Cyber insurance should be an essential component of a company's cybersecurity strategy, as it helps mitigate the financial losses that result from cyber incidents such as cyberattacks, data breaches and ransomware.
The increasing frequency of large-scale incidents, such as the WannaCry and NotPetya outbreaks and the mass exploitation of the Log4j (Log4Shell) and ProxyNotShell vulnerabilities, has highlighted the potential for catastrophic events. As frequency and severity continue to rise, businesses must take a more proactive stance to protect themselves.
While a cybersecurity program focuses on preventing and detecting attacks on a company's network, cyber insurance protects the company financially after an attack succeeds. Subject to the policy's terms, sublimits and exclusions, it covers a portion of the expenses and services a company needs to recover from an attack, including investigations, forensics, regulatory fines, lawsuits, and ransom payments (where the policy covers them and the payment is lawful). It can also cover the costs of containing a breach, notifying affected customers, and repairing damage to the company's systems and reputation.
The cost of cybercrime continues to rise and is estimated to reach $10.5 trillion annually by 2025. Demand for cyber insurance is growing accordingly: the market is estimated to reach $17 billion in 2024 and $20.5 billion by 2025, up from $7 billion in 2020.
Changes in the cyber insurance market
Insurers have reacted to this risk environment with traditional methods: limiting coverage and capacity, raising premiums, and ceding risk to reinsurers. These adjustments are not always a sufficient buffer against cyber risk in the long run, which puts pressure on insurers to find new ways to mitigate risk and protect their policyholders.
Insurers are innovating and increasingly taking a more comprehensive, proactive approach to cyber risk management, including the following:
- Practice risk selection informed by the latest cybersecurity threat landscape.
- Maintain constant awareness of the digital assets they insure.
- Scan continuously for emerging risks.
- Identify vulnerable companies quickly and accurately.
- Proactively monitor insureds and ensure they implement security patches as quickly as possible.
From these tactics a novel approach has emerged: active cyber risk management. Cybersecurity professionals should stay aware of how insurers will evaluate their company going forward, and how that affects their coverage. Two primary trends in insurer assessment stand out:
First, insurers are increasingly employing active scanning to determine each applicant's digital assets and overall security posture at the time of underwriting. This gives the insurer a current view of the company's assets and vulnerabilities and supports better risk selection and pricing decisions. In practice these scans are run from outside the network without credentials, so they largely reflect the company's external attack surface: exposed services, software versions advertised in banners, certificate and TLS configuration, and similar signals an internet attacker would also see. An applicant should expect to be judged first on what is visible from the outside.
Second, insurers supplement active scanning with continuous risk monitoring of the insured's digital infrastructure over the course of the policy period, which lets them keep pace with the changing threat landscape and with technological changes inside the companies they insure.
This two-pronged approach lets insurers reduce their risk, improve their loss ratios, and better protect policyholders against cyber risks.
Cybersecurity pros need to align with insurers
Cybersecurity professionals should recognize that, as the frequency and severity of cyber incidents continue to increase, insurers' assessments are no longer static. Insurers are taking a more comprehensive approach to cyber risk assessment and underwriting, using active scanning and continuous monitoring to maintain a current view of an organization's digital assets and vulnerabilities.
As evaluation and monitoring by insurers grow more sophisticated, insurers are becoming more knowledgeable and engaged participants in cyber risk mitigation, and companies should no longer view them solely as risk-transfer partners. Cybersecurity professionals should therefore reconsider how they interact with insurers and consider these two approaches:
- Align and collaborate with insurers: Cybersecurity pros should prioritize understanding their insurer's assessment criteria, offer feedback on those criteria, and align their security practices with them as closely as possible, taking them into account when making strategic decisions and adapting practices where needed. Close alignment with the insurer matters most in the event of a significant incident, when the policy's notification requirements and its approved response vendors come into play.
- Treat insurers as a source of intelligence: Cybersecurity professionals should also recognize insurers as a valuable source of intelligence, both before and during an incident. An insurer's continuous risk monitoring can provide prompt data and insight into incidents. A company runs its own incident response, but an additional source offers a different perspective: the company has deep knowledge of its own business, while the insurer sees trends and claims history across the broader industry and market. Sharing information serves everyone's interests.
As insurers adapt to the evolving cyber risk landscape, cybersecurity professionals should collaborate closely with them, understand their assessment criteria, and incorporate those criteria into strategic decision-making. Doing so strengthens risk management and better protects their organizations.
Lewis Guignard, director of data science, Guidewire