Every time a driver buckles up or an airbag is deployed, we see the powerful influence of the insurance companies who insisted those measures become mandatory. Now, those insurers are poised to drive cybersecurity investment by insisting that organizations meet certain criteria to qualify for coverage.
Still unclear is whether this will serve the cybersecurity community well, or distort strategies to protect data and networks.
“I believe this to be the next tectonic shift,” said Bryan Hurd, vice president at Aon Cyber Solutions. He referenced an insurer’s role in designing pressure relief valves for the steam engines powering Philadelphia in the 1800s: “They said if you wanted to have insurance, you have to have this piece of architecture on your system.” In so doing, “they drove security or solutions to avoid large insurance claims.”
It would make sense, then, that they turn their attention to the fast-growing area of cybersecurity. “Now we’ve come to know our cyber engines are crashing into stuff and blowing up and hurting people,” said Hurd, who is also a member of CyberRisk Alliance’s Cybersecurity Collaborative, a forum of CISOs, and worked for a period of time in the insurance industry after roles with the federal government's National Counterterrorism Center and Microsoft, among others.
But when it comes to cybersecurity coverage, the relationship between enterprises and insurers has been rocky and uncertain. With mitigation of some breaches costing well into the six figures – cyber losses topped $1.8 billion in 2019, according to Hiscox – companies crave coverage. And insurers are equally eager to meet that need as well as open up another lucrative stream of revenue.
Still, hammering out the terms of coverage as well as pricing have proven difficult. And in a few high-profile cases, insurance companies have bailed. In one notable example, insurers refused to pay Mondelez International's claim after the NotPetya attack was labeled an act of the Russian government, claiming the attack fell under the policy’s “hostile or warlike action in time of peace or war” exemption.
“Cybersecurity is, for many people around the world, still not a clear, tangible concept,” said Patryk Brozek, CEO and co-founder of Fudo Security.
A maturing model
The relationship between enterprises and insurers, like the cyber insurance market itself, is evolving.
“Cybersecurity insurance is only in its infancy and through its business operating model maturity it will have the huge positive impact on both individuals being insured and/or organizations,” said Niamh Muldoon, global data protection officer at OneLogin. “Partnering with cybersecurity industry expertise will drive this maturity within the industry.”
Over the last few years, Brozek said, “the awareness has grown, as more people, and not just corporations are feeling the effects and consequences” of stolen medical data and credit card details – and worse.
Propelled by the surge of cyber incidents and ransomware attacks, businesses and insurance providers are rethinking and redefining how they engage each other, said Trent Cooksley, chief operation officer at Cowbell Cyber. “In order to maintain a profitable loss ratio, insurers might have to request specific controls on businesses before offering coverage,” he said.
Ultimately, he believes “this is good for businesses as, through the insurance process, they will gain better visibility into their cyber risks and measures they can deploy to keep digital operations secure and compliant to data privacy regulations.”
According to the Harvard Business Review, though, companies with at least $200 million in cyber insurance account for a bit more than 20% of what is believed to be $5 billion in global cyber insurance premium, amounting to roughly $1.1 billion in premium.
That’s quite the incentive for insurers to assert themselves in this market. Citing cybersecurity insurance as an important “component that businesses are investing in as a layer of protection,” Muldoon said no business should be operating without it.
“It helps business leaders make informed risk-based decisions to support their businesses moving forward while reducing risk to an acceptable level,” he added.
Insurers “are pushing for areas of improvement and focus,” said Brandon Hoffman, chief information security officer at Netenrich, though “it is hard to tell whether those actually align with best practices or if they somehow fit into their actuarial science conveniently.”
In an ideal world, he said, “the insurers would push for the basic security processes to be the most important with less focus on advanced technology or processes, as these are harder for organizations with less resources to effectively pursue.”
What might that include? Businesses should expect insurers to demand more systematic proof that security best practices are in place before they can get insured, said Cooksley. “This can range from validating configuration of cloud services for security to having a third-party risk program in place or deploying cyber awareness training to all employees. This is where industry resources and standards such as the CIS controls will help in driving consistency of security controls required.”
But Brozek warns that “a one-size-fits-all approach won’t work,” and many questions must be sorted out, like who decides the value of data, how it will be quantified and what type of risk is assessed.
“Yes, insurance companies may with certain policies they offer demand a bare minimum in cybersecurity/infosec mitigation tools and solutions,” he said. “It could very well drive companies and certain industries like finance or health care to have a common standard.”
But much will rely on regulation. “If anything, I can see a greater impact on cyber awareness,” Brozek said. “Not just for the c-suite but also for the common worker.”
Since hackers often go through weaker links in the supply chain to get to bigger fish (think the HVAC vendor that served as a way in for the Target hackers), it could be that insurers will compel companies to show they’ve done due diligence in assessing the security postures of their partners or bear the consequences if a breach occurs.
Cyber improvements, or cyber degradation?
Still, for all their potential power in driving cybersecurity, the fruits of that influence won't be recognized overnight. In the case of seatbelts, air bags and other safety measures intended to save lives and mitigate injury, “it was a long process until the general rules and common practice,” said Brozek. Consider that seatbelts became required in all cars sold in the U.S. in 1968; it wasn't until the 1980s, however, that seatbelt use became required.
Other factors will increase pressure on strengthening cybersecurity, too, as will unexpected events like, for instance, a global pandemic.
“There isn’t just one force leading this shift, and although cyber insurance is going to continue to be more commonplace, there are other actors in this story,” said Eddy Bobritsky, CEO at Minerva Labs. “Governments, industry, private individuals and the interplay between them will determine the course of how we all regard cybersecurity and the need to protect against threats.”
Multiple stakeholders and forces “are changing our perception and the public’s view on cybersecurity and threats,” said Brozek. “What the global COVID-19 pandemic has shown us is that our reliance on digital tools and devices has exposed not only how easy it is to interact in a connected world but also of our vulnerabilities. Every sector has suffered breaches and no nation can claim to have been spared.”
And Bobritsky contends that a reliance on insurers to lead the way may actually degrade cybersecurity. “So far, the cyber insurance industry has had a negative influence on the level of cyber defenses that organizations build,” he said.
About 80% of organizations cannot afford to buy or maintain cyber security solutions, Bobritsky maintained. “Organizations’ security depends on the security team size, skillset and tools and this is huge problem. These organizations found a shortcut, cyber insurance. But the past few years, especially 2020, showed that this will not work.”
Brozek cautions against a false sense of security, that “insurance companies will lead the way,” which may cause some to minimize the impact of other factors. He pointed to nation states, which “are playing both a political and an economic role in cybersecurity policy,” and national governments that demand compliance with such regulations as the European Union’s General Data Protection Regulation, the California Consumer Privacy Act and Brazil’s Lei Geral de Proteção de Dados.
“There is still much to be done and the geopolitics of the world cannot be underestimated in seeking to understand the future of cybersecurity and its impact on businesses and the public,” he said.
Indeed, it’s important not to forget who really steers enterprise efforts to build up cybersecurity. “Let’s keep it real: malicious actors, attackers and cybercriminals are in the driver’s seat,” said Muldoon. “Insurance companies are just another safeguard on the road to reduce the threats to other vehicles, both drivers and their passengers. The road is long and full of hazards so insurance companies on it are welcomed.”