The hardening of the cyber insurance market is forcing enterprises to come to terms with the impact their cybersecurity posture has on the bottom line, and to view it as more than just an IT issue. As ransomware and other cyberattacks capture daily headlines and wreak havoc, it’s hard to ignore the dependent relationship developing between enterprises and insurers. Insurer hesitancy to take on more cyber risk, together with added coverage limitations and exclusions, leaves enterprises either exposed or paying higher premiums. It’s worth taking a look at what has changed in cyber insurance and how enterprises can adapt to and address these uncertainties.
By Yakir Golan, Co-founder and CEO of Kovrr
How has cyber insurance changed?
When cyber insurance emerged in the 1990s, carriers did what they commonly do before they understand a new market: they engaged in cash flow underwriting to pad their book with premiums and competed by lowering prices. For enterprises, this meant a wide safety net for diverse cyber events at very little cost to the business. Fast forward to 2021. Amid a ransomware epidemic, insurance carriers are tightening the reins: asking more granular and invasive questions, diving deeper into a company’s history, and hitting enterprises with capacity limits, exclusions and sub-limited coverages, all at higher premiums. Fitch Ratings found that direct cyber insurance premiums increased by 22% in 2020, reaching almost $3 billion.
Insurers are reassessing their approach to cyber, and enterprises are becoming hyper-aware of their vulnerability to a cyberattack. According to research by Telia Carrier, 51% of global organizations feel more vulnerable to cyberattacks after COVID-19, with the U.S. and U.K. feeling the most at risk. Insurers are pondering whether there is enough demand and premium to offset devastating cyber catastrophe claims, just when enterprises realize they need coverage more than ever before. There is also regulatory uncertainty over whether insurers may reimburse ransomware payments; if such reimbursements were outlawed, the economics of the cyber insurance business would shift dramatically. One of the challenges insurers face is the perception that there isn’t enough historical data to write cyber risk appropriately. But there are data and correlations that can help them gain a better picture.
How insurers view and write enterprise cyber risk
Insurers are constantly looking to diversify their cyber portfolios and mitigate the chances of large accumulations. If they can stack their book with policies that don’t share hazard characteristics, that’s one way to be careful. This is not so different from the way insurers approach natural catastrophes, such as hurricanes and wildfires, where they broadly write disasters based on regional zones. There are three primary indicators that can help insurers do this successfully with cybersecurity: location, industry sector and company size.
These variables are heavily correlated with cyber risk because of the depth and breadth of third-party relationships in organizations today. It’s no surprise this is a critical area given that some of the largest and most disastrous cyberattacks in recent memory, including SolarWinds and Kaseya, began with third parties and their links to hundreds or thousands of organizations. Companies within a geographic location and industry sector tend to use the same third-party service providers and technologies, naturally leaving them exposed to the same attacks. Organization size is important because it indicates the kinds of technologies used, cyber preparedness, security policies, cybersecurity spending, and the level of sophistication of the cyberattacks the company is likely to face.
Why is this important for enterprises to understand? Besides giving more insight into how insurers look at their business, many of the modeling techniques and data used to inform insurance carriers about cyber risk accumulation can also be used by enterprises to better understand their own financial cyber risk exposure.
How can enterprises understand and adapt to their cybersecurity exposure?
Enterprise cybersecurity posture in the current attack landscape can change moment to moment, and companies must be smarter about how that can financially impact their business, especially because of the limited cyber insurance coverage that is either available or affordable. Thus, organizations must become proactive in understanding their own cyber risk posture in order to identify shortcomings and also be strategic about what parts of their business (and for what type of attacks) insurance is most beneficial. For example, if an organization is investing most of its IT budget in mobile security, but is more susceptible to attacks in its cloud environment, then resource allocation may be misaligned.
Fortunately, cyber risk quantification models can produce analyses that show an enterprise its maximum probable loss, which can be used to understand the business impact and to inform mitigation in specific areas of the business. Three primary forms of data are used in this quantification.
The first is company mapping, the equivalent of a company’s family tree. Understanding parent entities and subsidiaries and how they work together informs the assessment of the whole group. The second type is technographic data, which showcases the technologies, services, and data centers the company relies on. Digital asset data is commonly used to understand the scale of a company’s digital footprint, and thus the magnitude of a cyber event, but diligence data is needed to see the company’s potential exposure to different kinds of cyber events. Since organizations face a constantly evolving attack surface, it’s nearly impossible to gather this data manually. Drawing on consortium data from security rating providers, who hold information on open ports, server configurations, and publicly disclosed security incidents, can fast-track this process. The third type of data is firmographic, which consists of business information about the company. Examples of this data are revenue figures, employee count, business location, industry type and number of customers.
The three types of data are used to estimate the likelihood of the company experiencing a cyber event, and also to estimate the severity such an event would have on the company should it be affected by one. To calculate the likelihood and severity from the data, we use machine learning models that are developed and trained on threat intelligence data that is collected and updated periodically.
None of this matters if the model can’t be simulated hundreds of thousands of times against event scenarios that largely mimic the kind of real-world attacks we are seeing today. That process is required in order to build an accurate statistical model. This is why cyber risk modeling vendors need to update their event catalogs to include evolving attack techniques and the thousands of characteristics of each recent event involving third-party service providers. For example, an event catalog must account for the double and triple ransomware extortion scenarios that have recently emerged. How the catalog is built is unique to each organization, based on its security posture and company intelligence data.
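The likelihood-times-severity simulation the last few paragraphs describe, reduced to a runnable sketch. This is an added illustration, not Kovrr’s model or code: the event catalog, the Poisson frequency and lognormal severity assumptions, and every rate and dollar figure are constructed for the example. It shows how an event catalog (including a heavier-tailed double-extortion entry) is run through many simulated years to produce a loss exceedance curve, from which a maximum probable loss at a chosen return period is read, with a closed-form check on the simulated mean.

```python
"""Frequency/severity Monte Carlo for annual cyber loss.

Added illustration, not a vendor's model: each event type in a small
constructed catalog gets an annual frequency (Poisson) and a severity
distribution (lognormal); many simulated years give a loss exceedance
curve from which a maximum probable loss at a return period is read.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class EventType:
    name: str
    annual_rate: float   # expected events per year (Poisson mean); assumed
    median_loss: float   # USD median of the lognormal severity; assumed
    sigma: float         # lognormal shape, larger = heavier tail; assumed


# Constructed catalog. Double extortion is modelled as the same attack with a
# heavier tail, since the data leak adds notification and regulatory cost.
CATALOG = (
    EventType("business email compromise", 0.30, 120_000, 0.8),
    EventType("ransomware, encryption only", 0.12, 800_000, 1.0),
    EventType("ransomware, double extortion", 0.06, 2_500_000, 1.2),
    EventType("third-party provider outage", 0.20, 300_000, 0.9),
)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplication method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(catalog=CATALOG, years: int = 20_000, seed: int = 1) -> list[float]:
    """One simulated year: draw an event count per type, then a loss per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        total = 0.0
        for ev in catalog:
            for _ in range(poisson(rng, ev.annual_rate)):
                total += rng.lognormvariate(math.log(ev.median_loss), ev.sigma)
        losses.append(total)
    return losses


def loss_at_return_period(losses, return_period_years: float) -> float:
    """Annual loss exceeded about once per `return_period_years`, i.e. the
    (1 - 1/RP) quantile of the simulated years: the PML at that return period."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int((1.0 - 1.0 / return_period_years) * len(ordered)))
    return ordered[idx]


def exceedance_probability(losses, threshold: float) -> float:
    """Share of simulated years whose total loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def expected_annual_loss(losses) -> float:
    return sum(losses) / len(losses)


def analytic_expected_annual_loss(catalog=CATALOG) -> float:
    """Closed form for the same compound model: sum of rate * E[lognormal].
    Used as a sanity check that the simulation has converged."""
    return sum(ev.annual_rate * ev.median_loss * math.exp(ev.sigma ** 2 / 2) for ev in catalog)


if __name__ == "__main__":
    losses = simulate_annual_losses()
    print(f"expected annual loss: {expected_annual_loss(losses):,.0f} "
          f"(analytic {analytic_expected_annual_loss():,.0f})")
    for rp in (2, 10, 100, 250):
        print(f"1-in-{rp}-year loss: {loss_at_return_period(losses, rp):,.0f}")
```

Two things the numbers make visible that the prose does not: the 1-in-100 loss is driven almost entirely by the tail of the heaviest catalog entry, so adding or removing a double-extortion scenario moves the PML far more than it moves the expected annual loss; and an empirical quantile at a long return period rests on very few simulated years (the 1-in-250 figure from 20,000 years is read from about 80 samples), which is why the text insists on hundreds of thousands of runs before trusting the tail.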
Whether enterprises like it or not, an increasingly dangerous attack landscape means they require cyber insurance at a time when it’s hard to secure. Board members, the C-suite and IT departments must work closely together to navigate this burgeoning challenge, because it’s only going to escalate. Introducing an organization to the financial quantification of cyber risk establishes a common language among board members and security and IT staff who historically haven’t seen eye to eye about the impact or importance of cyber risk to their business. Approaching cyber risk management in this way means businesses can make more informed decisions about which gaps in their posture should be mitigated immediately. In the modern world, cyber risk must be viewed as a business risk. Insurers are rightly becoming more careful about the risk they take on, and enterprise executives must likewise become smarter about understanding their own cyber risk and gain a clear view of how specific actions reduce their financial exposure.