Challenges and Opportunities of the Cyber Liability Insurance Market
As an advisory CISO and part of Cisco’s strategy group, an essential part of my role is talking to CISOs from every kind of organization. From these conversations, it is clear cyber liability insurance is steadily rising to the top of the agenda, due to the sheer amount and scale of cyber-attacks hitting firms.
As well as talking to CISOs, I also believe it is crucial to get perspectives from all sides. So, on a recent webinar, I sat down with Darren Thomson, Head of Cyber Intelligence Services at CyberCube, a firm that provides data-driven cyber risk analytics for the insurance industry. The conversation gave me plenty of food for thought and provided fresh perspectives that feed into my goal of making CISOs more successful. Here are my key takeaways.
Hard market woes
Unsurprisingly, insurance has become a ‘hard market’ over the past three or four years, meaning that premiums have increased (by 96% in Q3 2021 in the US as reported by the World Economic Forum) while capacity has decreased across the board. Some organizations have found it nigh-on impossible to get policies to cover their businesses, and those that manage to get coverage have found it to be not only a more complicated process than it was before, but a more expensive one as well.
So, what is the chief contributor to this hard market from a cybersecurity and threat landscape perspective? As we discussed on the webinar, it's undoubtedly our common adversary, ransomware. To quote Darren:
Five or six years ago, ransomware attacks were demanding an average of $500 and going after consumers, rather than enterprises. Now that demand can be millions of dollars, even tens of millions of dollars in some cases. The general sophistication, the tactics, techniques and procedures utilized by the criminal gangs, all of that has driven insurers to harden the market and to be in a situation where they really want to understand what the risk of ransomware is to their potential client before they underwrite a policy.
So how do insurers get hold of that kind of insight?
Because cyber liability insurance is still one of the newer kids on the block, originating from the post dot-com bubble, there is a distinct dearth of information for insurers and reinsurers to draw from when devising an underwriting strategy for a cyber liability insurance policy. This is compared to, say, catastrophe insurance which can use data from 200+ years' worth of earthquakes.
To overcome this, many insurers, including Lloyd's of London, rely on ‘signals’: enormous amounts of raw data that are aggregated and served to underwriters to inform their decision making. These signals tell them two things about a firm: the first is its level of security maturity, and the second is how exposed it is, that is, how likely it is to experience a breach. Because of this, it is crucial that firms take their cyber hygiene seriously.
As well as helping underwriters to create policies, signals can also be a goldmine of information for a CISO, surfacing facts about their firm that they did not know; these are things that can be acted on to implement the right controls, raise security maturity and make the organization more resilient. Which brings us to the next point…
The right controls
Luckily, there is no ‘secret recipe’ that insurers have invented when deciding which controls they look for. Firms offering cyber liability insurance are taking heed of well-known practices that have been formed over the past 10-20 years, such as Cyber Essentials, NIST, ISO 27001 and the MITRE ATT&CK framework.
And as is the case with all these best practice guidelines, it all comes down to being able to demonstrate a structured security programme and making sure that you're addressing issues like ransomware very clearly with a cyber hygiene plan in place. This kind of plan should cover the following:
- What your company expects an attack might do
- How your company can respond to it
- Knowledge of the defences that have been put in place to show visibility and control (particularly around exposed services and their ports, such as RDP and FTP, which are huge red flags to insurers)
- The extent to which you understand your hardware estate:
  - How many devices you have
  - What their current state is
  - How you run your patching programme to reduce or limit the risk
  - How you map those against some of the aforementioned basic standards (NIST, Cyber Essentials, etc.)
This all sounds logical… but one or two of these could prove to be sticking points for many firms, as demonstrated in some of our recent research.
The value of visibility
Our latest Security Outcomes Study, where we explore some of the concerns that CISOs have and what they think would help them best, showed that nearly 40% of over 5,100 IT professionals in 27 countries thought they had outdated technology in their organization. When it comes to trying to get cyber liability cover, that kind of scenario is going to be incredibly difficult to defend to an insurer.
The same study also showed that the probability of maintaining business resilience doesn’t improve until business continuity and disaster recovery capabilities cover at least 80% of critical systems. Anything less and it starts to become very difficult to prove a firm has an adequate level of visibility and control. Having this information at hand will go far in any discussion with an insurer. It shows that a firm is actually aware of the risks, mitigating them wherever possible, and that they are making sure that they can defend their organization.
Ultimately, having the tools in place to demonstrate that a firm has seriously considered its security posture will go a long way towards ensuring it gets optimal cover at a reasonable rate. As Darren excellently summarized on our webinar, approaching cyber liability insurance without comprehensive visibility and control is like someone driving a Fiat 500 and having the broker determine that they need a policy worth half a million dollars to cover it. You don’t want to be in that boat…or car!
Want to see how Duo can help improve visibility and control?
To experience the difference that Duo can make when it comes to security and visibility in your organization, sign up for a 30-day trial today.
Or, check out some additional resources we’ve compiled, like:
Cyber Liability Insurance: What You Need to Know, a helpful guide for organizations considering cyber insurance
An overview of Duo’s device visibility features
Documentation for the Duo Device Health Application