Cyber insurance providers are at a crossroads. The unknown risks of cyberattacks are complicating the market and endangering the profitability of insurance companies. And while insurance companies work to better quantify cyber-related risks and costs, premiums will increase for their clients.
The White House held a summit last week, bringing together leaders in big tech, critical infrastructure and insurance to address creating a more secure business landscape. For leaders in the insurance space, incentives are the future.
When industry leaders met with President Joe Biden, various takes of the same view were repeated, according to Vishaal Hariprasad, CEO of Resilience, who attended last week's summit. What the government and industry want is a middle ground between mandates and guidelines.
"Are there clear standards and do we all agree to what those are?" he said. "Can the insurance world just consistently provide or reinforce that optional behavior?"
Rather than crafting new laws or regulations, the summit focused on what voluntary tools and incentives would motivate cybersecurity improvements.
"The president asked me specifically, 'How can insurance drive better cyber resilience for the nation?' And my response was pretty clear," said Hariprasad. Industry needs three things, he said:
- Clarity: Be clear with the expectations of cybersecurity standards
- Actionability: Do not give organizations a checklist of controls or standards, make an actionable list
- Incentive: Offer companies something in return for engaging with new standards of behavior and checklists
"We don't want to turn our clients into victims because they weren't properly prepared," said Hariprasad. But likewise, if a client's security posture is below the threshold of preferred security standards, "your ransom payments will be significantly sublimited from an insurance perspective," for example.
Following the summit, a number of cyber insurers made promises to help create standards and support ongoing efforts to improve security. Resilience pledged to make policyholders meet a "threshold of cybersecurity best practices" before they are accepted for coverage, according to the White House's fact sheet from the event. Coalition intends to make its risk assessment and continuous monitoring platform available free of charge.
For Hariprasad, the White House meeting showed a willingness to address gaps in cybersecurity without mandates. The leaders want to find opportunities to improve without an all-or-nothing strategy. "I don't think it's a black and white, where you're either insurable or you're not insurable," he said.
But insurance could give companies more perspective on their risk, allowing them to adjust their security controls. Higher standards of cybersecurity are needed to balance the cost for insurance companies and their clients — profitability and premiums.
The private and public sectors know there is an undeniable need for cyber insurance, evidenced by its increased adoption. At insurer Marsh McLennan, 47% of existing clients elected to take up cyber insurance policies last year, up from 26% in 2016, according to a report by the Government Accountability Office (GAO), released in May, with adoption dominated by healthcare and education.
Prior to 2020, "most organizations were buying insurance, although I think most didn't really have a clear view of what coverage they needed or what they were getting," said John Livingston, CEO of Verve Industrial Protection. "I think what's happening is awareness of the risk is growing at the same time the rates are increasing."
Cyber insurance pricing increased by an average of 32% year over year in June 2021, according to a report from Howden. As a partial result, insurers are "demanding more from businesses' cyber resilience and are only willing to deploy capacity if they are satisfied by the strength of companies' risk management frameworks," the report said.
The more willing a company is to upgrade and engage with higher security standards, the higher limits their insurance provider will give them. "And if you're not fully there, then you'll just qualify for lower limits or sublimits until you achieve that level of maturity," said Hariprasad.
Improving on security basics, including multifactor authentication, endpoint detection and response, threat hunting, and network segmentation are a good start. Yet, there's no clear formula for how spending on cybersecurity tools correlates to a company's resilience.
A company will unknowingly send a red flag to a possible insurer if they show an unwillingness to update and engage, said Hariprasad.
It's not necessarily the technology; "ransomware is a symptom, not a cause," he said. "None of these topics are end-all-be-all, and if all you focus on are the symptoms, you'll never get to the cause."
Insurers can use available data from security providers to translate the information into cost containment, but it's still an imperfect science. The question that remains is the impact on insurers from other organizations in the value chain, said Livingston. For example, consider the losses Colonial Pipeline's partners accrued during the pipeline shutdown in May.
Though standalone cyber claims have eclipsed cyber policies in packages for a while, insurers are trying to protect themselves from "silent cyber exposure," or losses related to a cyberattack, including stalled business operations, said A.M. Best. If a policy does not make coverage conditional to cyber events, the policy is liable for those losses "even though that was never the intent of the policy," the report said.
According to Markets and Markets' cyber insurance market report, insurance typically covers the following:
- Network security liability
- Data privacy liability
- Operating expenses related to incident recovery
- Extortion payments in ransomware
- Money loss due to interim business disruptions during an incident
- Costs related to replacing or restoring lost or destroyed data
Mechanisms traditional insurance providers offer do not always translate to cyber. For example, insurers typically have individual subrogation, or a benefit to the policyholder where the insurer seeks reimbursement from the third party responsible for the incident. It's a term used in other types of insurance coverage, like auto, but not yet ransomware, according to the Ransomware Task Force.