According to privileged access management provider Delinea’s report, Closing the Cyber Insurance Gap – 2023 State of Cyber Insurance, a significant gap is emerging between insurance carriers and organizations that are seeking affordable, comprehensive cyber coverage.
More than 20 respondents in the report – based on a survey of more than 300 U.S. organizations – indicated it took longer than six months to obtain or renew cyber insurance, and 67% of respondents noted that their insurance rates increased 50-100% upon application or renewal.
The report also found that an increasing list of exclusions could make cyber insurance coverage void, including lack of security protocols in place, human error, acts of war, and not following proper compliance procedures. The survey was conducted by Censuswide on behalf of Delinea and explored trends uncovered in a similar report last year about growing demand for cyber insurance.
However, on this episode of The Insuring Cyber Podcast, Tom Johansmeyer, global head of index products at risk strategy and reinsurance broker Inver Re, said an often-overlooked contributing factor to the cyber threat landscape, and ultimately the cyber insurance protection gap, is fear.
“What’s the real problem? Fear,” he said. “The fear of cyber warfare is keeping capital out of the cyber insurance and reinsurance industry, which itself is perpetuating the addressable insurance gap problem.”
The key to conquering some of this fear – or, as he calls it, “alarmism” – is to “always look for the narrative,” Johansmeyer said.
“When you’re building out a realistic disaster scenario or you are contemplating the sort of situations that could cause disproportionate damage to your book, build the story around it,” he said. “Let’s take that example of the three major cloud providers all being taken down at the same time. Build the narrative. How does that happen? Who does it? Are they capable of doing it? What’s their motivation for it? If you can’t build the story in a credible manner, then it’s not the risk.”
The cyber insurance protection gap is an ongoing conversation in the industry, as premiums have been rising and policy exclusions growing on the back of ransomware threats, an ever-changing landscape, and a lack of consistent, reliable data to assess risk, guests on this episode said.
Joe Carson, chief security scientist and advisory chief information security officer at Delinea, added that part of the reason for this is that the cyber insurance industry is maturing a lot and learning to better understand risk.
“They’re getting a lot more data that allows them to quantify the risk much more clearly, so we find that the insurance industry is maturing and as part of that maturity, they’re starting to realize that to defend and reduce the risk against cyber attacks needs a lot more focus and priority into best practices and enforcing those best practices,” he said. “As a result of that, they realize that the cost of security incidents needs to also be covered higher.”
This means premiums are rising and organizations seeking cyber insurance need to spend a lot more time, money, and resources to even be considered for cyber coverage, he said.
“It’s a massive change in how it used to be done previously and also means that fewer carriers are still making cyber insurance available, and they’re being a lot more selective on who they insure as well,” he said.
Insurers granting cyber coverage are looking for things like multi-factor authentication as a primary security control, privileged access management to be enforced for employees as well as third parties, and strong backup and recovery strategies that are tailored toward being ransomware resilient. These strategies can also be helpful in managing some of the fear surrounding cyber threats, Johansmeyer added.
“There’s this notion that the bad guys are always two steps ahead. That’s only true when the good guys aren’t patching,” he said. “The reality is the good guys are doing a good job. As dependence on the internet has increased, commitment to security has increased profoundly as well.”
Carson said that as the cyber insurance market continues to mature, he hopes more flexible and broader types of policies will allow organizations to have “a la carte” options when it comes to cyber.
“It’s not going to be the same for all businesses. They’re all different. They all have different needs and different risks, and cyber policies should be able to be flexible enough to meet those,” he said. “It’s definitely very different from those traditional types where everything’s very predictable, going back into having years of data and to be able to make very clear quantifiable risk decisions. Cyber is not that. It’s very, very different. It can change from day to day, which needs to be reflected in the policies.”
If insurers can wrap their minds around the risk, conquer the fear, and come up with a solution to fix the flow of capital into the market, Johansmeyer said, “we could actually sufficiently capitalize the industry to the point where the insurance protection gap closes and we achieve a considerable amount of economic security and simultaneous insurance industry profitable growth.”
Check out the rest of the episode to hear what else Joseph and Tom had to say, and be sure to check back for new episodes of The Insuring Cyber Podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.