A catastrophic cyber event hasn't yet come to pass, but vast amounts of personal data have been compromised. We need to be prepared for worst-case scenarios.

Mark Millender, Senior Adviser, Global Executive Engagement, Tanium

February 20, 2024

Skyrocketing premiums and complicated policy terms have put insurance policies across industries under a microscope. And with new compliance regulations geared toward addressing the record-breaking number of cyberattacks we saw in 2023, cyber insurance faces the same scrutiny.

The market for cyber insurance is more volatile than ever, driven by growth in both the total number of claims and the variety of cyber threats that policyholders face. The harsh truth is that the cyber-insurance industry alone cannot absorb a catastrophic cyberattack that causes billions of dollars in losses, and such an event only becomes more likely with time. Cyber insurance, as currently structured, requires evolution, not only to make it easier to acquire but also to deliver better value.

Fixing a Broken Underwriting Process

One crucial change is in the underwriting process. Right now, customers are wary of massive year-over-year premium increases, threats of non-renewal, and tales of claims being denied because of policy exclusions. At the same time, insurers recognize that many policyholders are not taking proper precautions to prevent attacks.

Part of the weakness in underwriting is that applicant environments evolve rapidly and grow more complex. Insurers that once relied on macro market trends no longer risk approving policies without examining the specific environment being covered. The depth of inquiry keeps expanding, dragging out the process for policyholders and applicants alike. In many cases, organizations must show proof of a certain level of security posture through capabilities such as multifactor authentication (MFA), endpoint detection and response (EDR), and more.

While insurers continue to collect more data and progress their cyber-risk analysis sophistication, they regularly adjust contract terms and policy exclusions. Premiums also remain volatile, often increasing to reflect higher loss ratios and claims experience.

In some cases, carriers' overall risk appetite shrinks, reducing individual policy limits or causing non-renewals. This has driven a search for alternative sources of risk absorption, such as deeper reinsurance markets or the capital markets via insurance-linked securities (ILS), of which catastrophe bonds are the best-known form. If you've read The Big Short or seen the film, you know where this can go wrong.

To minimize the impact of these trends, carriers and policyholders must accept that risk reduction is in their mutual interest — and robust risk analysis resulting in fair pricing and terms is the desired outcome.

Modernizing Information Gathering

Cyber-insurance underwriting is an outdated, lengthy process: data gathering and due diligence are manually driven and time-consuming, and they need modernizing. Electronically sharing metrics about cyber posture from inside the firewall of the insured entity should be the standard, but the question is: How can we get there effectively?

Gathering data electronically provides a more accurate snapshot of the environment, with less time and effort. Right now, policyholders tell insurers about their policies and procedures rather than demonstrating the actual efficacy of their operations. Manually gathered questionnaire answers paint a different portrait of an environment than electronic sharing, which can provide far greater visibility into security posture: how quickly and completely a company is patching, whether MFA is actually enforced, and whether other critical controls are in place. Sharing this deeper insight into the environment may raise concern among policyholders that an insurer could refuse to write a policy or charge higher premiums. That mindset is somewhat naive; insurers already know gaps exist between questionnaires and live environments. They want a clearer understanding of what reality is, and they still need to write policies to make money: no policies mean no business.

Amazon Web Services (AWS) is one of the first cloud service providers to develop a program to streamline the underwriting process using electronic data sharing. Its recently announced Cyber Insurance Competency program is designed to grant insurers access to accurate, real-time data about a customer's cloud security posture. While this is a positive step in the move toward electronic data sharing, it covers only the cloud portion of an environment; cyber insurers must concern themselves with the entirety of an insured's IT estate, including on-premises systems and endpoints.

Adoption of modern data collection for cyber-insurance underwriting is essential, but it addresses only one component of the challenges the cyber-insurance market faces. A lingering open question that must be urgently addressed is the risk of a catastrophic cyber event.

Federal Assistance May Be in Order

Insurance is designed to spread concentrated risk, but some correlated events can wipe out entire communities at once. Consider insurance that covers natural disasters such as hurricanes or floods, where billions of dollars of damage can occur in one specific place. In many such cases, federal programs exist to ensure that people hit by the devastation are protected.

Let's say a multibillion-dollar cyberattack happened today: If one attacker shut down a global cloud service provider like AWS, thousands of companies would be affected and losses would run into the billions of dollars. Even if many of the affected stakeholders carried some cyber insurance, the aggregate claims would devastate the insurers' reserves. Depending on the source of the attack and the cause of the losses, there would also be questions about coverage exclusions, such as the war and state-sponsored-attack exclusions that many carriers now write into their policies. In any case, the federal government likely would need to step in to cover much of the fallout. Government agencies including the Treasury Department, the Office of the National Cyber Director, and the Cybersecurity and Infrastructure Security Agency (CISA) are all considering what a federal backstop program could look like, with plans to meet in April.

While a catastrophic cyber event has yet to come, vast amounts of personal data have already been compromised. We need to be prepared for worst-case scenarios. Efforts from CISA are in place to combat this risk, and the White House has released executive orders prioritizing national cybersecurity. Moreover, new SEC regulations on cyber-incident disclosure recently went into effect. These regulations will improve the cyber-insurance industry by allowing closer examination of incidents, which in turn drives improved security posture. We know this much: When companies must disclose more, they usually find a way to do better. These policies are collectively moving us in the right direction. Can the industry and the regulators stay ahead of the bad actors? So far, that has been the case. Let's hope it continues.

About the Author(s)

Mark Millender

Senior Adviser, Global Executive Engagement, Tanium

Mark Millender, Senior Adviser, Global Executive Engagement joined Tanium in 2020 following a successful career in banking spanning more than 20 years. Most recently having worked as Head of Diversified Industrials at Lloyds Bank, Mark was previously a Managing Director at The Royal Bank of Scotland and started his banking career spending 11 years at Bear Stearns.
