People naturally tend to be risk averse. While some individuals live for the adrenalin rush of betting the farm on what seems like a good chance, most people are reluctant to assume even much lesser risks. This is hardly a new story: Insurance evolved roughly 4,000 years ago, when Babylonian lenders and ship owners devised ways to spread the risk of a ship loaded with valuable cargo being lost at sea, and reward those who assumed it.
Modern insurance is based on actuarial science and, increasingly, big data. Insurance companies have vast pools of data on life expectancy and factors that impact it, as well as car accident data such as the percentage of cars that can be expected to get into accidents every day, the damage and injuries those accidents will cause, and costs of recovery and repairs. Insurance companies use all of this data to calculate premiums that allow them to come out ahead, despite the fact that all life insurance policy holders eventually die, and many crash at very predictable rates.
There are, however, scenarios that make life uncomfortably risky even for insurers, despite their risk expertise. Structural changes can render their data inaccurate. Climate change, for instance, is currently playing havoc with insurers as droughts contribute to larger, more intense fires, and warming ocean waters result in more and more powerful hurricanes.
Developing new types of insurance for business lines that are so new that reliable statistics simply do not exist is another risky scenario, and one that insurers took on when they began to offer cyberinsurance. A more basic, ongoing and intrinsically related issue, however, is that since there is no fixed definition of what a covered cyberattack is, insurers cannot properly assess what the potential liabilities are – what the industry calls “possible maximum losses.”
For example, in a discussion about cyberinsurance on Chase Cunningham’s Dr. Zero Trust podcast, Gerry Kennedy, CEO of Observatory Strategic Management, cited an incident in which criminals hacked encoded car keys, then opened the cars, started them up, and drove them away. Auto insurance covers this as an incidence of theft despite it being, in fact, a cyberattack. It is also an unfunded covered loss since this type of incident was not factored in when the auto insurance liability was costed out.
The Problem with Cyberinsurance
Few US insurers underwrite cyberinsurance due to the lack of sound data on the level of exposure. Without stable data – and without knowing how to assess risk — setting reasonable premiums and terms is guesswork, at best. As Gerry Kennedy noted, “Nobody has ever defined it. It’s about naming the perils, which the industry has failed miserably at. They have not inventoried any of the losses.” Regulators, as well, lack expertise when it comes to cyberattack risk.
This is no trivial matter, since in truth, cyber risk is both systemic, in that it can impact vast swaths of modern life, and highly unpredictable.
While ransomware has been around for a long time – the first documented ransomware was the AIDS trojan delivered by floppy disk in 1989 – only lately has it become a business-stopping multi-million-dollar threat to large corporations. In 2020 the direct loss ratio for cyberinsurers – the amount insurers pay out on claims relative to premiums earned – skyrocketed from 47 cents per dollar to 73 cents per dollar. Cyberinsurance became a much less profitable business line overnight. And, of course, ransomware is not the only type of cyberattack that organizations expect cyber insurance to cover.
Failure to accurately identify the risks or accurately predict the sharp jump in costs and frequency of cyberattacks when setting premiums has led some insurers to seek ways to avoid cyberinsurance payouts for ransomware and other attacks. Many of the arguments they’re using are clearly disingenuous and easily recognized as efforts to find ways to cut losses. For example, in one ransomware attack, an insurer tried claiming that they weren’t liable because the data wasn’t actually damaged since it was physically still there, on the client’s server, albeit inaccessible.
Insurance companies are responding to the spike in ransomware-related losses in several ways: massively increasing premiums (by as much as 200%), limiting coverage, and in some cases, dropping coverage entirely.
For cyberinsurance to be a viable offering for insurers, as well as a valuable risk reduction strategy for organizations, insurers must take steps to rationalize the way policies are written — something which should have been done from day one: Specifying coverages, bringing experts on board who understand the cybersecurity field, incentivizing applicants to put better cybersecurity controls in place or making them a prerequisite for obtaining coverage, and adding right-to-inspect clauses to add teeth.
Cybersecurity Features Insurers Want to See
A recent Risky.biz podcast segment on cyberinsurance highlighted eight security capabilities insurers look for when deciding whether to issue a cyberattack policy and what premiums to charge:
- Multi-Factor Authentication (MFA). MFA isn’t foolproof, but it can stop an estimated 99% of all attacks.
- Least Privileged Access. Least Privilege Access is vitally important to reduce both the attack surface (possible access points) and blast radius (amount of damage that can be done by a successful breach.
- Network Segmentation and Data Encryption. Network segmentation, or microsegmentation, works together with least privileged access to minimize east-west traffic between servers on a network, helping minimize damage in the event of a breach.
- User training and incident response time. User training clearly does not stop all attacks, but it can definitely help and should be a part of cybersecurity defenses. Having good intrusion prevention and detection systems is important to spot breaches quickly and minimize damage.
- Offline backups. In a ransomware attack anything connected to your network, whether on your servers or in the cloud, could be encrypted. The only way to be sure you have a backup available when you need it is to have an offline backup.
- Endpoint protection and response. Especially with so many people working from home, it’s not enough to secure your servers – you have to make sure the endpoints are secure too.
- Patch and end of life management. Jerry Kennedy recommends that policies include “newly reported” provisions which would require customers to take appropriate risk-limiting action within X days from the announcement of a new vulnerability or issuance of a new patch.
- Attack surface testing. Insurers want to make sure you know where you are vulnerable, and want to see you take appropriate protective measures.
Now that we’ve seen the insurers’ perspective, what about organizations considering a cyberinsurance purchase? Is it a worthwhile investment or a waste of resources that could be better invested in additional protection?
The answer, of course, is “it depends.”
It’s important to check the fine print and make sure the policy actually protects your organization against the most common and potentially damaging risks, such as ransomware.
Just as automobile insurance doesn’t protect you from having accidents, cyberinsurance won’t stop cyberattacks. It can help reduce the expense and soften the bottom-line blow, but just as auto insurance can’t stop you from being seriously injured in a car accident, cyberinsurance can’t save your business from a cyberattack.
What both auto and cyber insurers can do, however, is condition coverage on actions that will protect you, regardless of what threats come hurtling your way. Just as auto policies might make coverage conditional on installing an alarm or anti-theft device, cyberinsurers can make policies conditional on use of multi-factor authentication, for instance, or Zero Trust Network Access (ZTNA) for remote worker connections, rather than VPNs or RDP. And like back-up sensors that protect your car from any unseen object, insurers should require solutions like RBI, that protect against known and unknown threats.
Organizations that have implemented solid cybersecurity controls should choose an insurer that values their proactive stance and rewards it with favorable terms. It’s a belt-and-suspenders approach that yields the best of both worlds: reduced risk for both insurer and the insured business, and a lower premium for coverage in case a threat does manage to get through.