteract them. CISOs will always be under pressure from the industry, customers and the board as they try to justify the large sums they have to spend to keep their organisations safe.
Typically, prompting the board to pay attention to the latest cyber threats is a challenge. There are always new threats on the horizon, and their constant cadence means that warnings can fall on deaf ears. However, if a CISO approaches the board to say the company’s application for cyber insurance has been rejected, they will likely be spurred into action. No cyber insurance means no financial coverage if the worst happens, and that cannot be ignored.
For these reasons, a whole new market is evolving around cyber insurance. Organisations are looking for ways not only to insure but also to verify continuously that they are taking the correct hygiene measures, with systems akin to the black box telematics used in car insurance. New start-ups and products are also emerging to help customers get the insurance they need.
The reinsurance industry is also uniquely poised to help the cyber insurance sector navigate the current threat environment through insurance-linked securities (ILS). ILS funds representing nearly $60 billion in assets under management (AuM) are reportedly interested in providing cyber reinsurance protection, and eight of those funds, representing $41 billion in AuM, would like to provide cyber reinsurance this year. With reinsurers able to secure retrocession (reinsurance for reinsurers), they should be able to deploy more capital to the insurers they support, which in turn will enable a return to growth in the cyber insurance market.