Cyber insurance failing to live up to expectations

A RUSI paper finds that the contribution of the insurance sector to improving cyber security practice is ‘more limited than policymakers and businesses might hope’, and recommends government and industry action.

Key findings

• To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organizations’ cyber security practices.
• However, insurers are increasingly providing cyber security services that could address this.
• A potentially insurmountable challenge for the insurance industry is the inability to collect and analyse reliable cyber risk data. Without this, there are significant questions around the insurability of cyber risk.
• Ransomware has become an existential threat for some insurers. At a time of mounting losses and rising public criticism, the paper argues for a reset in the industry.

Identified along climate change and pandemics as ‘one of the most challenging risks facing societies in the next five years’ by the World Economic Forum, cybercrime is a complex, rapidly growing and severe threat to both government and business. In 2020, cybercrime costs the world economy more than $1 trillion.

This rise is taking place at a time of rapid change in the online environment as organizations seek to digitalise, increase connectivity and accommodate increased remote working, heightening the need for protection. With both national infrastructure and economic security at risk, ‘one tool that has gained traction is cyber insurance’.

Not only is cyber insurance seen as a way for organizations to reduce the impact of cybercrime by transferring financial risk to insurers, but, as the market grows and matures, cyber insurers are seen as potentially able to fulfil the role played by insurers in other industries.

Being “well placed to incentivise better cyber security practices… they can reward ‘good’ risk management”, or offer financial benefits and specialist knowledge to organizations implementing higher security controls or standards.

The insurance industry must overcome significant challenges

However, the report concludes that if cyber insurance is to have the desired impact, the ‘insurance industry must overcome significant challenges’.

Based on interviews and workshops with experts across the insurance and cyber security industries, government, academia, the paper identifies an insurance industry that is not only struggling to understand cyber risk itself, but that it is ‘struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling’.

Without data, insurers and reinsurers are unable to accurately assess an organization’s risk or security practices and so cannot price policy premiums accordingly. In addition, the cyber insurance market is yet to embrace use of financial incentives or impose security obligations to improve the cyber security practices of policyholders.

As a result, while some cyber insurers are beginning to move in the right direction, the industry is still struggling to transit from theory into practice when it comes to incentivising cyber security.

In fact, the reverse may be taking place. The paper notes that ‘cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals’ and in doing so are ‘incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities’. The losses from ransomware have also contributed to some insurers leaving the market.

Due to these shortcomings, the impact of cyber insurance to the goal of improving cyber security practices is ‘more limited than policymakers and businesses might hope’.

Recommendations for cyber insurance providers

• Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for SMEs.
• Cyber insurance carriers should explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to internal sources of data.
• The Cabinet Office and Crown Commercial Service should develop a policy and legal framework to mandate cyber insurance coverage for all government suppliers and vendors.
• The National Security Secretariat should conduct an urgent policy review into the feasibility and suitability of outlawing ransom payments.
• The NCSC, the NCA and insurance industry stakeholders should leverage existing public–private partnership models for combating cyber threats and financial crime, and establish a dedicated information-sharing partnership to exchange anonymised threat intelligence and ransom payment data.
• Insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify the NCA and the NCSC in the event of an attack and before a ransom is paid.
• The insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on threat intelligence and insurers’ claims data.