Cyber insurance is becoming increasingly important as the threat landscape grows more severe and organizations face surmounting pressure to get insured. However, securing an affordable policy comes with challenges — both for the insurer and the insured. So how can both sides of the equation work together to make cyber insurance more accessible? Before we dive into it, let’s take a moment to wrap our arms around the challenges impacting both sides of the equation.
The Complexities of Cyber Insurance
Perhaps the most obvious challenge when it comes to cyber insurance is the sheer volume of organizations that have yet to secure coverage. Research shows that more than half (55%) of organizations do not have any form of cyber insurance. And out of those who have secured coverage, only 19% have coverage that exceeds $600,000 — a glaring disparity given the fact that the average claim for an organization is more than $800,000.
While organizations are struggling to secure coverage, insurance providers are simultaneously struggling to understand the nuanced risks of today’s security landscape. Stakes are getting higher as attacks continue to increase (the number of cyberattacks jumped 15% just from 2020 to 2021). In order for underwriters to provide profitable margins, it requires an understanding of what security practitioners are up against. Unfortunately, this is easier said than done.
Helping Insurers Understand Today’s Security Challenges
Cyber insurance has been available for more than two decades, but it’s only recently come into the limelight. Back in its inception, underwriters guessed what service disruptions would mean, and policies proved profitable, leading insurance to cover more incidents. However, the cybersecurity industry has experienced immense changes throughout the past decade — new attack techniques and trends, new technologies to exploit and more data than ever before. With these changes, insurers have raised premiums and added requirements that organizations must meet to qualify for coverage.
But in order to truly understand when and how they will need to pay, Insurers must roll up their sleeves and do their research on the industry. After all, how can you ask an organization to prove its cyber posture when you don’t have a firm understanding of a strong cyber posture to begin with? I recommend underwriters obtain a foundational understanding of the following protections: Multifactor authentication, password management, patch management, endpoint protection, data encryption, continuous monitoring, incident response plans and drills, cyber hygiene training, least privilege principles and network segmentation. The best place to start is finding a good blog or podcast on the topic of your choice.
Insurers also need to ensure their questionnaires to potential insureds are detailed in order to help organizations go beyond “checking the boxes” to guarantee the protocols are in place and the implementation is effective.
The Buyers’ Part of the Equation
For buyers to contribute to the partnership, they need to work with the broker to drill down as clearly as possible into what exactly is being purchased and what is/is not covered. Look at it this way: insurers are using a discerning eye to evaluate companies, and due diligence is a two-way street.
Buyers should leverage smart risk management and quantification to understand and communicate about their threat landscape and what’s being protected. Isolate key risk areas in order to buffer them with security, and ensure risk managers are providing in-depth clarity in contracts for insurers — distinguish a list of pre-approved vendors, outline processes and timelines for mitigating risks, and have an outside source conduct an evaluation of the company to ensure nothing slips through the cracks.
Working Together to Move Forward
In order to make cyber insurance more accessible for organizations and more efficient for insurers, both sides of the equation need to work together. The insurer needs to better understand the security industry so underwriters can create more strategic policies. And the buyers need to leverage risk management and quantification to better get ahead of their risks, button up their security posture, and lock in rates they can actually afford.