Cyber insurance has become increasingly difficult – and expensive – to obtain for organizations in the public and private sectors. Insurers require prospective customers to fill out lengthy questionnaires, with no guarantee of coverage at the end, and plans have become pricier.
Insurance broker and risk management services company Marsh reports that the price of cyber insurance in the US increased by an average of 96 percent year-on-year in the third quarter of 2021. Kirsten Bay, CEO of cyber insurance provider Cysurance, said during an RSA panel last week that coverage “will never go unquoted ‘cheap’ ever again.”
But there could be ways to make coverage more achievable, and Bay and other panelists delved into the challenges and opportunities that lie ahead.
PROVE GOOD CYBER PRACTICES?
Insurance companies face the fact that cyber threats are evolving rapidly and that the elements of a strong cybersecurity posture are likely to change constantly, said Kyle Bryant, international chief underwriting officer for cyber insurance and cybersecurity solutions provider Resilience. This makes it difficult for insurers to fully understand the long-term risk associated with a customer’s coverage.
“These are all things that happen in real-time as threats change, and so a risk that looks good now may not be what looks good tomorrow,” Bryant said.
Nick Schneider, president and CEO of internet security company Arctic Wolf, said that insurance companies, wanting to better understand risks, are asking applicants to answer an exploding number of questions.
“We had some clients at a recent kickoff here who shared some anecdotes with us… and where their original policy was five questions and guidelines, the renewal is 300 questions and maybe guidelines,” Schneider said.
However, questionnaires may not be the only way for insurance carriers to obtain information. Bryant said the cyber insurance landscape could evolve as applicants start sharing data with insurers to show they are keeping up with good cyber hygiene practices. He compared this to auto insurance policyholders allowing their driving to be monitored in order to receive lower rates for safe driving practices.
“We have the ability to monitor people to understand how fast companies are patching their business, how fast they’re updating their systems, that information is available, but right now they’re essentially sitting in a lot of cybersecurity silos, a lot of MSPs [managed service providers] and many other technologies,” said Bryant.
Bryant and Schneider also suggested that insurance companies work with cybersecurity firms that can help them better understand cyber risks.
WHAT INSURANCE COMPANIES ARE LOOKING FOR
Panelists emphasized that they want customers to think of cyber insurance as backup support they can turn to when recovering from cyber attacks, rather than treating it as their overall defense and resilience plan.
“Anyone who has household contents insurance simply doesn’t forget the alarm,” Schneider said.
Insurance companies want to see that prospective customers are following certain best practices that reduce their exposure to risk. Those practices may vary, but Bay said most insurers will reject customers who don’t have multifactor authentication or who can’t patch.
Some insurance companies are discussing striking a balance and offering some level of cyber coverage on the condition that customers follow good cyber hygiene practices, Bay said. Customers who do not adhere to good behavior would see their insurance pay out less for insured claims.
“New policy forums are coming out now that talk about these things, like if you haven’t patched in 45 days, start degrading your limits,” Bay said. “They’re trying to bring skin into play.”
IS EVERYONE INSURABLE?
Bay also said insurance companies should reconsider options for offering cyber insurance.
“I strongly believe that we need to segregate traditional cyber liability to the point where it can almost become catastrophic property insurance, and then we can have lower limits, more flexible but standardized programs,” Bay said.
In the homeowner arena, catastrophe insurance plans protect business and residential policyholders in the event of rare but costly incidents not typically covered by standard homeowner insurance, per Investopedia. These can include natural disasters and terrorist attacks.
MSPs often face daunting prospects when seeking insurance, but insurance companies may be more willing to insure them only for catastrophes, Bay said.
“[MSPs] are almost uninsurable at this point due to supply chain risk,” said Bay. “Many of these organizations are already doing the right things, but that still makes them at very high risk.”
GovTech previously reported that attacks compromising MSP services can spread rapidly across their customer base: the ransomware attack on IT software provider Kaseya, for example, affected an estimated 2,000 public and private customers worldwide.
Bay suggested that it might be more palatable for insurance companies to treat MSPs as a high-risk group, only eligible to receive catastrophe insurance and “no lower, less expensive, or lower deductibles.”