Cyber Insurance Is Not a Substitute for Cybersecurity

Ransomware is becoming increasingly pernicious — recently, the DarkSide attack disrupted a major U.S. fuel pipeline, and soon after, another ransomware attack targeted four countries connected with the Asian operations of a global insurance subsidiary. Overall, attacks are increasing in frequency, ransom demands are rising, and the cyber insurance industry has reached a crossroads: victims of a ransomware attack cannot use cyber insurance as a substitute for adequate cybersecurity solutions and practices. The next generation of cybersecurity solutions can prevent these types of ransomware attacks, and insureds will need to show their insurance carriers that they are doing their part to prevent such attacks or risk a substantial increase in their cyber insurance premium, or even non-renewal of their policy. In a previous blog, we shared a call to action to help insured organizations make sure they have the proper cybersecurity strategies and technologies in place to combat ransomware threats. In this blog, we address the importance of making those changes with respect to maintaining a cyber insurance policy.

Private Insurance Does Not Fill the Cybersecurity Standards Gap

Every organization has an obligation to take reasonable actions to protect its assets — merely transferring the risk of loss due to a cyber breach does not alleviate that obligation. Companies should implement an overarching cyber risk management strategy that includes both risk mitigation and risk transfer, as each is a critical foundation for protecting the company. Cyber insurers' bottom lines have suffered over the last couple of years as a result of the significant increase in ransomware attacks and the size of ransoms, which is driving significant changes in the cyber insurance market. Cyber insurers are being more diligent and are requiring insureds to be more transparent in showing that they are taking reasonable steps to protect themselves against a cyber breach, such as deploying next-generation antivirus and heuristic endpoint detection and response (EDR), implementing multifactor authentication (MFA), creating regular and offline/offsite backups, regularly patching critical systems and software, and educating their employees on cyber risks and training them in anticipation of a breach. If a company does all of these things well, it will likely avoid the worst of the losses caused by ransom demands, the loss of intellectual property and/or confidential information, and exposure to third-party litigation. However, even with all of those efforts, it is impossible to eliminate all cyber risk, and that is where cyber insurance appropriately comes into play. Cyber insurance is not intended to cover a company's gross negligence in ignoring its cyber risk. Rather, it is there to cover risks that exist even after reasonable efforts have been made to minimize those risks.

Proactive Cybersecurity Is Lacking Despite the Rise in “Insurtech”

There is an ever-expanding niche industry within insurance that is referred to as “insurtech” — insurance that is priced based on the insured adopting the technology offered by the company underwriting the risk. Sometimes the insurtech provider will offer its own proprietary technology, and other times it will bundle insurance with third-party solutions.

Insurtech companies are now beginning to address the cyber insurance market. However, it is very difficult for these cyber insurtech companies to gain significant market share due to regulatory restrictions, especially in the United States, which is the largest cyber insurance market in the world. In an effort to maximize market penetration, large insurers submit their insurance offerings for approval by state insurance departments and can then offer an “admitted” insurance policy, a designation that is essential to obtaining wide market distribution. Many state insurance departments prohibit selling an insurance policy through “inducement”; in other words, the insurer cannot require an insured to adopt a specific cybersecurity product or service as a prerequisite to obtaining cyber insurance. As a result, the large majority of cyber insurance policies do not include bundled incident response or detection and prevention capabilities. While some cyber insurtech companies are making interesting inroads, they collectively have not had a significant impact on encouraging a proactive approach to cybersecurity.

Intersection of Insurance and Security Can Increase Adoption of Insurer-vetted Solutions

As an alternative to bundling a cybersecurity offering into a policy, most large cyber insurers offer their insureds a vetted list of cybersecurity products and services, often with pre-negotiated discounts from “retail” prices. These insurers have expended extraordinary effort and monetary investment to evaluate and select offerings that they feel will reduce the risk they underwrite. Unfortunately, the adoption rate of these programs is dismal — often less than 3% of the cyber insurance portfolio. The lack of success of these programs is due to a number of factors:

  1. Companies not viewing their insurer as possessing cybersecurity expertise and therefore not seeing it as a credible source
  2. Poorly marketed programs, partly due to regulatory restrictions and partly due to uninspired and uncompelling campaigns
  3. An inability to reach the ultimate buyer of cybersecurity solutions, as the insurer often directs its marketing campaign to the risk manager, who never conveys the offerings to the CISO or equivalent security leader
  4. Concerns about having legal liability due to recommending a specific solution that ultimately fails to prevent a breach
  5. The fear of being perceived as biased toward favoring a particular cybersecurity solution
  6. The inability to engage the insurance brokerage community in embracing and promoting these programs to their clients

Expanding on this last factor, it is absolutely critical that cyber insurance intersects with cybersecurity, and insurance brokerage firms are best positioned to drive these programs to success through their direct relationship with the insureds.

Rising Premiums Mean Finance and Security Teams Must Start Talking to Each Other

The cyber insurance industry is making strides to raise awareness of cyber risks, provide access to effective solutions and offer broad coverage to its insureds. The year 2021 will be the first in which underprepared companies face significant premium increases for the coverage they had last year (anywhere from 30% to 100%) and possibly even non-renewal. Many first-time buyers of cyber insurance will not even receive a quote unless they can demonstrate they have sufficient cyber controls in place.

Many companies will be required to make substantial investments in cybersecurity, which hopefully will bridge the massive communication gap that exists between many CFOs and CISOs. We expect that the cyber insurance industry will help advance a proactive approach to cybersecurity in the coming years.
