This year saw some important geopolitical developments that have led to some equally significant changes within the cyber insurance market.
Here’s a quick list:
- Increased damages: IBM’s 2022 Cost of a Data Breach Report reported the average cost of a data breach increasing to $9.44 million in the U.S. A separate report from Palo Alto Networks Unit 42 showed the average ransom payment increased 82% from 2020 to 2021.
- Increased loss ratios: Higher damages result in higher payments. Fitch Ratings reports that insurance payouts on claims compared to premiums (direct loss ratio) have increased from 34% of premiums in 2018 to 65% of premiums in 2021.
- Higher cyber insurance premiums: Increased damages and payouts require insurers to charge higher premiums. Insurance broker Marsh's cyber practice found insurance prices increased 133% in the fourth quarter of 2021. This year was not much better, rising 110% in the first quarter and 79% in the second quarter. In the UK, Marsh reported that premiums increased for greater than 90% of clients during this period.
- Decreased coverage: Lloyd’s of London announced in August that its insurance policies will no longer cover nation state-backed cyberattacks. Lloyd’s left unsaid how it will determine attribution. Was the attack "state-conducted"? Was it "state-sponsored"? Was it "state-inspired"? Or was it simply a criminal organization piggybacking on an existing conflict for financial gain?
The notion of insuring away cyber risk has now become, and arguably always was, somewhat unrealistic. With premiums rising and insurers' prerequisites and policy exclusions multiplying, the actual scope of what’s covered has also rapidly narrowed.
Insurers' side of the story
There has been much debate around the actions of Lloyd’s of London, but companies must understand that the insurers are acting rationally. The costs of data breaches continue to rise, and insurers cannot take on additional risk without increasing premiums. Insurance companies are also heightening their due diligence of potential clients’ security practices. Pre-cover activities that were once little more than form-filling exercises now resemble a security audit, with corresponding evidence requirements and walk-throughs. In some cases insurers place technology within customers' environments to assess the risk programmatically, much like the telematics boxes seen in the motor insurance sector. In short, insurers have become more rigorous in their assessment of their customers’ cyber risk. An organization with poor security controls presents greater risk than one with a mature security program and as such will generally pay more.
Organizations looking to maintain their coverage while minimizing premiums need to present evidence that they are taking appropriate steps to protect the assets targeted by attackers: data that attackers can use for identity theft, financial gain, or competitive advantage. Unlike home insurance, where mitigations such as enhanced door locks and smoke alarms are installed once and checked at a single point in time, cyber insurers are looking for evidence of ongoing security controls and processes.
The World Economic Forum found that 95% of cybersecurity incidents occur as a result of human error: actions by users that were taken incorrectly or inadvertently. The work from home (WFH) movement sparked by the pandemic has likely exacerbated this, as users work outside the protective umbrella of the corporate network. Such a disconnect from direct corporate life can also bring a rise in the use of non-sanctioned applications and devices. These users are not necessarily malicious, and many are just trying to perform their roles in less than ideal situations. This, however, does not make their actions any less risky.
Insurers are also looking at infrastructure security. A misconfigured cloud storage bucket can expose sensitive data to anyone looking for it; this happens even at mature organizations like Microsoft. From an insurer’s point of view, the focus is on what the company actually does to identify and mitigate threats and protect its data.
What can companies do?
So how can organizations stave off high cybersecurity premiums? Guardrails and evidence. Insurers want the visibility to understand the real cybersecurity posture of a policy holder and how that may change or improve over time. Mature organizations will proactively take steps to place guardrails around their data and processes to ensure that the risk of data compromise is minimized. This is achieved in a number of ways:
- Visibility: Cybersecurity insurers are focused on the data. If an organization lacks visibility into how its data gets accessed, moved and used, there’s no way for an insurer to be confident the data has been protected from adversaries looking to launch ransomware attacks or exfiltrate the data through any other attack vector.
- Training: A company’s security posture is only as good as the people and talent defending it. Having an incident-based training program in place ensures that the people component of the equation is covered in the event of an attack.
- Understanding the data journey: Most organizations have little understanding of where sensitive data resides within their environment, leaving an opening for attackers to access this data without anyone knowing.
- Reportability: If a company can’t report on the progress of these pieces to the cyber insurance provider and show movement or improvement, there’s little prospect of decreasing premiums. Sadly, there’s often a nuanced difference between doing the right things and evidencing that the right things have been done.
The cyber insurance market and models will continue to evolve. Treating security as a “tick box” will not provide acceptable controls in an increasingly stringent market. Smart organizations can mitigate risk, minimize premiums, and maximize cyber insurance coverage by proactively addressing the security of sensitive information.
Chris Denbigh-White, global director of customer success, Next DLP