Posted on April 20, 2022
People naturally tend to be risk averse. While some individuals live for the adrenalin rush of betting the farm on what seems like a good chance, most people are reluctant to assume even far smaller risks. This is hardly a new story: insurance evolved roughly 4,000 years ago, when Babylonian lenders and ship owners devised ways to spread the risk of a ship loaded with valuable cargo being lost at sea, and to reward those who assumed it.
Modern insurance is based on actuarial science and, increasingly, big data. Insurance companies have vast pools of data on life expectancy and factors that impact it, as well as car accident data such as the percentage of cars that can be expected to get into accidents every day, the damage and injuries those accidents will cause, and costs of recovery and repairs. Insurance companies use all of this data to calculate premiums that allow them to come out ahead, despite the fact that all life insurance policy holders eventually die, and many crash at very predictable rates.
There are, however, scenarios that make life uncomfortably risky even for insurers, despite their risk expertise. Structural changes can render their data inaccurate. Climate change, for instance, is currently playing havoc with insurers as droughts contribute to larger, more intense fires, and warming ocean waters result in more and more powerful hurricanes.
Developing new types of insurance for business lines that are so new that reliable statistics simply do not exist is another risky scenario, and one that insurers took on when they began to offer cyberinsurance. A more basic, ongoing and intrinsically related issue, however, is that since there is no fixed definition of what a covered cyberattack is, insurers cannot properly assess what the potential liabilities are – what the industry calls “possible maximum losses.”
For example, in a discussion about cyberinsurance on Chase Cunningham’s Dr. Zero Trust podcast, Gerry Kennedy, CEO of Observatory Strategic Management, cited an incident in which criminals hacked encoded car keys, then opened the cars, started them up, and drove them away. Auto insurance covers this as an instance of theft despite it being, in fact, a cyberattack. It is also an unfunded covered loss, since this type of incident was not factored in when the auto insurance liability was costed out.
Few US insurers underwrite cyber insurance due to the lack of sound data on the level of exposure. Without stable data – and without knowing how to assess risk — setting reasonable premiums and terms is guesswork, at best. As Gerry Kennedy noted, “Nobody has ever defined it. It’s about naming the perils, which the industry has failed miserably at. They have not inventoried any of the losses.” Regulators, as well, lack expertise when it comes to cyberattack risk.
This is no trivial matter, since in truth, cyber risk is both systemic, in that it can impact vast swaths of modern life, and highly unpredictable.
While ransomware has been around for a long time – the first documented ransomware was the AIDS trojan delivered by floppy disk in 1989 – only lately has it become a business-stopping multi-million-dollar threat to large corporations. In 2020 the direct loss ratio for cyber insurers – the amount insurers pay out on claims relative to premiums earned – skyrocketed from 47 cents per dollar to 73 cents per dollar. Cyber insurance became a much less profitable business line overnight. And, of course, ransomware is not the only type of cyberattack that organizations expect cyber insurance to cover.
Failure to accurately identify the risks or accurately predict the sharp jump in costs and frequency of cyberattacks when setting premiums has led some insurers to seek ways to avoid cyberinsurance payouts for ransomware and other attacks. Many of the arguments they’re using are clearly disingenuous and easily recognized as efforts to find ways to cut losses. For example, in one ransomware attack, an insurer tried claiming that they weren’t liable because the data wasn’t actually damaged since it was physically still there, on the client’s server, albeit inaccessible.
Insurance companies are responding to the spike in ransomware-related losses in several ways: massively increasing premiums (by as much as 200%), limiting coverage, and in some cases, dropping coverage entirely.
For cyberinsurance to be a viable offering for insurers, as well as a valuable risk reduction strategy for organizations, insurers must take steps to rationalize the way policies are written – something which should have been done from day one: Specifying coverages, bringing experts on board who understand the cybersecurity field, incentivizing applicants to put better cybersecurity controls in place or making them a prerequisite for obtaining coverage, and adding right-to-inspect clauses to add teeth.
A recent Risky.biz podcast segment on cyber insurance highlighted eight security capabilities insurers look for when deciding whether to issue a cyberattack policy and what premiums to charge:
Now that we’ve seen the insurers’ perspective, what about organizations considering a cyber insurance purchase? Is it a worthwhile investment or a waste of resources that could be better invested in additional protection?
The answer, of course, is “it depends.”
It’s important to check the fine print and make sure the policy actually protects your organization against the most common and potentially damaging risks, such as ransomware.
Just as automobile insurance doesn’t protect you from having accidents, cyber insurance won’t stop cyberattacks. It can help reduce the expense and soften the bottom-line blow, but just as auto insurance can’t stop you from being seriously injured in a car accident, cyberinsurance can’t save your business from a cyberattack.
What both auto and cyber insurers can do, however, is condition coverage on actions that will protect you, regardless of what threats come hurtling your way. Just as auto policies might make coverage conditional on installing an alarm or anti-theft device, cyberinsurers can make policies conditional on use of multi-factor authentication, for instance, or Zero Trust Network Access (ZTNA) for remote worker connections, rather than VPNs or exposed RDP. And like back-up sensors that protect your car from any unseen object, insurers should require solutions like remote browser isolation (RBI) that protect against known and unknown threats.
Organizations that have implemented solid cybersecurity controls should choose an insurer that values their proactive stance and rewards it with favorable terms. It’s a belt-and-suspenders approach that yields the best of both worlds: reduced risk for both insurer and the insured business, and a lower premium for coverage in case a threat does manage to get through.