Tackling Cybersecurity Insurance

Annual Third Party Risk Assessment Now Required To Qualify for Cyber Insurance

Introduction

Cyber insurance premiums increased by an average of 28% in the first quarter of 2022 compared with the fourth quarter of 2021, according to the Council of Insurance Agents & Brokers (CIAB). Among primary drivers for price hikes were a reduced carrier appetite for risk (supply) and a high demand for coverage, in part fueled by greater awareness of the current threat landscape. As a result of more stringent global regulations and increasing cyberthreat volumes, the number of businesses that will be unable to afford cyber insurance, have insufficient coverage, or be refused a policy altogether is set to double in the next 12 to 18 months.

Cyberattacks have grown immensely in frequency and complexity over the past decade, and are predicted to grow 15% year-on-year for the next five years. According to CyberCrime Magazine 60% of small companies go out of business within six months of falling victim to a data breach or cyber attack, with the average cost of a single breach hovering around $3.62 million. It’s no surprise then that more firms are purchasing cyber insurance as a way to cover losses and expenses resulting from cyber incidents. 

To add to the complication, new legislation has been introduced that requires third party annual assessments of your cybersecurity plans and processes to ensure that your business is not at any unnecessary risk. This ultimately puts more responsibility on firms to secure assets and protect themselves.

“Despite premium increases, many organizations believe they cannot afford not to be covered for cyber risk,” Rob Norris, principal analyst, property and casualty insurance, at Celent, remarked.

What is Cyber Insurance?

Cyber insurance is a type of specialty insurance that protects organizations against a variety of risks related to information security attacks such as ransomware and data breaches. Typically these types of risks aren’t included with traditional commercial general liability policies, or are not specifically defined in these insurance plans.

Unlike traditional lines of insurance, such as auto where there are standardized policies, the types of risks covered under cyber insurance may vary significantly from business to business. The nature of cyberthreats, including a limited history of occurrence, unreliability of past data to predict future events, and the possibility of large-scale/multi-company or industry attacks, make it difficult for insurers to write comprehensive policies.

Problems Being Faced

If rates continue to climb, and insurers offer more limited coverage, cyber insurance may become increasingly difficult for business to afford or obtain. In a 2022 report, U.S. Government Accounting Office (GAO) noted that the extent to which cyber insurance will continue to be generally available and affordable remains uncertain.

A key issue for insurers is the limited loss history and lack of modeling to predict future attacks, introducing a high level of risk. Cyber insurers work in a fast-developing market, and have to rely on a number of indirect factors to price policies that may be unreliable. The evolving nature of cyberattacks makes it near impossible to have consistent risk profiles. In addition, cyberattacks are highly scalable and have the potential to hit thousands of companies simultaneously due to the centralized structure of the internet. For example, if a large cloud computing platform got hacked, an insurer may have to pay claims on all of its policy holders at once. We see this similarly in natural disasters, whereby insurers are reluctant to offer flood or earthquake insurance because if one house is hit, it’s likely that the surrounding houses will be hit as well. 

Annual Third Party Risk Assessments

Traditional regulatory frameworks for cyber insurance did not specifically require businesses to adopt and implement comprehensive cybersecurity programs, which meant that these firms may be at greater risk of attack or harm from hackers. Thus providing greater risk to insurers.

New legislation across the United States in 2022 requires that cybersecurity policies and procedures must exist and be tailored based on business operations and complexity. Furthermore, these new rules necessitate that annual reviews must be performed to evaluate the design and effectiveness of cybersecurity policies and procedures, allowing for them to be updated in the name of every-changing cyber threats and new technologies.

Essentially to acquire the proper protection, you must have a cybersecurity strategy this is in place and up-to-date. Whilst this may seem daunting, it will apply pressure where needed to ensure more businesses are protected in the digital world. 

If you would like to see where the gaps in your business might be take a look at our CyberCAST Snapshot, Zyston’s free risk assessment tool that delivers a scored based on benchmarking you against current industry statistics. This will help you understand your cyber strengths and weaknesses, as well as inform your next steps.

The Future

As mentioned, yesterday’s attacks do not currently inform us accurately about tomorrow’s risk. In order to soften the risk for insurers, predictive cyber-risk models must be developed. Additionally, the cyber insurance industry needs to consider how to handle large-loss style events, and create certain standardizations. The new regulation is just the beginning of how cyber insurance could propel the cybersecurity industry, with more companies seeking strategic counsel on how to meet requirements.

Organizations that decide they cannot afford cyber insurance “will be living with a potentially existential threat to their balance sheet,” Rob Norris said. “Also, companies that go bare on cyber liability may see an impact on revenue, as customers and suppliers increasingly make cyber coverage a requirement of doing business.”

Preparation begins with understanding the current state of your cybersecurity, Zyston’s CyberCAST enhances our managed security services, illuminating critical insights into an organization’s threat susceptibility and informing a dynamic cybersecurity strategy that matures over time.