The cyber insurance market has been valued at roughly $12 billion and could triple to more than $29 billion by 2027. Cyber insurance, unlike automobile and some other forms of insurance, has not yet been made mandatory, but it’s set to become indispensable to companies involved in merger or partnership negotiations, or in raising money from investors.
Buying the right cybersecurity coverage has become a matter of urgent discussion for CISOs, CEOs and CFOs as a way to navigate what has become a potential minefield. Cyber risk assessment is a relatively new science, as stand-alone cyber insurance policies have only existed since around 2015. Before that, organizations had largely depended on conventional policies to cover cyber breaches. But this strategy was called into question in the wake of the 2017 NotPetya attacks, when some claims were denied on the grounds that the cyberattacks had been initiated by bad actors allegedly backed by nation-states. The NotPetya attacks were regarded as acts of war and were excluded from existing policy coverage against cyberattacks. Cyber insurers frequently dispute claims if the incident does not fall precisely within the stated terms of the policy.
Given the escalation in supply chain and watering hole attacks, third-party cyber insurance coverage has become essential for any company hoping to maintain cordial relations with its customers and suppliers after a significant cyber breach. The escalation in ransomware attacks over the past 18 months and the growing professionalism of gangs, such as LockBit has also forced many companies to consider buying first-party coverage to insure themselves against the potentially devastating impact of an efficiently-executed ransomware attack.
First-party cyber insurance typically covers direct damages in the aftermath of an attack, such as: paying for breach notifications, credit monitoring or specialised consultants. But companies should also broaden the terms of coverage to include network cybersecurity insurance to compensate for data breaches, ransomware attacks or other malware infections. These events can result in multiple and often unforeseen costs, including restoring data, conducting IT forensics, hiring lawyers and employing PR firms to remediate the damage done to the company’s brand image or shareholder value.
The specific terms and the extent of the coverage offered can differ widely from one policy agreement to another. Because it’s difficult to quantify cyber risk in precise terms, insurers increasingly demand that policy holders meet strict criteria, narrowing their own risk by making insurance coverage contingent upon meeting certain minimum specific cybersecurity requirements.
The wording of such a contract presents a potential minefield for the unwary because the insurers are not themselves cybersecurity experts and frequently specify cybersecurity requirements that can have the opposite effect from the one desired. Rather than securing the organization, reducing its freedom of choice regarding future technologies and vendors can inhibit ongoing security.
Common stipulated requirements include having firm written security policies, using multi-factor identification, encrypting and backing-up data, installing anti-virus software and firewalls and other basic precautions. Some go much further, even tying policy into specific cybersecurity products and vendors. This becomes particularly dangerous for small-to-medium sized organizations (SMEs) that may lack either the necessary legal negotiating skills or possess insufficient knowledge of the changing face of the threat landscape in-house to ensure a workable contract.
There are some important steps to securing effective cyber insurance. The process must always begin with a thorough evaluation of the company’s entire attack surface, including mobile device and third-party suppliers. Second, gauge the company’s defensive strength to assess cyber risk. Third, assess risks to third parties, such as customers, vendors, and partners. It’s often hard to assess accurately because a third-party organization’s risk factor can be far more significant than initially apparent. Companies should consider third-party risk assessment as an ongoing policy because any new third-party must also be vetted; this also includes any insurance company with whom the company is in negotiations.
The cyber insurance market offers a wide range of choices, but it’s often particularly confusing for SMEs. Companies should begin by trying to identify precisely what their ideal policy would look like and solicit quotes from a range of insurers. They should then go over the small print of each policy with a fine-tooth comb before selecting the most appropriate one, remembering that it’s far better to delay coverage than go with the wrong coverage.
Finally, automate and streamline cybersecurity wherever appropriate, preferably relying on only a single security consultant where possible, as this can make it simpler to qualify for cyber insurance policies. Along with lowering the likelihood of a successful breach, automation can also secure competitive rates by putting as many defenses as possible on automatic rather than increasing the potential risk from human error.
Bruno Darmon, president, Cynet