5 Reasons Cyber Insurance is a Mess
Cyber insurance is a hot field right now. A well-written cyber insurance policy can help businesses protect against what many see as inevitable — the “not if, but when” theory. It’s this theory (or, some would say, strategy) that has businesses searching for non-technical buffers to reduce financial liability should a cyber incident strike. When hardened cyber controls aren’t enough, insurance is — theoretically — there to pick up some of the pieces.
The cyber insurance industry is (formally) only about a decade old and still finding its footing. At this stage, the differences between providers’ policies create complexity and confusion for buyers. What’s more, since buyers have witnessed instances of insurance companies wriggling out of substantial claim reimbursements for bona fide incidents, they don’t have the utmost confidence that the monthly premiums they pay to their insurer will be repaid when a claim is needed.
Insurance, as a general industry, has been around for hundreds of years, and insurers have perfected their formulas for health, home, property, and the like. Cyber, though, is a lot shakier, not just because it’s a newer field, but because the rules of the game keep changing.
To insure, or not to insure. That is the question.
Many organizations have determined that cyber insurance is a smart move. But unlike other types of insurance, finding the right plan and qualifying for it can be extremely frustrating and labor-intensive. First of all, not all insurance companies offer cyber insurance, so the business may have to start from scratch in the vendor identification process. Once a short list of providers has been identified, the buyer moves to the evaluation phase. But evaluating plans isn’t always straightforward, and that is true both for the business looking for a plan and for the insurer. To even qualify for cyber insurance, companies have to meet certain technical qualifications, but those qualifications can change from provider to provider.
And then there are the premiums…
There are numerous reasons cyber insurance premiums are harder to determine than those for other insurance coverages. Chief among them: change and scope. Corresponding to the hyper growth of the global attack surface, cyber attacks have increased in size and frequency over the past two decades. The complexity of organizations’ digital ecosystems and the sheer volume of things — hardware, software, data, networks, users, transport protocols — means there are ever-expanding ways for attacks to happen. And while attack methods themselves haven’t changed dramatically (because they don’t have to), there is simply more opportunity for nefarious behavior. Anyone with a little skill and an internet connection, regardless of where they are in the world, can launch a cyber attack against any person or company, anywhere in the world. Cyberspace is, in effect, the great geographic equalizer.
Logically, then, the first reason the cyber insurance market is a mess is:
1. The Evolving Nature of Cyber Threats: The cyber attack landscape is constantly changing. Companies’ digital environments evolve and morph (sometimes over the course of just a few hours), new vulnerabilities and threats continually emerge, and attackers change tactics as soon as they see an opportunity or need. As a result, insurers have to make their best guesses about what will happen in the future based on historical data, while taking into account how rapidly cyberspace and its inherent risks change.
Still, there are other elements impacting the insurance market. Understanding them doesn’t make the market less frustrating for buyers and business operators to navigate, but it may help. Additional reasons for consternation include:
2. Limited Historical Data: Following on point #1, compared to other types of insurance, historical data on cyber losses is limited. Cybersecurity is a much newer field than others for which insurance is common. Insurance companies have had hundreds of years to perfect their calculations for coverage areas such as life insurance, health insurance, marine insurance, auto insurance, fire insurance, and so on. In contrast, the first known cyber insurance was issued in 1997 by AIG, and the scope of what needed to be included in that coverage was significantly smaller than what needs to be part of a plan today. A lack of comprehensive data makes it problematic for insurers to accurately predict and quantify potential losses associated with cyber incidents.
3. Lack of Standardization: The nascency of the field also means that insurers have not yet coalesced on terminology, minimum viable requirements for coverage, or even common inclusions or exclusions. The lack of standardization produces wide variation across firms’ policy terms, coverage options, and underwriting practices. In turn, businesses often find that they cannot directly compare coverage and pricing options between insurers. Lengthy legal reviews can slow down the process of obtaining coverage, and an organization may not be able to include all the coverage it wants in one provider’s plan.
4. Complexity of Risk Assessments: Evaluating an organization's cyber risk profile is a complex task. Organizations’ IT infrastructures are moving targets (pun intended). Services spin up and down, policies change and become outdated, hardware and software are added and removed, users’ access requirements change, and so on and so forth. On top of that, no two environments look alike. Therefore, to be effective, assessors must customize assessments to each organization, driving up cost, time, and effort. Despite the complexity of assessment, to safeguard their own interests, insurers underwrite policies based on stricter and more uniform measures. To alleviate ambiguity about the state of an insured’s network, some insurance companies have started requiring the implementation of their own or a specified managed detection and response (MDR) technology in the insured’s environment.
5. Climbing Cost of Cyber Incidents: The financial ramifications of a cyber incident can devastate a business. According to the latest IBM Security “Cost of a Data Breach” report, the global average cost of a data breach is now $4.35 million. The average cost of a ransomware attack (not including any ransom paid) is $4.54 million. The cost consequences alone should be reason enough for organizations to constantly improve their security control coverage. From insurers’ point of view, though, what they’re willing to pay out, should a cyber incident occur, is a straightforward risk-plus-cost calculation. The goal of the insurance company is to make money, not lose it when a customer is the victim of an attack. Therefore, premiums have to be written such that the insurer won’t absorb any long-term financial damage when a customer files a claim. The result is stricter underwriting criteria, higher deductibles, and coverage limits so that insurance companies can mitigate their potential exposure to substantial claims.
Given these factors, businesses wanting to obtain cyber insurance should be prepared for lengthy and sometimes complicated discussions with providers. In advance of these conversations, businesses should determine what’s most important to them and whether they have the means to shore up any existing controls to obtain an adequate level of insurance, or if they want to risk higher premiums should they fail to meet certain insurance requirements. In all cases, regardless of the provider chosen, businesses will be required to demonstrate their cybersecurity posture — both initial and ongoing — to remain a covered entity. It will be incumbent upon organizations to regularly show their provider the state of their security measures, engage in risk assessments, and work closely with insurance brokers to adjust as the state of cybersecurity and the organization’s security posture shift over time.