The 2017 Russian-backed NotPetya attack (1) that affected numerous verticals in over 65 countries worldwide, crippling computers with a worm that prevented systems booting, is a benchmark case showing why cyber insurance is behind the times and needs to evolve. Attributed to the infamous Sandworm group, the attack crippled nearly 80% of cyber installations in Ukraine, besides other countries, racking up over USD 10 billion in bitcoin ransom collections.
By far the biggest cybercrime ever, the attack gained equal notoriety from the insurance fiasco that ensued. Chicago-based Mondelez International, a multinational snack food company manufacturing Oreos and Triscuits, was one of those affected by the attack. Mondelez filed an insurance claim for the losses it incurred, only to have the claim denied by its insurer Zurich, which termed the attack ‘an act of God.’
At a time when nation states were already causing damage in the cyber world, the case showed the cyber insurance industry what it was on many fronts—archaic in its approach to cyber insurance, wanting in its insurance assessment criteria, and inconsistent in its treatment of claims.
What is cybersecurity insurance?
To appreciate exactly where it needs to change, it is necessary to understand what cybersecurity insurance, or cyber liability insurance as it is sometimes called, actually is. Gartner (3) describes it in simple terms as ‘a contract between an insurer and a company to protect against losses that are related to computer or network-based incidents,’ in the form of an insurance policy that can help to minimize business disruption during a cyber incident and its aftermath.
Delinea (2) calls it an insurance policy with an insurance carrier to mitigate a business’s financial risk exposure by offsetting costs related to damages and recovery after a data breach, ransomware attack, or other cybersecurity incident, with the scope extending to the costs of investigations, forensics, compliance fines, lawsuits, and even extortion payments.
As with other businesses, the cyber insurance market comprises brokers, insurers, and re-insurers. Brokers are the intermediaries between customers and insurers, the go-to persons for organizations looking to embark on their cyber insurance journeys. Reinsurers are those who insure the insurance companies, hardly ever interacting with insured organizations.
In its essential form, cybersecurity insurance covers:
- First-party coverage for ‘discovery-triggered’ losses and expenses arising out of a breach or cybersecurity incident
- Third-party coverage for ‘claims made’ when a customer, vendor, partner, or other party sues the insured for failing to prevent a data breach that caused them losses
These are, however, very broad definitions, and policies vary from one insured to another, based on the cyber security posture of the insured, the types of incidents covered, the industry and sector of the insured, organizational insurance needs, and insurance industry practices.
Cyber insurance today is characterized by:
- Self-assessment-based insurance criteria, where the insured answers questions pertaining to its own security posture
- Insurance policies that exclude claims from such now-common events or effects as nation-state cyber attacks, ransomware, and loss of reputation
- Exorbitantly-priced insurance policies
- Insurers who are still on a learning curve, and who are either still recovering from the turn-of-the-decade Covid losses and staggering ransom payouts, or have left the cyber insurance business altogether
The history and evolution of cybersecurity insurance
The start of cyber insurance can be traced back to the late nineties, with Lloyds writing the first cyber insurance policy in the 2000s. That makes the industry a mere two decades old, a far cry from the first insurance policy which covered maritime activities in the 1700s.
Though still very much regarded as being in its infancy, cyber insurance has seen its evolution shaped to a great extent by a few crucial factors. These include:
- Increased digitization that has in turn triggered cyber crimes, which raised the demand for insurance
- Large changes in the volume, nature, sophistication, and magnitude of these cyber crimes including ransomware, which also raised the demand for insurance
- Higher insurance losses due to increased data breach volume, resulting in insurance companies raising insurance premiums
- The introduction of data privacy laws
- The Covid years which saw insurers incur losses as the pandemic took its toll
- An assessment system that relies on self-assessment questionnaires completed by customers, combined with a lack of actuarial data, since the industry has been around for only two decades
- Reluctance on the part of insurers to honor claims for ransomware, nation-state attacks, and loss of reputation arising from data breach
What ails cyber insurance (and where it needs to change)
The unprecedented growth in the digital world and the accompanying increase in cybercrime is widely regarded as the main reason for the increase in the demand for cyber insurance. Still growing, the cyber insurance market is expected to reach USD 27.83 billion by 2026 (4). Despite this, reforms in the industry are notably slower than desired.
While insurance companies cite their own reasons for this, the fact remains that some of these practices will need looking at sooner rather than later. Many industry experts say cyber insurers need to take a leaf out of the steam boiler insurance playbook: during the mid-nineteenth century, with industrial America struggling to contain explosions in steam boilers, a boiler insurance company (5) built risk mitigation into its product by proactively engineering boilers in a manner that reduced the accidents that were frequently occurring.
Here are some areas of improvement that the industry could target in the near future:
- A shift away from traditional methods of risk management, which are hampered by the absence of actuarial data in an industry still in its nascent state
- A more rational and stable approach to insurance that would take into consideration unprecedented events like Covid-19
- Policies that offer greater coverage and fewer exclusions and limitations, including cover for ransomware, loss of goodwill/reputation, and nation-state attacks
- Evolution from the presently used self-assessment basis for cyber insurance to the more scientific Continuous Control Monitoring (CCM) methodology, in collaboration with Managed Security Service Partners (MSSPs), which determines insurance based on the measured security posture of the organization
- Ability to absorb changes in legislation such as data privacy laws, which may vary from one country to another in depth and timeline
What changes organizations can expect
As the threat landscape expands even further, it is to be expected that organizations will tighten their security posture and increase their cybersecurity spends. But an increase in their insurance spends is also to be expected. Despite insurance premiums still being high—after stabilizing to an extent this year after all-time highs in 2022 and 2023—the cyber insurance market is still set to experience significant growth.
Though it will be quite some time before the cyber insurance industry reaches maturity, the coming periods should bring some changes. We can expect:
- Premiums to continue to be on the higher side (leading insurer AIG’s premiums rose 40% in the past year)
- Risk evaluation techniques to evolve from the self-assessment questionnaire to a more sophisticated underwriting process combining data science and CCM to compensate for lower levels of actuarial data
- Collaborations in the cyber insurance industry to increase as cyber insurers join up with security providers and MSSPs to offer their products
- Insurers’ roles to evolve into that of a business partner and risk advisor, from the erstwhile position of lender of last resort
- Forensic evidence to be called for from organizations when making claims, alongside establishing attribution of the attack
One school of thought has it that investment in cyber insurance will discourage cybersecurity spends. However, there is little evidence to support this thinking.
In fact, as threats proliferate, cyber insurance looks set to grow. The more stringent terms and the limited-liability clauses that will continue are expected to be met with increases in the risk appetite, the security posture, and the insurance-worthiness of organizations.
One thing will be moot in the short term: cost. Yet the rather steep price of insurance—something organizations will look at and hold CISOs accountable for—could be forced down in time as organizations do more to insulate themselves adequately against threats.
In other words, as they do more to win the war against bad actors.