How accurate security data can solve the cyber insurance market crisis
The cyber insurance industry looks bleak. The market has hardened due to increasing cyber-attacks, such as widespread ransomware, so premiums are going up and insurers are increasingly less willing to take on risk. Many organisations are therefore struggling to get cyber insurance.
At the tail end of last year, our founder and chairman Nik Whitfield shared his cybersecurity measurement predictions for 2022. Among these was the topic of cyber insurance, specifically that the current state of the market will drive improved cybersecurity measurement.
The idea is that if an organization can demonstrate it has a good cybersecurity posture and prove it with evidenced metrics, then an insurer will be more willing to offer a policy at a reasonable premium. Could this be the answer to the current problems facing the cyber insurance market?
The state of the cyber insurance market
First, let’s look at the state of play. When the cyber insurance market started in the 2000s, it was a ‘soft’ market, meaning low premiums and high capacity. It was cheap and straightforward to get cover. But now, the market is becoming considerably less profitable for insurance companies. Loss ratios are increasing – this means that the ratio of claims paid by a cyber insurer compared to the amount of premiums collected is going up.
Research by S&P Global shows that the loss ratio is around 73%, meaning that for every dollar brought in by premiums, an insurer pays out 73 cents. For context, loss ratios for property and car insurance typically range from 40% to 60%. Gallagher’s recent Cyber Insurance Market Conditions report highlights four key challenges for the cyber insurance market: rate increases, coverage limitations, capacity constriction, and greater underwriting scrutiny.
Rate increases
Cyber premiums have increased considerably. Some rates have increased by 100-300%, and sometimes quotes are simply not given, particularly if the organisation lacks specific data on security controls. This increase is partly due to demand.
While cyber insurance is harder to get, the market is still growing. In 2020, the market was worth an estimated $7.8 billion, and is predicted to hit $20 billion by 2025, according to security.org. It’s also a response to increased cybercrime over the past few years, particularly ransomware. Ransomware demands are now exceeding $10 million, so it’s no wonder premiums are rising.
Coverage limitations
Many insurers will not fully cover specific risks such as ransomware or known vulnerabilities. Research by Sophos shows that while 84% of organizations have some form of cyber insurance, only 64% have coverage for ransomware attacks.
If an organization fails to remediate known vulnerabilities, payouts can be withheld. Not only that, but insurance companies also provide valuable recovery and forensic services in the event of a breach. If the organization hadn’t been truthful in their declarations, that might mean not just loss of payout, but loss of support too. That’s why an organization needs to be confident that its security attestations are accurate. Ideally with evidence for that.
Capacity constriction
Cyber insurance providers are limiting capacity in order to limit risk exposure. Policy limits are being cut in half. According to RPS, where an insurer may have been willing to give a $5 million dollar limit in 2020, the 2021 figure was around $1-3 million, even for renewals.
Greater underwriting scrutiny
The underwriting process is becoming more strict and more rigorous. Sophos reports that, to get insurance, organizations have to “jump through more hoops than ever before”. Almost all insurers are asking for more details about security controls.
Some companies are denied coverage if their security posture doesn't meet the insurer's minimum requirements. Tracie Grella, Global Head of Cyber Insurance at AIG said for an article: “If clients have very, very low controls, then we may not write coverage at all, but mostly what we’re doing is reducing the cover that we’re offering.”
This increase in scrutiny is an essential step forward. While it may cause difficulties for some organizations, it pushes for a more holistic approach to measuring cyber hygiene and the effectiveness of security controls.
With answers to simple questionnaires, it is difficult to get a realistic understanding of an organization’s cyber risk, so insurers don’t fully understand what they are underwriting.
The current process is often a manual response to questioning, without providing evidence for answers. With more complete and accurate data-driven metrics, insurers can get real evidence of the organization’s risk profile. They can then offer a more reasonable premium for better coverage, being fully aware of the risk they are underwriting.
How can we fix the cyber insurance market?
The cybersecurity industry needs to work collaboratively with insurers to come up with a solution to this problem. As cyber insurance premiums become too steep, some companies can self-insure – i.e. maintain a fund to cover possible losses rather than purchasing an insurance policy. But that’s not an option for most.
We believe that insurers will be more willing to give a reasonable premium to a company that can prove its security posture. This will be one of the most important applications of CCM (Continuous Controls Monitoring) technology in the future.
How does CCM help with the cyber insurance challenge?
As the cyber insurance market matures, organizations will need to provide more detailed and accurate information about their cybersecurity posture to insurers to obtain better premiums. Our own research has shown that security leaders would be willing:
But insurers also need to speed up the move away from static questionnaires to dynamic models based on up-to-date metrics and measures. Here’s how this process could work. You go shopping for cyber insurance.
You receive a list of questions from an insurer. Here are a few examples:
- How many devices do you have deployed?
- Are EDR solutions utilized across the organization on all endpoint devices?
- Do you vulnerability scan and penetration test applications on a regular basis?
- Do you have a secured/hardened baseline configuration of cloud assets in line with industry standards?
- Do you have a process for managing user accounts?
- Do you provide regular employee awareness training and phishing and social engineering?
CCM gives answers to these questions and more, providing accurate and trustworthy evidence to back them up. It brings together data from across your security, IT, and HR tooling to create a comprehensive inventory of assets, and the effectiveness of security controls on those assets.
Our customers use data queries to get quick and accurate answers to these kinds of questions. Here’s a cyber insurance dashboard from our platform, which gives instant access to the information insurers will likely ask for:
You can provide access to the dashboard with secure permissions, so insurance providers can view the exact metrics and data you intend to show them.
On top of that, you can also share continuous monitoring of security controls with historic trend data, to give an exact picture of security posture at a specific point in time. If you’re interested in seeing how it works, get in touch for a demo.
The final word
The cyber insurance market is certainly facing challenges, but it won’t always be so. In the future, as CCM becomes more widely used among both organizations and insurers, we expect to see more consistent measurement and reporting emerging from the cyber insurance market.
All the data and measurements will be available and shareable between clients and insurers. This kind of collaboration will benefit both parties, with lower risk for the insurer and lower premiums for their clients.