Cyber insurance is quickly becoming an unavoidable part of doing business as more organizations accept the inevitability of cyber risk. There is a growing awareness of the need to be prepared for the impact of devastating security incidents such as those caused by ransomware, just as a firm invests in coverage for potential physical threats such as fire or criminal damage.
But while other potential disruptions benefit from stable insurance providers with decades or even centuries of practice behind them, cyber insurance is a nascent field that has proven hard to get a handle on. Even the more experienced stalwarts of the insurance industry have struggled with the task. In many cases, premiums have rapidly increased as providers have become more cautious about being left on the hook for multi-million-dollar breaches.
Accordingly, cyber insurance has become inaccessible for many smaller firms. Research indicates that the number of businesses that cannot afford the cost is set to double.
So, what makes cyber insurance so much more difficult than other forms, and how can businesses afford increasingly steep premiums and access requirements?
Why is cyber so different from other insurance fields?
On the surface, cyber insurance should function much the same as any other form of protection. The risk is assessed based on various known factors, and coverage levels and premiums are worked out based on the likelihood of an incident and its potential severity and impact.
The problem is the sheer complexity of the cyber landscape and the number of variables involved.
Let’s take fire insurance as an example of a field where the variables are extremely well understood – we’ve had a few thousand years of practice in understanding fire, after all. It’s relatively easy for insurers to assess fire safety based on the materials used for construction, precautions such as extinguishers, and other influences like terrain and climate. Where there are changes, they are very visible. I grew up in a forested area of Australia where fire risk has increased, for example.
Cyber is infinitely more complex by comparison, with a nearly unlimited number of variables at play. Individual IT environments are complicated enough but can be effectively analyzed and assessed in the same way as a physical structure.
But the real issue is the swirling, ever-changing chaos of the cyber landscape. A record-breaking 18,439 new vulnerabilities were reported and catalogued by the National Vulnerability Database last year, averaging out at more than 50 new discoveries every day.
Each new software product release or update represents an unknown number of new vulnerabilities and exposures for threat actors to discover, as well as the potential for issues being unearthed with older systems. At the same time, adversaries have become more organized and better able to exploit vulnerabilities. New attack techniques and tools are also constantly emerging. As the cyber mantra goes, we don’t know what we don’t know.
As a result, the cyber landscape is far more difficult to understand and track than any previous business risk. While progress has been made, the insurance industry hasn’t equilibrated the cyber field yet. Providers are still unsure what an acceptable level of risk looks like for their customers, leaving them vulnerable to paying out huge sums through coverage that turned out to be overly generous. Higher premiums with stricter requirements are one result of providers aiming to protect themselves from this risk.
The danger of a two-tier reality
In addition to the cost of the premium itself, there is a growing tendency for more complex policies that make complicated demands of applicants and contain more clauses that will void coverage. For example, firms may need to meet a very strict prescriptive list of security solutions and precautions to qualify for coverage.
This trend risks creating an unequal two-tier system for cyber insurance. While insurance should always be thought of as a final line of defense when everything else has failed, smaller firms will be denied this safety net and be more vulnerable as a result.
If premiums continue to increase, only larger organizations with expansive budgets will be able to afford them. This gives those organizations an effective final line of defense on top of the fact that large corporations can already afford more security solutions and personnel.
As a result, smaller firms that cannot budget for increased premiums will be left even more vulnerable to cyber threats. Criminal gangs will be all too aware that these businesses are not only easier targets, but more likely to cave into disruptive attacks like ransomware or data exfiltration and blackmail because they lack the insurance capital to help them recover.
How can smaller firms increase their chances of gaining cyber insurance?
The cyber insurance market will likely take some time to work itself out as providers determine how they can best keep up with the fast-moving security landscape and protect their own margins from serious incidents.
In the meantime, organizations that want to benefit from the additional protection of insurance coverage will need to focus on meeting higher premiums and more restrictive requirements without expending all their budget. A preventative mindset will go a long way here, along with accounting for threats that may already be within the system.
Efforts should be focused on reducing as much risk exposure as possible with each investment. Ransomware is one of the most high-profile threats right now, and one of the issues that has the insurance industry most on edge. AXA made waves last year as the first major provider to pull out of covering ransomware payments in its policies, but ransomware can be an extremely costly prospect even aside from the demand itself.
Firms that have clearly taken this risk seriously and invested in their ability to detect and mitigate ransomware will have a better chance of appeasing uncertain providers. Key factors here include the ability to identify attacks early and minimize damage through measures like network segmentation.
Likewise, data exfiltration is a serious issue that will be a focal point of many policies. In addition to the impact of data loss, attackers are increasingly doubling up by hitting victims with blackmail demands similar to ransomware. Firms will need to prove they can reliably detect and prevent exfiltration attempts.
Automation is one of the most important assets for achieving these capabilities on a budget. Automating key processes such as access permissions, detection, and response will free up both resources and manpower that can be put back into other valuable activities. When done well, automation can help smaller firms punch well above their weight in terms of their ability to detect and respond to threats.
While a two-tier scenario may be unavoidable, smaller firms can keep up with the right strategy. Concentrating on the biggest risks, along with streamlining and automating processes, will make it more likely they can meet strict policies, as well as being able to budget for higher premiums. And of course, the same actions that meet policy requirements will also reduce a firm’s chances of needing to fall back on the safety net of insurance at all.