Cyber Insurance is a work in progress, with many existing customers effectively guinea pigs
The basic problem for the cyber insurance industry is easy to state but hard to solve. Income (premiums) must exceed outgoings (claims) by around 30% (operating costs + profit). If claims increase, so must premiums for the insurance model to remain viable.
But the cost of cybercrime is rising dramatically and has been doing so consistently for many years. Continually increasing premiums to counter continuously increasing claims is ultimately unsustainable. Sooner or later, the cost of insurance will make it too expensive to be an effective form of risk management for business. The insurance industry must therefore find an alternative method of balancing its books if it is to succeed.
There is a potential solution. Decreasing costs (claims) improves the profit/loss ratio much faster than increasing sales (premiums). This is the area now being considered by the insurance industry. First, costs can be reduced by increasing exclusions in the insurance policy – but that decreases the value of insurance as a risk management tool, and there is a finite limit to its use. Second, if the customers’ security posture can be improved sufficiently to reduce claims, then the cost of insurance can also decrease (or at least be maintained at current levels).
The current cyber insurance problem
According to Moody’s research (October 19, 2021), “The proliferation of ransomware attacks has driven up losses for cyber insurance policies, and losses will likely increase in 2021 for insurers. Although insurers had been gradually raising cyber insurance pricing, rate increases began to accelerate in 2021 in response to ransomware trends, with double-digit rating increases across the board for coverage. Insurers have also reduced policy limits, increased deductibles and tightened terms and conditions, including sublimits or coinsurance, to lower exposure to ransomware.”
Ransomware is the current bête noire for both industry and insurers. But it is not the only threat. Business email compromise (BEC) can also cause large and unpredictable losses – and many researchers believe BEC will expand in 2022 as deepfake technology improves.
In most insurance markets, the insurers have hundreds of years of data on losses and their causes in marine, motor, home and life insurance. The data, as actuarial tables, provide accurate evidence on which to base premiums for individual cases. But there are no such actuarial tables for cyber; and it is unlikely that they can be compiled.
“I don’t think the insurance industry can create cyber security actuarial tables,” commented Chris Reese, head of insurance at Cowbell. “The risk is unpredictable. The threat actors are smart and keep looking for new ways to exploit victims. Yes, we’re getting better, and we have more data – but the loss experience from three years ago is not relevant today. Will the insurance industry get actuarial tables like it has for the motor industry? I don’t see that happening.”
With no history to help, the insurance industry cannot be proactive in setting accurate premiums. It is forced to be reactive – and it is reacting to increased claims by setting higher premiums and insurance conditions. In short, it is becoming more expensive to get insurance, more difficult to renew insurance, and sometimes not possible.
But despite the increasing cost and shrinking coverage of cyber insurance, the market is expanding rapidly. In May 2021, the US Government Accountability Office issued data from global insurance broker Marsh indicating the take-up rate for clients purchasing cyber insurance rose to 47% in 2020 from 26% in 2016, based on all industries.
The primary reason is the continued growth and success of cybercrime. It has been estimated that cybercrime already costs the global economy trillions, and is expected to continue to grow in the years ahead. For the insurance industry to cover increasing claims for a larger market, it will need to do more than repeatedly increase premiums – and the only viable solution is to reduce claims by improving the cyber security of its clients. The question is not whether it will do this, but how it will do it.
Possible routes for the insurance industry
An insurance security standard
The payment card industry operates a security standard (PCI DSS) to which all companies must conform before they are allowed to accept payment by bank cards. One route to improving the insured’s security could be to develop a similar security standard and require conformance.
There is precedent in the motor insurance industry in the UK. Before a driver can insure a motor vehicle, the vehicle must first pass a Ministry of Transport (MoT) designed test, and acquire an MoT Certificate. The insurance is required by law, so the test is also required by law, and the insurance industry benefits.
There is no direct equivalent in the U.S. – but there is generally a requirement for motor insurance to cover third-party liabilities.
There is currently no legal requirement for businesses to carry cyber insurance – but it is not inconceivable that it might happen in the future. The route could be through governments wishing to protect their voters (the consumers) through some form of third-party liability protection backed by insurance.
Insurance required by law would benefit from a worthiness certificate such as the UK’s MoT certificate for motor vehicles. That certificate would effectively allow customers to demand, and insurers provide, lower premiums through proven high security.
Sumedh Thakar, president & CEO at Qualys, thinks something like this could evolve naturally, but stresses that it is too soon to know how it might happen or what it might involve. “Most of the interest in this route seems to be coming from the customer,” he told SecurityWeek. “If I do this and implement that, should I not get a reduction in my premiums? There hasn’t been a lot of work done at the industry level, but I think I can see the basic principle working. You can get cheaper home insurance if you can demonstrate you are protecting the home.”
A potential weakness in a PCI-type standard is that it only requires conformance on the audit day – the company concerned could be out of conformance, and therefore at increased risk of breach, for every other day of the year.
Cowbell’s Reese doesn’t see this as a serious issue. “PCI isn’t required for just one day of the year,” she told SecurityWeek. “The requirement for conformance is for all 365 days. If there is a network security breach and it is due, or potentially due, to a lack of security on behalf of the retailer, then the brand (for PCI, the payment card industry) can withhold the cash. That’s a pretty big stick.” Her argument is that the threat of a declined claim, should a breach be shown to have occurred through non-conformance with the insurance standard, would be enough to ensure that companies maintain continuous compliance.
The question remains: could an insurance security standard reduce insureds’ claims sufficiently to allow the insurance industry to keep premiums at current or lower levels? “PCI has certainly raised the cyber security bar for a lot of companies,” comments Eric Skinner, head of market strategy and corporate development at Trend Micro. “But it hasn’t magically solved the problem. You can pass a PCI audit, and still get breached. The question for the payment card industry is, does it make a breach sufficiently less likely to be worth it?”
Only time will tell if the insurance industry is able to develop, maintain and require conformance to a solid security standard that actually works.
Requiring specific controls
An alternative approach for the insurance industry would be to require different controls for individual clients. This would be more flexible than a single all-encompassing standard since it could vary between different industry verticals depending on the perception of risk. It could also be amended at renewal time or annually as specified in the insurance contract.
A possible concern here is that insurers could become intrusive in their customers’ security posture. “That’s a valid concern,” said Skinner, “because some of it is already happening – the process of cyber insurance influencing cybersecurity has already begun in a somewhat rudimentary fashion.”
He refers to the ubiquitous questionnaire, in this case asking the customer for a statement on its security posture. “Like annual compliance audits,” continued Skinner, “these questionnaires are a snapshot in time – and they ask questions that may or may not result in reduced risk because the insurance industry is still learning about security.”
Nevertheless, these questionnaires are having an influence on cybersecurity postures. “Examples could be, ‘do you have EDR deployed?’ We’re hearing from some insurance brokers that if customers say ‘no’ to this, they run a very high risk of being declined or not renewed.” The problem is that security is not enhanced merely by deploying controls, but by implementing them correctly, using them adequately, and keeping them up to date. None of this can be gauged by a questionnaire. “I’m not sure if such questions are currently delivering the benefits the insurance companies expect.”
The logical extension to enquiring about security postures would be to start insisting on certain controls. This would be a large step too far. To be effective, it would require the insurance company to have the visibility of a CISO, the business understanding of the board, and the purse strings of the CFO within every insured company. This would be far too expensive for the insurer and far too intrusive for the customer. It is, quite simply, a non-runner.
Implementing continuous monitoring
A third approach would be for the insurance industry to base its premiums on recommendations from third-party security scanning companies – such as Qualys, BlueVoyant, ImmuniWeb, Outpost24, SecurityScorecard and many others. This could provide a form of continuous posture monitoring, something missing from both the audited insurance security standard and the questionnaire-based approaches. It also promises to be less intrusive and therefore more acceptable to the customer. The insurance company can simply say: our scans show you are weak in these areas; strengthen them and you will qualify for lower premiums.
The weakness is that most scans see only an external view of the customer’s infrastructure. This view is still valid, because it is the same view the attackers see, and strengthening every visible weakness makes it harder for them to find an entry point.
An evolutionary step up from external monitoring is internal continuous monitoring of the entire infrastructure. This is currently offered by Cowbell, a company that uses an AI engine to scan for posture weaknesses inside the network. The information it returns can be used to strengthen cyber security, but can also allow insurers to make a more intelligent assessment of the premiums necessary to insure individual customers.
In one sense, Cowbell operates as an insurance broker’s assistant. It provides brokers with the information necessary for them to negotiate the best possible premium from among the potential insurers.
The future for the cyber insurance industry
Cyber insurance is still a work in progress, which means that many current customers are effectively guinea pigs. The current model of continuously increasing premiums and exclusions to counterbalance rising claims is unsustainable. But the insurers know this and are actively seeking a realistic solution.
They will eventually succeed. Every party to the process wants the same result: increased security with lower loss to cyber crime.
Vishaal Hariprasad, CEO at Resilience, believes the solution will come with a new relationship between the insured, cyber security, and the insurer. He came into insurance in 2016, having previously been threat intelligence architect at Palo Alto Networks. He was, and is, cyber operations officer at the U.S. Air Force Reserve, and is also (IMA) Director of Operations, 90th COS, 67th Cyberspace Wing.
“In 2016,” he told SecurityWeek, “you could buy a million-dollar cyber insurance policy and they would ask you, do you have your IT person, and did you guys buy a firewall? They never asked is the firewall turned on, because the insurance industry didn’t care back then.”
This is what must change. “Insurers need to know, is your firewall turned on? Is it consistently patched? Are you continuously bringing in the right data feeds? And are you monitoring them?” What is needed is a new cooperative relationship between the insurer and the insured.
For its part, the insurance industry needs to work in lockstep with the standards bodies, the control organizations, and especially with the information sharing groups. “Insurance should be able to leverage that level of information-sharing and standards-gathering and implement them into their policies. And implement them into the holistic risk transfer package, not just insurance, but the loss control and risk engineering services that help that to happen.”
In effect, the insurance company, through relationships with threat information sharing bodies, needs to become a cyber security advisor to its customers. Since both the insured and insurer seek the same end – better cyber security – this could be done in a mutually acceptable rather than officiously intrusive manner.
The key words in Hariprasad’s view of successful cyber insurance are engagement and continuous monitoring: cooperative engagement between the insured and an insurer that fully understands the threat landscape, and continuous monitoring of cyber controls that mitigate threats.
“A lot of folks still think in that old mindset of you set it up once and you forget about it, and just worry about the renewal in a year or two. And I think that’s the danger,” he said.
Cyber insurance and cyber security must learn to work in harmony and not be considered as alternatives to each other. Insurers must become trusted advisors to the board of the insured – and boards must learn to work with the insurer to improve their security hygiene, to improve their cyber security, and to earn the lowest possible premiums.