Plugging the Discrepancy Between Cyber Insurance Coverage and Actual Risk

One of six 'best practices' highlighted by ESI ThoughtLab in a new report on Driving Cybersecurity Performance is simple: "Make more use of cybersecurity insurance to transfer risk." Use of cyberinsurance is growing, but the insurance industry believes it can be improved.

ESI ThoughtLab surveyed executives in more than 1,000 companies around the world in a report that was sponsored by a range of leading companies, such as Verizon, KnowBe4 and Check Point. It was also sponsored by cyberinsurance firm Cowbell Cyber. Cowbell has extracted and expanded the insurance elements of the ESI ThoughtLab report in relation to SMEs with less than $1 billion in revenue in the U.S.

The first thing to note in Cowbell's report (PDF) is that SMEs are adopting cyberinsurance as part of their resiliency planning at a faster rate (by 65% to 58%) than large enterprises. However, this may partly be because it is a requirement imposed upon them by their customers -- a requirement less likely to affect large enterprises. Thirty-five percent of SMEs buy cyberinsurance for this reason, while another 30% do so because of regulations requiring restitution to individuals and third parties. Whatever the cause, however, these companies are largely satisfied with the ROI of cyberinsurance, with only 3% dissatisfied.

Nevertheless, the figures suggest that 70% of the firms that have adopted cyberinsurance are underinsured. These firms have coverage of less than $1 million where Cowbell suggests the mean cost of a successful cyber-attack is £1.22 million. The industries most at risk of being underinsured are telecom, retail/hospitality, healthcare, and life sciences. Conversely, by the same yardstick, other industries could be considered to be overinsured -- with the media and professional sectors likely to be most overinsured.

The resulting disparity between cost of premium and potential return is part of Cowbell's business argument. "Cowbell is looking at this discrepancy as an opportunity," founder and CEO Jack Kudale told SecurityWeek. "There is a lack of options for small and mid-size enterprises in need of higher limits for cyber insurance. When cyber coverage is delivered as an endorsement to broader policies, limits are too often too low to cover actual cyber incidents. Policyholders might also under-evaluate expenses involved in the response and recovery post-breach. There is a need for greater education, insights and need for standalone products."

One of the biggest problems in correctly aligning insurance cost with insurance coverage is the very nature of cyber insurance. It was originally created as a 'gap filler' to fill in insurance gaps not covered by existing insurance. Stand-alone cyber risk insurance policies are not always available, and accurately aligning actual risk with insurance is complicated when every customer has a different risk exposure.

Cowbell's approach is to use its own AI-based risk detection platform to find and quantify individual customers' risk from inside the company concerned. This enables it to develop a tightly tailored risk-focused stand-alone insurance policy for each customer. "There has been a lot of confusion in the past between what’s actually covered by cyber insurance," comments Kudale. "This is where a standalone cyber policy can bring a lot of clarity with detailed definition of coverages that will prevent and eliminate any dispute on the claim side."

The hidden danger in improved cyber insurance is the potential for unintended consequences. Might security vendors start to develop products designed primarily to please insurers rather than to protect customers? A more common question is whether ransomware insurance (and payment by the insurance company) is actually feeding the ransomware market and driving ransom demands upwards. Finally, is it possible that customers will start to rely more on insurance coverage than on their own security controls, thereby weakening the overall security ecosphere?

Kudale dismisses all of these. He does not believe the first is likely. He also believes that by using Cowbell's risk analysis tool, the likelihood of a successful ransomware attack can be reduced, and the coverage more closely aligned to the risk. "The end goal is not to encourage ransomware attacks," he said, "but to provide incentives to policyholders to strengthen the defense with a thorough risk assessment prior to issuing a cyber policy."

Finally, he does not believe that increased reliance on cyber insurance will decrease reliance on security controls. "Nobody wants to face a cyber incident and have to recover from one," he said. "Quite the opposite, the COVID-19 crisis has only heightened awareness around email spam, ransomware, and the emerging risks of employees working from home."

What he believes, he continued, "is reflected in the buying intentions results of this survey (71% plan to invest more in cyber insurance in the next two years). Cyber insurance buyers are getting educated about the need for better protection. We don’t see them turning away from anything that could help avoid a cyber incident. But with the general understanding that cybersecurity tools will not thwart 100% of attacks, they are turning to cyber insurance to cover resilient risks."

Pleasanton, California-based Cowbell Cyber was founded in January 2019 by Jack Kudale (CEO), Prab Reddy (VP, engineering), Rajeev Gupta (chief product officer), and Trent Cooksley (COO). Its purpose is to map insurable threats and risk exposures to deliver tailored insurance coverage. It emerged from stealth in September 2019.

Related: The Case for Cyber Insurance 

Related: Cyber Insurance Provider Coalition Raises $90 Million 

Related: Zurich Announces New Cyber Insurance for Manufacturing Industry  

Related: Norsk Hydro Receives First Insurance Payout Following Cyberattack 

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.