We wake up every day to a pattern of record ransoms being paid and record increases in the cost of cyber insurance. The Bloomington School District in Illinois published its cyber-insurance renewal costs and reported a 334% increase in premiums. Businesses have always had to evolve as their opportunities, missions, and risks change, and the cyber insurance industry is no different. In this climate of record ransoms and cyber incidents, the shift in market conditions signals that cyber insurance as we know it is on its way out. While this seems like a bad thing, there is a silver lining in all this.
Mounting Ransom Costs
We are living in the greatest period of data vulnerability in history. There are risks everywhere, and all of them carry significant financial burdens: ransomware, downtime, compliance fines, and data loss. The global pandemic gave threat actors new openings to escalate their attacks and exploit them, causing a dramatic increase in ransomware attacks alone. Amid the shifting security haze of 2020, the consumer GPS company Garmin reportedly paid $10 million in ransom, and the tales of ever-increasing ransoms go on. While the average cost of a data breach now hovers around $4.24 million, organizations routinely find that their insurance covers only about 40 percent of the costs incurred in a cyber incident.
The Trend was Not a Friend
Cyber insurance is built on the careful analysis and management of risk as it exists today. It is hard to imagine a scenario in which the industry is not challenged by the rising frequency and cost of cyber-crime. Reported cyber losses now reach into the billions of dollars, and each month sets a new record. Meanwhile, the historical loss data on which pricing depends keeps shifting as the risks change and escalate. That unpredictability does not work well for the cyber insurance market or for those looking for coverage.
One can reasonably wonder how the cyber insurance industry got this wrong. How did it miss the trend? After all, insurance relies on predictive analytics built on historical data. In this case the historical trend was far from predictive. The calculus was based on a past dominated by small-time hackers and lone wolves looking for a quick hit. In the last two years all of that has changed, and at such a pace that the industry was caught ill-prepared. What is now driving the acceleration in costs, attack volume, and social engineering is well-organized threat groups, many of them operating from countries whose governments either sponsor them or look the other way. For these groups, financial gain sustains the operation, but disrupting the target's operations is also a constant and perhaps primary goal. Attacks on infrastructure, military, and business entities have repeatedly been attributed to foreign states, the SolarWinds compromise discovered in 2020 being the best-known example.
One way of looking at this tells the tale of a dying industry, slammed by rising losses and by insurers' reluctance to keep underwriting cyber liability. It is easy, for example, to draw a straight line from ransomware-related claims to the shrinking capacity across the industry. As it stands, a small number of large losses could exhaust the premiums collected for an entire pool long before the policy period ends. In insurance terms, a pool whose losses cannot be covered by its premiums is an unbearable risk, and such losses are simply not acceptable.
Indemnification and Comprehensive Security to the Rescue
In addition to the array of risks already discussed, one must now ask whether the state of the cyber insurance market is itself a risk to the organization. The stakes are high and the legal conditions are many. New coverage and rising renewal rates are a major concern: premiums are rising by 10 to 20 fold, and that is when a renewal is offered at all. Enterprises are left exposed or have to pay exorbitant premiums. The answer lies in going back to fundamentals and minimizing heavy reliance on cyber insurance through a comprehensive security framework. A comprehensive framework produces better security outcomes and a better posture for the insured. Enterprises can also lean on the indemnification provided by their cybersecurity provider in place of, or alongside, their own cyber insurance coverage, keeping in mind that such indemnification is contractual, is normally capped, and is scoped to the provider's services, so its terms deserve the same scrutiny as a policy. Either way, organizations need to embrace a comprehensive security approach. There is no wiggle room on that.
- Protection means protecting data everywhere, all the time: perimeter controls, malware detection, threat hunting, encryption at rest and in transit, and access control.
- Recovery means virtualized, readily accessible redundancy and restoration of systems for any kind of disaster, including a breach, with backup copies kept out of reach of an intruder who has gained administrative credentials.
- Assurance means an ongoing program of security assessments, compliance checks, and logging across the life cycle of the environment, with verification that the controls relied upon are actually in place and working.
In a challenging threat and cyber-insurance environment, comprehensive security reduces the risk itself and, with it, the dependence on insurance policies whose terms keep tightening.
A New Dawn for Cyber Insurance
Cyber insurance has adapted to these conditions and will keep adapting, and that evolution will include demands for better cyber hygiene and exclusions that shield insurers from paying out when the insured fails to maintain high security standards. We already see this in home insurance, where a security alarm reduces the premium. The cyber insurance industry, while still nascent, will mature in the same way. It has just emerged from two years of nightmare losses and a risk climate it was not equipped to anticipate. Expect specific adaptations ahead, along with an emphasis on better education and improved cybersecurity practices. The rebirth of cyber insurance is in the cards, but it will come in combination with proper, responsible security planning and a comprehensive security strategy.