How has the rise in ransomware changed the way insurers offer their services?
Cyber insurance has been around since the 1990s and is viewed much differently since ransomware started growing and making headlines every day. Insurance companies used to employ cash-flow underwriting on cyber policies, meaning that they would take on a lot of policies just to pad their books of business with premiums. As a result, enterprises would often get blanket cyber coverage for a relatively good price – at least compared to today’s standards. Ransomware has largely struck fear in insurers, and they have reduced coverage significantly and are raising premiums. Some even consider excluding it altogether.
Insurers offering cyber coverage are asking more diligent questions about enterprise risk posture and adding more exclusions. This eliminates coverage for certain acts, property, types of damage or locations. Insurers are also trying hard to diversify their books of business so that a single ransomware attack on a third-party provider doesn’t drive catastrophic losses. Imagine being an insurance company that had many insureds with SolarWinds software during that attack. The financial loss of a catastrophic event can be so large that an insurer may be collecting premiums for 10 years only to have one attack wipe out all those profits.
How has this strategy change impacted organizations who look to insure their assets?
It puts organizations in a very difficult position. At the same time they feel more vulnerable to a ransomware attack than ever before, insurers are pulling back to the point where cyber insurance is more expensive than it used to be and thus demands clearer justification of the investment for most companies, and policies that cover a broad range of cyber incidents are scarcer. This means enterprises really need to quantify their cyber risk and understand the true potential impact on their organization. Only then can they consider spending more in risk mitigation versus risk transfer. CISOs, Boards of Directors, and the rest of the C-suite all need to understand the ideal combination of cyber insurance and risk transfer that will ultimately cost the least amount of money.
Is there a way for insurers and enterprises to meet halfway?
The future lies in a risk/reward mechanism based on continuous monitoring and analysis of organizational cyber risk posture. This isn’t too different from how insurers handle personal auto or homeowners insurance. Many insurers provide discounts to an insured with a good driving history, and to homeowners that make certain renovations such as redoing the roof. It is unlikely cyber insurance will revert to the way it was written and priced prior to the ransomware epidemic, so the onus will be on the enterprises to ensure they can adequately communicate their cybersecurity posture to insurers moving forward.
How did the increased cyber risk change the overall perception within organizations on the importance of a strong security posture?
They are beginning to understand that cyber risk quantification is key for their enterprise risk management as a whole. Quantifying cyber risk means forecasting loss frequency and severity to make cyber risk financing decisions. It wasn’t that long ago when CISOs had to fight tooth and nail to justify their cybersecurity budgets each year. The IT and business sides of the organization are beginning to speak the same language and see cyber risk from a financial perspective. Financial cyber risk quantification will also help these two sides of the business come together and see cyber risk for what it is – an operational expense rather than a technical one. This will be an accelerating trend heading into 2022 and beyond.
What can we expect in 2022? How will the insurance industry adapt to the growing threats?
This diverging trend of insurers tightening their belts on cyber coverage will drive significant adoption of cyber risk quantification as enterprises try to better understand the potential financial impact of cyber attacks on their business over time and to prioritize investments in cybersecurity and cyber insurance. In addition to cyber risk quantification, the mass publicizing of ransomware should make it much easier than in the past for CISOs to secure higher security budgets.
On the insurance side, insurers will invest more in tools for underwriting cyber risk and portfolio management, and in high-end cybersecurity risk mitigation services for their insureds. One thing that could begin to materialize in 2022 is growing cyber insurance regulation to drive standardization. Any progress on this front should help enterprises better understand what’s expected of them in terms of communicating their cyber risk posture and also what they can expect in terms of cyber coverage.