The number of organizations that will be either unable to afford cyber insurance, be declined cover, or experience significant coverage limitations is set to double in 2023, according to Huntsman Security.
Even for those insured, the perfect storm of ongoing attacks, tightening regulations and growing financial pressures is making it more likely that any attack on an organization will leave it exposed.
“Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organizations trying to execute on their cybersecurity strategy. At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour, and capacity constraints are all limiting the accessibility of cyber insurance for many,” commented Peter Woollacott, CEO at Huntsman Security.
“Loss ratios will not improve until premium incomes better match the current level of pay-outs. With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organizations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost,” Woollacott continued.
With a third of UK firms subject to cyber attacks at least once a week, cyber insurance as part of overall risk management is crucial. To bridge this accessibility gap, insurers are seeking to improve the quality of risk information so that premiums better reflect the true cost of that risk. Unless organizations can demonstrate they have insurers’ specified controls in place to manage their security risks, insurers will continue to have difficulty quantifying that risk. It is for these reasons that insurers have changed the basis upon which their products are offered, so that it reflects the risk being underwritten more accurately.
In this environment, improving and demonstrating the effectiveness of security controls will now be essential: both for organizations looking to improve their cyber resilience and oversight while enhancing their eligibility for insurers, and for insurers who need to minimise their own exposure by ensuring the accuracy of their risk pricing process. The controls insurers specify are likely to include:
- Multi-factor authentication
- Endpoint protection
- Restricted administrator privileges
- Patching of operating systems and applications
- Staff awareness
- Regular backups
- Tested business resilience planning
- Disaster recovery planning
Forrester Research, in its “Top Cybersecurity Threats for 2022” report dated April 2022, predicts that as risk information improves, insurers are likely to introduce new underwriting requirements and apply greater scrutiny to risk mitigation and security program maturity. As noted, this is already underway, with insurers undertaking more rigorous underwriting processes. If other lines of insurance are any guide, as organizations start to improve their cyber risk management and oversight, insurers will refine their risk pricing models and reward those organizations that can evidence higher levels of security controls with more favourable insurance costs and terms.
The changing cybersecurity needs of buyers and sellers will undoubtedly result in ongoing recalibration of the insurance market. Cyber risk introduced by third-party suppliers is a case in point.
“Organizations must not just protect themselves but take responsibility to ensure their suppliers, partners and stakeholders are doing the same,” commented Peter Woollacott. “The best way of achieving this is to follow best risk management practice to ensure that your organization employs effective security controls to quickly identify and manage any emerging cyber risk. This will give businesses the best chance of identifying potential cybersecurity weak spots and, if the worst happens, still being able to benefit from a cost-effective cyber insurance policy that funds containment and recovery activities.”
“Right now, the cyber insurance sector is driving security controls worldwide. And even when legislators, regulators and the courts have caught up, it will still be insurers seeking to improve the quality of their risk pricing information that will set security terms. Organizations should ensure they are able to take advantage of any improvement in terms offered by enhancing their security controls and posture.”