The cyber insurance industry is maturing and evolving rapidly following years of escalating cyber incidents and colossal payouts. Given the vast financial implications of cybercrime, insurance carriers have begun trying to mitigate the losses from cyber claims, and rightfully so. The frequency of cyber insurance claims increased by 12% in the first half of 2023, while the severity of claims skyrocketed by 42%, with an average loss amount of more than $115,000, according to Coalition’s 2023 Cyber Claims Report: Mid-year Update.
The growing availability of claims data is accelerating the maturity of cyber insurance coverage and risk mitigation, as insurers gradually refine their quantification of cyber risk. This is a stark contrast to the early days of cyber insurance, when, in a bid to capitalize on demand, carriers took on risk with little experience and little awareness of the volatile nature of the cyber realm.
However, with cyber insurance remaining a relatively new offering for most carriers, and with the ever-changing nature of malicious activity, it is certainly no easy feat for those drafting premiums and coverage plans. There are many variables to consider, such as which aspects of cyber risk are protected (data breaches, ransomware attacks, business interruption, etc.), the appropriate deductibles and out-of-pocket demands in the event of an incident, and the distinctive risks or regulatory requirements within certain industries.
Unlike car insurance, in which several core factors have been used for decades to help gauge coverage along with a standardized list of coverage areas, assessing and structuring cyber insurance premiums requires much more rigorous evaluation and contemplation.
Critical Considerations When Structuring Coverage
- Rigorous Assessment of the Insured and Their Industry. Structuring coverage starts with a deep understanding of the industry in which the insured is operating. First, carriers must acknowledge that certain industries are more susceptible to malicious activity given the nature of their work and the data they store. For example, healthcare, retail, and financial services organizations are all prime attack targets and should carry higher premiums with more possible coverage exclusions than others. Carriers must also develop a comprehensive understanding of the services and products an organization provides to its customers, then map out the risks and concerns they and their customers may face throughout business operations. Additionally, every industry has its own set of regulatory and compliance requirements that must be factored into coverage.
- Existing Security Frameworks. Carriers must also ensure that organizations looking for a cyber insurance policy have a comprehensive and robust cybersecurity program in place, including the right tools and personnel. This begins with assessing an organization’s digital management strategy: analyzing what infrastructure they have and how each part of it is protected. For example, how are employee passwords and credentials managed and secured, and what level of security training do users receive to combat rising phishing attempts? Best-practice security controls, such as enabling multi-factor authentication (MFA), enforcing privileged access management (PAM), and maintaining a strong backup strategy, should be a baseline requirement from carriers. As ransomware attacks continue to persist, comprehensive privilege escalation controls, which can block the lateral movement of attackers, should also be required by carriers. These can significantly reduce the threat of such attacks and the likelihood of a ransomware payout. Carriers must also inspect how organizations manage their assets as they mature over time. Changes to assets over their lifecycle, such as patching, updating, and decommissioning, can introduce many unforeseen risks and leave organizations more exposed.
- Technology Evolution and Adoption. The criteria for what is included and excluded from cyber insurance policies will continually evolve for years to come as new technologies, and new threats, emerge. The advancements in generative AI and machine learning are core areas that insurance carriers should follow closely to stay informed about the potential risks and remain ahead of any threats that might emerge. Many organizations have begun their implementation of AI tooling to bolster productivity, but few have pondered the risks that it may bring. While it is crucial that carriers monitor these new technological developments closely, it should not take focus away from other areas of security that organizations should already have in place. The reality is that there are plenty of security gaps that organizations need to close before they are granted a policy.
When evaluating an organization, carriers should look for security controls founded on least privilege and Zero Trust, a security strategy that is aligned with the company’s business and culture and backed by rich employee training, along with robust threat detection and response mechanisms.
Determination of Policy and Exclusions
By analyzing organizations through the lens of these three components, a carrier can then determine what type of coverage and which policy exclusions to set forth for a prospective premium holder. While some exclusions will be applied automatically, such as acts of war, others should vary depending on what an organization can demonstrate. Where organizations deliver minimal evidence of their IT maturity and cybersecurity posture, carriers should approach with caution and perhaps deny coverage altogether, or opt to include more policy limitations and exclusions. A comprehensive understanding of an organization’s wider business operations – what they do, who they serve, and what the unique risks are for their industry – will also help a carrier determine what needs to be excluded. This could include not covering claims resulting from unpatched systems, weak passwords, no enforcement of multi-factor authentication, or poorly secured public-facing systems.
Awareness of the potential gaps and risks of prospective cyber insurance policyholders is an essential part of the planning and budgeting process for carriers. Cyber insurance policies should not all be created equal, as organizations’ susceptibility to attacks can vary quite drastically depending on their risk profiles, their size, their industry, and other variables.