The challenges of cyber insurance

Learn about the challenges of cyber insurance and how to keep premiums at a minimum.

Cyber insurance has quickly become one of the hot topics when attending events, meeting with clients and taking part in roundtable discussions. With the prospect of cyber insurance premiums rocketing, or even a loss of cyber insurance altogether, combined with a more rigorous underwriting process, how can organisations tackle this challenge head on and keep premiums at a minimum?

Below we take a look at the changes that are taking place to cyber insurance cover, the challenge that insurers have, the reasons why insurers are clamping down, and what actions can be taken to maintain cyber insurance at a level that represents the needs of the business whilst maintaining cyber resilience on an ongoing basis.

Why do companies get cyber insurance?

Cyber liability cover has been around for a few decades, but has become more prevalent in the last 5-10 years, and its uptake has certainly been accelerated in recent years following the change in working environments brought about by the pandemic. Whilst many organisations moved swiftly to enable remote working, with many budgets being stretched to do so, security investment was not always at the level required. We saw many home workers operating over the same internet connection as their partners, housemates and children. There was a considerable increase in data breaches during 2020, with some 36 billion records exposed in the first half of 2020 alone. According to the DCMS Cyber Security Breaches Survey 2022, 83% of all identified attacks in 2021 were phishing, although there have been plenty of other notable attacks in the headlines, such as the SolarWinds Sunburst attack and the more recent Kaseya incident.

Cybercriminals are also exploiting vulnerabilities more often, because patching is not being performed in a timely manner, and is sometimes not picked up at all, due to a lack of time and skills. What we do know is that cyber criminals are becoming more organised and sophisticated, using the latest techniques and tools, which is increasing their success rates.

We have all read the stories about organisations that have been fined following data breaches, and these stories are not going away as the cyber threat constantly evolves. The short-term and long-term costs of investigating and recovering from a breach are costs that organisations look to mitigate, so investing in cyber insurance cover has become essential.

The challenges of cyber insurance

The challenge with cyber insurance is that the severity, sophistication and frequency of cyber attacks is increasing, which has pushed cyber insurance policies to breaking point, making it increasingly expensive for insurance providers to honour, and even more challenging for policy seekers to either obtain or maintain.

The challenge across the insurance world is that there is no industry standard method of measuring cyber risk, and as such assessing risk appetite is difficult. The key points to note around cyber insurance challenges are:

  • Lack of experience with cyber incidents.
  • Confusion around premiums.
  • Accumulated risk.
  • Threat metrics and coverage types.
  • Governance challenges.
  • Quantification and limitation of the loss.

How is cyber insurance changing?

In the past, insurance has been considered by many organisations to be a viable and more cost-effective alternative to implementing proactive measures to prevent and protect against potential attacks. In the years leading up to the pandemic, although attacks existed, the losses suffered by insurers, although high, were at acceptable levels. According to a June 2021 report by S&P Global, despite premiums growing by double digits in 2020, the loss ratio (total value of losses divided by total value of premiums) continued to climb by more than 25% year on year, reaching 72.8% by the end of 2020. To combat this, the insurance market reacted by increasing premiums upwards of 50%, and in some cases renewal quotes increased by closer to 100%, often with a reduction in the total liability cover. According to recent research by global insurance firm Marsh, the year-on-year premium increase peaked at 133% in December 2021 and fell back to 90% in April 2022, driven mainly by the increase in policies being sold to new buyers.

The reality is that while cyber insurance presents a significant market opportunity for the insurance industry as a whole, the industry is not willing to write policies at any cost. As we have seen to date, one option is to increase premiums and reduce cover; the alternative is to take a more drastic approach, such as that taken by reinsurance giant Swiss Re, which in June 2022 stated that it would be biding its time before increasing its appetite for cyber risk, with Chief Underwriting Officer Thierry Leger stating that he believes “this type of risk is only partly insurable”.

What is therefore becoming increasingly evident is that selecting insurance alone as the sole method of protection for a business is no longer an option. Businesses need to put the appropriate processes and controls in place before an insurer will consider underwriting the risk. Moreover, increasing premiums as a measure to offset expected losses is also no longer considered to be sufficient. Consequently, insurers are becoming much more selective in the policies they will write, and typically that requires businesses to take proactive action themselves; otherwise it is likely that the business will be refused cover. This is much the same as a business being unlikely to obtain fire cover if it does not implement adequate fire suppression measures in the first place.

What can organisations do to obtain cyber insurance?

What we do understand is that there are ways for organisations to help themselves when it comes to obtaining or maintaining cyber insurance, and that is through much improved cyber security. This means being able to demonstrate to underwriters the exact controls that are in place, and working with specialist cyber security third parties who can assist both in improving cyber resilience and in demonstrating and validating the controls that have been deployed.

How to keep premiums at a minimum?

Whether you are looking for your first cyber insurance policy or have a renewal coming up, underwriters will be asking more questions about your current cyber security position, and if you do not meet the requirements then you can expect your premiums to be significantly higher than those who do, or you may even be refused a policy entirely. Insurers are now asking a number of additional questions about the security measures currently in place and the processes that support cyber resilience.

Experts at norm. are constantly speaking with and helping new prospects, clients and partners about cyber insurance and the process they have had to go through in order to obtain their policies. Insurance providers are now requiring that some minimum basic controls be in place before an organisation is considered for a policy. Insurers are also providing feedback and advising on some ‘best practice’ measures that, if implemented, would keep the premium of the policy as low as possible and allow the business to obtain or retain cover.

Typical minimum basic controls that insurers are requesting businesses to implement include:

  • Multi-factor authentication
  • End Point Detection and Response solutions
  • Continuous and comprehensive vulnerability management and patching processes
  • Segmentation of systems
  • Offline or isolated backups
  • Documented and Tested Incident Response plans
  • Email Security
  • More regular staff cyber awareness training
  • Supplier information security evaluation processes

Best practice measures:

  • Proactive Log monitoring and analysis by independent experts who can identify, alert and respond rapidly to suspicious or potentially malicious behaviour.
  • Privileged Access (System Administrator) Management
  • Data Encryption
  • Regular Penetration Testing
  • Recognised Information Security certification such as ISO27001 or as a minimum Cyber Essentials PLUS.

Depending on the industry segment that your business operates in, without the above measures in place it is quite likely that obtaining cyber insurance will be much more challenging. Therefore, before seeking to obtain cyber insurance, organisations need to consider implementing the above measures as a priority. Zurich covered this specific point in its September 2021 article, Cyber Resilience before Cyber Insurance.

What is Cyber Resilience?

Cyber resilience is viewed in the industry across three key pillars:

Process – Do you have the right processes, for example Cyber Essentials Plus and ISO27001 certification?

People – Are you regularly training your employees to make them the strongest first line of defence for your organisation and ensuring that they are confident and competent when it comes to cyber protection?

Technology – Have you invested in the technologies that can see where your vulnerabilities are at any given moment, can spot an emerging threat within your environment, and have access to global intelligence on any emerging threats that may affect your environment?

And the final piece of resilience is making sure you have the cyber-specific skills and capabilities to monitor, manage and respond to all of this 24x7x365.

Much like a cyber criminal’s methods of entry, cyber insurance is having to evolve to deal with the ever-changing cyber threat landscape. Cyber insurance is no longer, and in our opinion never was, a substitute for a solid cyber security strategy. Instead, basic cyber hygiene is now a precursor to even being able to take out a cyber insurance policy. Therefore, organisations should look at adopting cyber security best practice and instilling a sound cyber security strategy in order to (a) keep the organisation, its assets and its data safe and (b) obtain cyber insurance to help minimise the financial impact in the event that the inevitable happens.

Check out our Cyber Readiness Tool for a free GAP analysis report to find out if your cyber defences could be improved.
Start your journey to complete peace of mind today.

Smartbloc. from norm. is the award-winning managed cyber security service that contains all of the measures that satisfy the requirements of cyber insurance providers. It contains all of the measures required to address people, process and technology, comes with the support of a Customer Experience Team and a 24×7 eyes-on-screen Security Operations Centre to help manage the outputs, and includes complimentary access to smartbloc. LIVE, norm.’s near-real-time online visualiser that contains your unique Cyber Resilience Score to help measure success.