Listen in on any boardroom cyber discussion this year, and you are going to overhear some tough conversations. Many of them involve security leaders being quizzed about cyber insurance coverage.
As boards lean on CISOs to evaluate cyber insurance, they leave security leaders with a major problem. Insurance is becoming harder to find, offers less coverage, and is getting exponentially more expensive. The growth rate of insurance premiums was 100% last year.
This is because although cyber risk is growing rapidly, the cyber insurance industry is still trying to get their heads around what exactly to insure and how much to charge for it.
Whether covering automobiles, earthquakes, or cyber-attacks, insurers need reliable information to price coverage. In cybersecurity, insurers look at factors like the increased frequency & complexity of cyber-attacks, more availability of data, and the ability to measure and/or quantify cyber risk.
Unfortunately, as they learn more about the real costs of cyber-attacks, insurance providers are concluding that covering certain cyber risks may not be good for their bottom line. Rising premiums and leaner coverage are the result.
Recently, the CEO of Zurich Insurance even told a reporter that certain types of cybercrime could soon become “uninsurable.”
So, what is a CISO to do? Three critical tasks jump out. Faced with a tightening insurance market, CISOs need to:
- Make sure they understand what cyber insurance is and isn’t.
- Be able to quantify risk and risk mitigation to insurance providers to get the best policy price.
- Realize and communicate that cyber insurance can be a double edge sword.
Insurance Is a Safety Net, Not a Capability
Simply put, cyber insurance is a safety net.
Cyber insurance is not a defensive strategy, but is still something that creates a tangible benefit for operational security.
In a recent World Economic Forum study, 74% of respondents who reported being confident in their cyber-resilience efforts had insurance. Only 45% of respondents without insurance said the same thing.
Therefore, it makes sense that most companies will need some level of insurance.
The key task for security teams is to understand the following:
- What can be covered and what can’t be covered?
- What are the data and cyber qualification requirements from insurance companies to obtain a policy?
- How much will the premium cost?
Once you have this information, you should be able to determine if cyber insurance is right for you.
To Reduce Insurance Premiums, Start with Risk and Risk Mitigation
As a former CISO and CRO (Chief Resiliency Officer), one of the first questions I always asked a vendor was, “how is the capability/platform/tool that you want me to buy (or renew) will accomplish my mission to define, identify and mitigate risk?”
In my opinion, cyber insurance companies want answers to the same questions. Evidence of this is that as the insurance sector matures, it is demanding better data from companies and minimum qualifications before they even entertain writing a policy.
This wasn’t always the case. Before ransomware came on the scene, risk assessment was relatively straightforward. Insurers would ask clients simple questions, look at historical surveys and make educated guesses. Today, with an incredibly hostile threat landscape on the one hand and sprawling attack surfaces on the other, it’s very hard to get reliable data on risk at a company level.
Misinterpreting risk can have serious consequences. Cyber-attacks like the Colonial Pipeline hack or the SolarWinds breach cause a level of systematic risk that can wipe out an insurer’s profit margin.
Insurers are adding additional “qualifiers” or rolling back coverage. Lloyds will soon stop covering losses created by nation-state threat actors in times of war. In 2021, French insurer AXA dropped its coverage of ransomware payments and was, ironically, hit by a ransomware attack a month later.
In response, companies will need to make sure they understand emerging requirements and plan for them, especially if there are formal qualifications needed. This planning process needs to be baked into your cyber strategy to make sure you have checked all the cyber insurance boxes well in advance of obtaining a policy.
Adversaries Will Continue to Mature (Or Why Having Cyber Insurance Is a Double-Edged Sword)
Cyber insurance must be considered as you put together your cyber strategy, but you also need to be aware of how insurance helps adversaries.
Threat actors always look for targets of opportunity. The ones looking to profit from their attacks want to do just that, make a profit. To that end, the case can be made that cybercriminals are more likely to go after companies that carry insurance.
Sophisticated threat actors even tailor their attacks to target assets they know their victims have insured. Attackers know that companies with insurance in place are more likely to pay ransoms. In an interview with The Record, a hacker from the REvil group described companies with cyber insurance as “the tastiest morsels” for this reason.
As cyber criminals weaponize insurance coverage, security professionals need to do two things:
- Ensure that insurance information, i.e., what kind of insurance is in place, what’s covered, etc., is kept as confidential as possible.
- Vet insurance companies to make sure they’re keeping your data safe. You should ask your insurance company how they are protecting your and other clients’ data, what their cyber security program is like, and what formal qualifications they have in place. Basically, you should require the same controls from your insurance company as they require from you.
Unlocking Insurance Benefits by Understanding Risk
You are not alone when trying to understand cybersecurity insurance and whether it makes sense for your organization.
Finding and fitting some level of cyber insurance to their organization’s needs is something all CISOs and security leaders will have to explore. Pressure from board members and other executives will make sure of that.
However, tackling insurance questions does not have to be an impossible task. To make your insurance journey easier, use risk as your north star to reduce premiums and the chances that your insurance could be used against you.
Specifically, look at risk across two core domains:
Insurance providers. As part of your evaluation process, ask the right probing questions of your insurance vendor to make sure they are not adding risk to your company.
Attack surface. Your attack surface is what attackers target and is a key risk area insurers worry about. An attack surface management (ASM) platform can help you define and communicate risk in this area. For example, Randori’s ASM platform can help you reduce risk by allowing you to find and fix the right/most critical vulnerabilities in your attack surface, tailor policies, and communicate real-world risk to insurers.
Final Thoughts
As a cyber security executive at an offensive cyber security company in the attack surface management (ASM) and continuous automated red teaming (CART) market, I want to emphasize that having effective risk reduction solutions will not only help keep your company safe but will also help obtain the most cost-effective premium.
Randori’s (an IBM Company) ASM solution helps to quantify risk, mitigate risk and give solid, measurable data that will resonate with insurance companies.
THE RESULT: You will have a more cyber-secure company, a more confident insurance provider, and lower premiums.
