Keely Wilkins is an Evangelist with the Office of the CTO as well as a Pre-Sales Security Engineer in Virginia. She has worked in the technology industry for nearly thirty years, holds an MS of Cybersecurity and a variety of certifications. Keely endeavors to find balance among transparency, predictability, and security.

Overview

In this article Keely provides an overview of the evolving cyber insurance requirements and offers a prevention-first strategy to help rebalance risk in favor of security.

Why is cyber insurance suddenly so expensive?

Cyber insurance companies are losing money on cyber policies.

The below statistics were published by the National Association of Insurance Commissioners (NAIC) in the “Report on the Cyber Insurance Market”.

  • Premiums nearly doubled from 2019 to 2021 ($3.3B – $6.5B, 198%)
  • 2021 Loss Ratio for the Top 20 cyber insurers ranged from -0.5% to 130.6%.  The average loss ratio from premiums in 2021 was 66.4%.
  • Data breaches in 2021 outpaced those in the prior year, increasing by 68%.
  • Healthcare data breaches have tripled over the past three years.
  • Supply chain attacks rose by 430% in 2021

Premiums are increasing and coverage is decreasing. The questionnaires that inform underwriters on the insured’s ability to secure their environment have grown and the insurers are denying claims when the root cause of a breach is in direct contrast to what is stated on the questionnaire. For example, if you state on the questionnaire that you use multi-factor authentication (MFA) then you suffer a breach where the root cause is determined to be related to identity AND you don’t have MFA deployed, your claim will likely be denied, your premiums will increase or your coverage may be dropped altogether. This is what we are hearing from business leaders across industries. Insurance requirements are getting stricter and it is forcing organizations to take action.

How did we get to this point?

Technology is a market driven by innovation. It has a high adoption rate, is integral to every industry and government function, and it is constantly pressure tested by criminals.

The gaps in security strategies became evident as the COVID-19 pandemic forced us into a mass remote work situation that few organizations were prepared to support. It also caused many workers to be displaced and ushered in The Great Resignation, during which 47 million workers vacated jobs.

This upheaval created a prime opportunity to launch social-engineering and ransomware campaigns that accelerated the timeline for the inevitable “moment of truth” with cyber insurers. More breaches occurred, more claims were filed, and more payouts were made.

What impact did the global workforce changes have on breaches and cyber crime?

In a May 2022 article Barron’s reported “The global cost of cyber crime topped $6 trillion last year, as the coronavirus pandemic caused online activity to soar”. In comparison, the estimated cost in 2020 was $1 trillion.

Cybersecurity Ventures predicts the “global cyber crime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. This represents the greatest transfer of economic wealth in history…”.

The Top 5 Exploits in 2021, as per Verizon’s annual Data Breach Investigations Report (DBIR) 2022 :

  • Credentials, Phishing, Exploiting vulnerabilities and Botnets
  • Ransomware (up 25% from 2020)
  • Supply Chain (responsible for 62% of system intrusion incidents)
  • Misconfigurations (responsible for 13% of breaches)
  • Human Element (82% of breaches involved the human element)

What are the implications for cyber risk?

The current implications are increased scrutiny for insurers, high premiums, decreased coverage, and increased purchases of disparate security solutions.

Information posted by the Cyber Insurance Academy states that “90% of SMBs do not have an SOC”. Building an SOC (Security Operations Center) is expensive and beyond the financial ability of most SMBs (Small-Medium Businesses).  Despite that, “…in 2023 many insurance companies have stated that they will not provide cyber insurance policies unless the insureds can demonstrate 24/7 monitoring of their network…SMBs will be expected to prove that they have the capabilities to supervise their organization’s network.” This puts the SMBs in a position of either building an SOC they cannot afford or contracting with a MSSP (Managed Security Service Provider) organization to provide the service for them.

Speculative implications of cyber risk include vicarious liability insurance, parametric insurance, rating the insurability of an organization based on claim history, reputation impacts, supply chain pushback due to cyber risk ratings, merger and acquisition delays due to cyber risk ratings, and more.

Per the NAIC report, “underwriters do not believe that buying additional cyber insurance should be used as an instrument to alleviate risk”.  I agree!

A prevention-first security strategy is key to rebalancing security and insurance i.e. prevention and recovery.

What can be done to rebalance our security strategy in favor of threat prevention?

We are in a better position to answer this question now that we know why the cost of cyber insurance has increased, the global events that influence how we conduct business, the impetus for the increased volume and cost of cyber crime, and some of the constraints that must be applied to cyber insurance policies.

Next Steps

1. Start with conversations to define requirements, objectives, and build an action plan.

      • Cyber insurance broker – ask about your policy requirements, parametric insurance and vicarious liability insurance. Get a list of requirements from your insurer and determine which (if any) compensating controls are accepted as a short-term solution.  The Cyber Insurance Academy lists the following as the most common minimum requirements:
        • Zero Trust Architecture
        • Multi-Factor Authentication (MFA)
        • Backups
        • Identity & Access Management (IAM)
        • Privileged Access Management (PAM)
        • Patch Management
      • Cyber security consultants (vendors, partners, consultants, etc.) – work with your technical advisors to build a security strategy that aligns with the objectives of your organization and your insurance requirements.  Adding to the minimum requirements listed above, the cyber security strategy should include:
          • Security Workshop (gap analysis)
          • Email and Collaboration security
          • Extended Detection/Prevention & Response (XPR)
          • Incident Response Plan (IRP)
          • Adherence to compliance requirements

2. Service Contracts

        • Contract services with an Incident Response Team (IRT) to ensure you have an experienced team of certified incident responders to manage security incidents on your behalf.
        • Contract services with a MSSP to ensure your environment is monitored and managed 24/7/365 by certified security engineers
        • Engage a credentialed training firm to deliver cyber security training to staff.

In short, engage your advisors. Determine what needs to be done, identify the best way to meet the requirements, work with service providers and vendors to fill the gaps, and have an actionable Incident Response Plan.

Security is prevention; insurance is recovery. Both are needed, but committing to prevention will lessen the burden of recovery.

References

Article references