A useful tool, as long as you consider the limitations.

As breaches continue and cybersecurity costs spiral, cyber insurance has become an accepted risk transference tool. Organizations buy these policies expecting to be paid out in the event that their security practices and tools fail them. security.org projects the cyber insurance market to reach $20 billion by 2025, but will a policy really mitigate your financial exposure if you are “popped”?

The cyber insurance industry is relatively new and rapidly evolving, and a number of its challenges have yet to be fully addressed. Insurers have built exhaustive questionnaires to guide their decisions on coverage and pricing, yet premiums continue to grow at an alarming rate (more than 100% per year in some cases).

What if, for instance, a hacker gets the formula for Coke? How do you price that coverage, and what would you pay for it? Furthermore, exclusion clauses abound, such as the common one stating that if you are breached as a result of nation state activity, there is no payout for you. But what makes an attack a nation state attack? And will you necessarily know instantly that you’ve been breached by one? If malware starts as nation state activity and then morphs into wider threat actor activity, will the consequences be paid out? The answer predominantly seems to be “no” at the moment.

Some of the challenges we note in the industry include:

  • Lack of standardization: There is currently no standardization of coverage or pricing, which makes it difficult for businesses to compare policies, make informed decisions, and choose a policy that suits their needs. The same lack of standardization makes it difficult for insurers to accurately assess and price risk, leading to policies that are either too expensive or not comprehensive enough, and to policyholders who find themselves under-insured or overcharged for coverage.
  • Limited data: Insurers have limited data on historical cyber losses. Think about the cyber landscape 20 years ago versus today: the accelerating pace of external threats and the exponential increase in attack vectors make it next to impossible to accurately assess and price risk from past losses.
  • Ambiguity: The coverage of cyber insurance policies can be ambiguous and difficult to understand, leading to disputes over coverage and claims. Ambiguity also makes it difficult for insurers to accurately assess the risk associated with a policyholder, which causes problems with pricing and underwriting and again results in policies that are either too expensive or not comprehensive enough to provide adequate protection.
  • Under-insurance: Many companies purchase cyber insurance thinking it will fully cover them in the event of a cyber attack, but in reality the coverage may be limited or may exclude certain types of attack (especially anything that can be classified as a nation state attack). Additionally, the costs of a cyber attack can be much higher than the policy limit, leaving significant uninsured costs. Some policies also carry high deductibles or exclusions that further narrow their scope.
  • Lack of expertise: Competition for cybersecurity talent is intense, and it’s expensive. Many insurance companies do not have the expertise needed to fully understand and assess cyber risk, leading to issues with coverage and claims. The result has been a simplified company “scoring”, often relying on measures which have no real bearing on the actual risk an organization faces (if you have 50 websites which are all secured, you may well be at less risk than an organization with 1 that’s wide open and connected to everything). This creates further risk for insurers, which means more cost for buyers.
  • Cybersecurity standards: Many policies require businesses to meet certain cybersecurity standards to be eligible for coverage. These can be difficult and costly to implement, and guess what? The bad guys know those standards better than you do, and how to get around them. No one disputes that improving your internal control posture has benefits, but its usefulness against a targeted attack from a skilled adversary who knows how to monetize your crown jewels is muted. Furthermore, different insurers use different standards (or work with different scoring vendors), which creates a lack of consistency and even more confusion.
  • Quantum computing: There is still some time (hopefully) before quantum computers cause problems with encryption, which is a control you (hopefully) rely on. There will then be an arms race of quantum-resistant encryption, quantum attacks on cryptography and so on. Will you be able to a) protect your data and b) know when it’s gone?

The comparison of pricing cybersecurity policies to the insurance you buy in your personal life is tempting. For your automobile, if you’re a safe driver, you have anti-theft systems installed, and your alma mater is on the insurer’s favored customer list, it spits out a premium that relates back to known, estimated losses. For your home, insurance companies can limit their exposure in hurricane zones, or share it with others. For life insurance, there are tediously built actuarial tables supported by extensive datasets. None of these analogies is useful in the cyber context.

Fast forward to 2023: there are giant cloud and SaaS providers, each with thousands of clients. What happens if one of them suffers a huge breach? For example, AWS probably has over 1 million users; let’s say 50% of those are companies. That gives us 500,000 organizations, maybe half of which have insurance, so 250,000 policies. AWS gets breached at scale, all of those demand payment, on top of which AWS itself demands payment. Unlike car accidents, these losses are correlated: one event triggers every policy at once. This is potentially a messy situation… Could a major provider suffer such an attack? Maybe. In 2007 the risk of the housing market collapsing at scale was also considered highly unlikely.

So tread carefully when weighing up your insurance options, and even more carefully when deciding how much of your security program is going to rely on insurance. One last thing: there has been talk of threat actors targeting organizations that carry insurance (Graham Cluley), since they know they will get paid, and that is also not going to play out well on the premium front.

Next time – how to improve cyber insurance.