Cyber insurance - friend or foe?
By Darren Anderson
Just ask yourself: “is saving the cost of the ounce of prevention worth the pounds of cures you’ll need when a cyberattack comes?”
With increasing costs, inconsistently applied assessments, and failure to deliver, we’re seeing organizations drop cyber insurance. Despite a promise to mitigate the financial risk associated with cyber incidents, cybersecurity insurance is plagued with significant issues that can reduce its effectiveness and may even create risks of its own.
Cyber insurance is meant to be a risk transference mechanism: the potential financial cost of a cyber incident is covered by an insurer who, in return for your premiums, agrees to pay out in the event of an incident, subject to conditions. However, because cyber insurance is modelled on more traditional insurance products (such as life insurance), it cannot effectively comprehend and deal with the rapidly changing risk that cyber presents. At the same time, the measurement of impact is dubious and tends to focus on fines and alerting costs.
To be more specific, we can identify the following ongoing problems with cyber insurance:
1. Ambiguity in Coverage
One of the most notable problems with cybersecurity insurance is the lack of standardization in coverage. Policies can vary widely in terms of what they protect, and many include numerous exclusions. For example, some policies may cover data breaches but exclude phishing scams, while others may cover ransomware attacks but refuse to cover attacks that exploit unpatched software. This ambiguity makes it difficult for companies to understand what they are purchasing and leaves them vulnerable to uncovered losses.
Furthermore, some policies contain language that can be vague and open to interpretation, leading to disputes when companies attempt to file claims.
A survey by Sophos found that the cybersecurity insurance policies its respondents hold aren’t adequate for the job. For example, only 64% have insurance that covers ransomware, one of the best reasons to have coverage in the first place.
2. High Premiums and Rising Costs
The rising frequency and severity of cyberattacks have led to higher premiums for cybersecurity insurance, making it financially challenging for smaller organizations. Insurers are adjusting to the increasing risks by raising premiums, reducing coverage limits, and implementing more stringent requirements for underwriting. As a result, many companies are priced out of the market or forced to accept policies that offer minimal protection.
For organizations that cannot afford premium policies, the level of protection may be so limited that it renders the insurance only marginally helpful in the event of a significant cyber incident.
3. Moral Hazard and Reduced Incentives for Cybersecurity
One concern with cybersecurity insurance is that it could create a “moral hazard,” where companies may invest less in cybersecurity because they believe they are financially protected by insurance. If organizations rely too heavily on insurance instead of actively improving their cybersecurity measures, they may remain vulnerable to attacks, leading to higher rates of incidents and insurance claims.
This complacency can undermine cybersecurity overall, making networks more susceptible to breaches and leading to more significant losses in the long run.
It’s also a terrible strategy: relying on an insurance plan that isn’t actually going to cover your losses. So is it really risk transference, or just a head-in-the-sand gamble?
4. Underestimation of Systemic Risk
Cybersecurity insurance policies are challenged by systemic risks, where an attack on a single vulnerable system could cascade across multiple companies and industries. This was illustrated by the NotPetya attack in 2017, which caused extensive losses across various sectors. Because of the interconnected nature of modern technology, a single widespread cyber event could lead to massive claims that insurers may be unprepared to handle.
Insurers struggle to accurately predict and price these risks, leaving them vulnerable to catastrophic losses that could jeopardize their financial stability and result in higher premiums or reduced coverage availability for policyholders.
5. Difficulty in Quantifying Cyber Risks
Unlike physical risks, cyber risks are inherently more difficult to quantify due to their unpredictable and evolving nature. Insurers typically assess risk based on historical data, but cyber threats change rapidly, and past data may not accurately predict future incidents.
They also tend to rely on methods that grossly oversimplify risk, for example the various security scoring platforms out there. These provide a simple answer to a complex problem, which is fine if you think the law of averages applies, unless of course your average is way off.
This makes it challenging for insurers to price their products appropriately, leading to either underpriced policies that are financially unsustainable or overpriced policies that discourage businesses from purchasing coverage. Moreover, with limited data, insurers are more likely to impose restrictive conditions or exclusions, further complicating the value proposition for customers.
If not cyber insurance, what?
We’re not telling you not to have cyber insurance; in many cases it’s a must-have (which doesn’t mean it’s actually useful, but let’s not talk about security theater). However, if you choose to go without, or want to try to lower your costs, the best insurance is what you can do for yourself: close the proverbial doors and windows of your estate and reduce the risk of a breach significantly. It is less costly, in terms of both money and time, to ‘prevent the breach’. A ‘prevention is better than cure’ mindset is key.
Conclusion
While cybersecurity insurance may provide financial relief following a cyber incident, the sector faces significant challenges. The ambiguity in policy coverage, high costs, stringent underwriting demands, moral hazard, systemic risk, and the difficulty of quantifying cyber risk all contribute to the complexity, and diminishing use, of the field. Until insurers can address these issues, cybersecurity insurance will remain an imperfect tool in managing cyber risk. Businesses must continue to invest in effective cybersecurity measures and consider insurance as just one part of a comprehensive cyber risk management strategy.
The best cyber insurance is a consistent and comprehensive approach to identifying and fixing vulnerabilities across the technology estate, driven by a knowledge of your own attack surface, threats, vulnerabilities and exploits.
Our Incenter platform and security assessment services firmly place an organization in a proactive place, so regardless of your thoughts on cyber insurance, we can help you minimize your risk.