Skyrocketing premiums and complicated policy terms have put insurance policies across all sectors under the microscope. And with new compliance regulations aimed at addressing the record number of cyber attacks we saw in 2023, cyber insurance is subject to the same scrutiny.
The cyber insurance market is more volatile than ever, due to the increase in the total number of claims and the types of cyber threats policyholders face. The hard truth is that the cyber insurance sector alone (paywalled article) is unable to respond to a catastrophic cyber attack causing billions of dollars in losses, which is likely inevitable over time. Cyber insurance, as it is currently structured, needs to evolve, not only to make it easier to acquire, but also to offer better value.
Repair a broken underwriting process
A crucial change concerns the underwriting process. Right now, customers are wary of massive year-over-year premium increases, threats of non-renewal, and stories of claims being denied due to policy exclusions. However, insurers recognize that many policyholders are not taking the necessary precautions to prevent attacks.
Part of the weakness of underwriting is that applicant environments evolve rapidly and become more complex. Insurers, who once relied on macro market trends, no longer risk approving policies without considering the specific environment to be covered. The breadth of investigations continues to expand, dragging out the process for policyholders and claimants. In many cases, organizations must demonstrate a certain level of security through features like multi-factor authentication (MFA), endpoint detection and response (EDR), and more.
As insurers continue to collect more data and improve their sophistication in analyzing cyber risks, they are regularly adjusting contract terms and policy exclusions. Premiums also remain volatile, often rising to reflect higher loss ratios and claims.
In some cases, carriers’ overall risk acceptance decreases, reducing individual policy limits or causing non-renewals. This has prompted a search for alternative sources of risk absorption, such as deeper reinsurance markets or capital markets using insurance-linked securities (ILS), sometimes called “catastrophe bonds”. If you have read The big bet or seen the movie, you know where it can go wrong.
To minimize the impact of these trends, carriers and insureds must accept that reducing risk is in their mutual interest and that robust risk analysis leading to fair pricing and terms is the desired outcome.
Modernize intelligence collection
Getting cybersecurity insurance is a long and outdated process. The manual and time-consuming process of data collection and due diligence needs to be modernized. Electronically sharing cyber posture metrics from within the insured entity’s firewall should be the standard, but the question is: how do we get there effectively?
Electronic data collection provides a more accurate snapshot of the environment, with less time and effort. Right now, policyholders tell insurers about policies and procedures rather than the actual effectiveness of their operations. Manually collecting data paints a different portrait of an environment than sharing it electronically, which can provide greater visibility into security posture, such as how effectively a company is patching and whether it is implementing MFA and other critical controls. Sharing this deeper insight into the environment can lead to fears among policyholders that an insurer may refuse to write a policy or charge higher premiums. This broad mentality is somewhat naive; insurers know that gaps exist between questionnaires and living environments. They want a clearer understanding of what the reality is and they still need to write policies to make money: no policy means no business.
Amazon Web Services (AWS) is one of the first cloud services organizations to develop a program to streamline the underwriting process using electronic data sharing. Its recently announced Cyber Insurance Competency Program is designed to give insurers access to accurate, real-time data on the security posture of the cloud. While this is a positive step in an effort to move towards electronic data sharing, cyber insurers must be concerned with an insured’s entire IT estate.
Companies’ adoption of modern data collection for cyber insurance underwriting is essential, but addresses only one component of the challenges faced by the cyber insurance market. An open issue that needs to be urgently addressed is the risk of a catastrophic cyber event.
Federal assistance may be in order
Insurance is designed to spread concentrated risk, but in some cases there are related events that can wipe out entire communities. Consider insurance that covers natural disasters; think of hurricanes or floods, where billions of dollars of damage can occur in a specific location. In many cases, federal programs are in place to ensure the protection of those affected by such devastation.
Suppose a multibillion-dollar cyberattack occurred today: If a hacker shut down a global cloud provider like AWS, there would be billions of dollars in losses for thousands of affected companies. Even if many of those affected had cyber insurance, the overall claims would devastate insurers’ reserves. Depending on the origin of the attack and the cause of the damage, questions would also arise about exclusions from coverage. In any case, the federal government will likely have to step in to cover much of the fallout. Government agencies such as the Treasury Department, the Office of the National Cyber Director, and the Cybersecurity and Infrastructure Security Agency (CISA) are all evaluating what a federal support program might look like, with the intention of meeting in April.
While a catastrophic cyber event has yet to occur, large amounts of personal data have been compromised. We must be prepared for worst-case scenarios. CISA’s efforts are in place to combat this risk and the White House has released executive orders that prioritize national cybersecurity. Also, new SEC regulations on the disclosure of cyber incidents recently came into force. These regulations will improve the cyber insurance industry by allowing for closer scrutiny of incidents and improving the level of security. We know: when companies need to disclose more, they usually find a way to do better. These policies are collectively taking us in the right direction. Will the industry and regulators be able to stay ahead of the bad actors? So far, they have. Let’s hope it continues.