Cyber Insurance: Trends & Challenges
Keeping pace with the rapidly evolving landscape of insurance requirements in cybersecurity has proven to be a formidable challenge over the last few years. The dynamic nature of cyber threats demands constant adaptation, and insurance requirements have mirrored this need for agility. In this blog post, we explore key highlights from a recent presentation by an insightful insurance broker who provided valuable insights into the shifts and nuances in cyber insurance. From the stability of coverage and retention to the encouraging decline in loss ratios, controlled cost increases, and the evolving nature of renewal questionnaires, we delve into the broker's perspectives, offering a comprehensive view of the challenges organizations face in meeting these ever-changing insurance requirements.
Stability in Coverage and Retention
In 2023, the realm of cyber insurance coverage and retention (deductibles) has displayed stability. This consistent trend serves as a solid groundwork for organizations seeking financial protection amidst the escalating threat of cyberattacks. It suggests a potential maturation within insurance carriers in this domain. It raises the question of whether their actuarial tables are becoming more accurate, reflecting a growing proficiency in assessing and managing cyber risks.
Shifting Loss Ratios: A Positive Outlook
A positive trend comes to light when examining the loss ratios in cyber insurance. In 2022, the loss ratio was 44.6%, a noteworthy improvement from the 66.4% documented in 2021. This decrease signifies improved risk management strategies and heightened cybersecurity measures within the industry, contributing to a more robust insurance landscape. It could also indicate that insurance carriers are becoming more adept at evaluating risk and potential loss, showing a growing proficiency in navigating the complexities of the cyber risk landscape.
Controlled Cost Increases
Over the past few years, analyses within the insurance industry foresaw the possibility of triple-digit increases in insurance premiums, coupled with higher deductibles and elevated executions. Contrary to these ominous predictions, the costs linked to cyber insurance have experienced a moderate upswing, falling within the range of 0% to 15%. This increment is notably lower than initially anticipated, bringing positive news for organizations seeking cybersecurity coverage.
Evolution of Cyber Insurance Renewal Questionnaires
I recall that insurance questionnaires five years ago comprised perhaps ten questions on a single sheet. With each passing year, new items were incorporated, and now, they span 20 pages, seeking highly detailed information. There is a distinct transformation evident in the annual renewal questionnaires for cyber insurance. Over time, these surveys have progressed from a mere handful of inquiries to extensive assessments, now requiring explicit evidence of an organization's cybersecurity posture.
As an additional point, I was once asked for a checklist on how to reduce cybersecurity insurance premiums. The solution is straightforward: utilize the questionnaire. The questions are there because underwriters consider them significant enough to influence the premium. That serves as your guide; proceed to implement those measures.
The Cost of Coverage: Looking for Evidence
I want to underscore a crucial aspect: insurers are currently seeking evidence to validate the information provided on the questionnaire. This represents a substantial shift in their approach. Regrettably, there have been instances, including my own experiences, where individuals have been untruthful on the questionnaire in an attempt to secure a more favorable premium. Engaging in such practices is detrimental, as it can result in denial or reduction of coverage if dishonesty is uncovered. Consequently, insurance carriers find themselves compelled to request proof that specific controls are genuinely implemented.
Insurance carriers do not seek evidence for all the controls listed in the questionnaire. Instead, they prioritize specific controls, making it imperative for you to focus on implementing those as your top priority. The rationale behind this emphasis is clear: these controls contribute significantly to reducing losses. It's essential to recognize that insurance companies share a mutual interest in minimizing losses, as they do not thrive on paying claims. Therefore, it's in your best interest to heed what they are specifically asking for and prioritize their implementation accordingly.
I'd like to emphasize that the controls mentioned by the broker, for which insurance companies are now seeking evidence of implementation, align with CISA's Cybersecurity Performance Goals. CISA's Cybersecurity Performance Goals (CPGs) represent a subset of cybersecurity practices chosen through a comprehensive process involving industry, government, and expert consultations. The primary objective is to effectively reduce risks to critical infrastructure operations and the American people. These voluntary CPGs are designed to assist small- and medium-sized organizations in initiating their cybersecurity efforts. They achieve this by emphasizing prioritized investment in a select number of essential actions that yield high-impact security outcomes. I highly recommend exploring these goals for a more in-depth understanding.
Insurance carriers will be asking for tangible proof your organization has the following:
Multi-Factor Authentication (MFA)
Endpoint Detection and Response (EDR)
Privileged Access Management (PAM)
Employee Education and Training
The demand for evidence in these critical areas reflects the increasing recognition of their significance in mitigating cyber risks. As organizations, if we prioritize these controls, not only are we enhancing our cybersecurity posture, but we are also securing more favorable insurance rates.
The Crucial Role of Backups
A critical area where insurers actively seek evidence is in the realm of data backups. It is evident that insurers recognize the pivotal role backups play in ensuring continued operations and eventual recovery. This understanding is reflected in the escalating requirements imposed on backup practices. Insurers now delve into specifics, going beyond mere confirmation of the existence of backups:
Number of Copies: Do you maintain at least three copies of your data?
Air-Gapped and Offsite: Is at least one copy air-gapped and stored offsite?
Testing Frequency: Do you conduct backup tests at least twice a year?
Recovery Time Objective (RTO): Can you recover within 24-78 hours?
Monitoring by Anti-virus: Are the backups actively monitored by anti-virus software?
Immutability: Are the backups immune to tampering?
Encryption: Are the backups encrypted?
The devil lies in the details; a simple "yes" to having backups is not sufficient. These meticulous questions on backups underscore the crucial importance of an organization's capability to recover effectively from potential cyber incidents.
Underwriters evaluate robust cyber practices, with one emphasized metric being the allocation of 10% of the IT budget to cybersecurity. However, the challenge arises as not every organization classifies expenses in the same manner. This prompts the question: are they truly comparing apples with apples? For example, one entity might categorize firewall expenses under infrastructure while another designates them to cybersecurity. The lack of consistency in classification suggests that this metric might not be entirely accurate, casting doubt on its usefulness in underwriting.
When navigating the dynamic realm of cyber insurance, organizations can use the insurance questionnaire as a roadmap to identify practices and controls that mitigate their risks. There is a discernible maturation in the insurance market, and we anticipate that it will continue to stabilize in the foreseeable future.