The rising cost of ransomware attacks is helping drive significant premium increases for cyber-insurance policies in the UK and US, new data shows.
With payouts across the past two years averaging more than $3.5 million in the US, a growing number of cyber insurers want direct access to customers' security metrics and measures so they can verify the status of security controls, according to a Panaseer report on the state of the cyber-insurance industry.
However, insurers are struggling to accurately understand a customer's security posture, and that uncertainty in turn feeds into the price increases.
Nik Whitfield, founder and chairman of Panaseer, notes that 82% of insurers surveyed said they expect the rise in premiums to continue. "The increasing cost of ransomware is putting premiums up, and the increase in the number of attacks, as well as the number of successful attacks, means insurance is getting harder to get and is getting more expensive," he explains.
Meanwhile, 87% of insurers surveyed say they want a more consistent approach to analyzing cyber-risk. "Fundamentally, insurers need better information in order to price the risk — questionnaires aren't going to cut it," Whitfield says. "Having real live data coming from a customer about their security posture is what's going to be required for them to accurately price risk, in the same way that telematics did for car insurance."
The survey found that the most important factor when assessing potential customers' security posture is their cloud security — cited by 40% of survey respondents — followed by security awareness (36%), application security (32%), vulnerability management (31%), privileged access management (31%), and patch management (30%).
One of the likely challenges in the market, Whitfield points out, is the hesitancy many organizations will have about handing over privileged information about the inner workings of their security programs. "No one wants to share their security information with anybody else because that creates a security risk, and it feels vulnerable to expose intimate information about your security posture to others," he says.
In the worst case, some companies will be unable to obtain insurance at all, or at a reasonable price, because they can't provide sufficient information, according to Whitfield.
"In those cases, they will have to do something more extreme, such as providing evidence, information, and hopefully work with their insurer to improve their security posture," Whitfield notes. "It's like any type of risk — the better the risk looks to the insurer, the better your premiums and the easier it will be to get insured. And it'll be no different in cyber."
Cyber Insurance Market Waffles on Pricing
The survey indicates that many insurers don't yet know how to price cyber insurance: while 47% of respondents said they are "very confident" in their underwriting process, 44% are only "somewhat confident."
"There are some conflicting results that show on the one hand, they're confident in their models, but on the other hand, they're not really confident that they understand how to price it," Whitfield explains. "This is going to evolve over time. But there needs to be an openness and awareness and a conversation with the market about how to do this."
Complicating matters is that the past is never a good predictor when it comes to cybersecurity. "For some kind of risks, the past can give you a good handle on what's going to happen in the future," he says. "In cyber, it's just not the case. We have active adversaries. We have new tools, techniques, and procedures to gain access to our environments, new malware, new applications. The past is no predictor of the future. And that's what makes it so difficult for them to price this."
Insurers and brokers are charging more for policies and setting stricter requirements as they face an increasingly complex, global threat landscape in which attacks are growing in both frequency and severity.
A Kaspersky study released in January 2022 and conducted in October 2021 indicated that investing in cyber insurance is a growing proactive trend: 28% of respondents said their company invests anywhere from $25,000 to $50,000 per year.
From Whitfield's perspective, the outlook for cybersecurity threats is going to get worse before it gets better. "The risk to businesses has been increasing, and the number of breaches and the cost of a breach has been rising steadily in the last few years," he says.
So, how can the insurance industry both support business and make a return at the same time? It will take a partnership between the insured and the insurer, he explains. "I don't think it could be forced by one party or the other, and it needs to be settled with evidence rather than a questionnaire finding out what the opinion of an organization is about a security posture."
That means insurers getting hard, high-quality data about an organization's security posture, delivered efficiently and in a timely way, that they can rely on. "That will be the real revolution in the cyber-insurance industry," Whitfield says.