As the market for cybersecurity insurance evolves and matures, insurance giant Lloyd's of London is preparing to exclude most nation-state attacks from its coverage policies. In the wake of such changes, organizations are reassessing their cyber insurance strategies.
While the Lloyd's announcement does not explicitly exclude all nation-state or nation-inspired cyberattacks, it does solidify some definitions around what is and is not covered.
"This guidance will now be trickling down into cyber insurance policy providers' wordings," explains Chris Denbigh-White, security strategist at Next DLP.
Organizations must figure out which policies offer the best value and coverage, and look into other risk treatment measures if they wish to address the risks that cyber insurance cannot, he says.
Self-insuring may allow companies to tailor their insurance coverage and costs more carefully.
Opportunities and Risks in Self-Insurance
"A well-implemented self-insurance strategy has the potential to give an organization granular control of costs and coverage," Denbigh-White says. "In the short term, it may offer a certain degree of cost savings, as its purpose would be to cover remediation of potential cyber incidents as opposed to generating income for a third-party insurer."
However, if a self-insured organization does not focus resources on improving security controls and capabilities to reduce the probability of an event that requires a claim, it runs a serious risk of exhausting its self-insurance fund, if not bankrupting the entire company, through just one or two events.
"Self-insurance requires an organization to be responsible for covering all losses," Denbigh-White says. "Whilst this may seem obvious, a self-insured organization can only draw on the money it has invested in its self-insurance to address any future claim."
In contrast, commercial insurance companies not only have access to funds from a multitude of client premiums, but they also may benefit from upstream support. This often includes reinsurance (underwriting) and maybe even backstopping from governments in certain cases.
In addition, the administrative burden of setting up such a self-insurance function within an organization may prove prohibitively complicated and costly. Self-insurance is not something organizations can just "switch to" in the same way they might change an external insurance provider, Denbigh-White notes.
"Implementing such a program requires in many cases a business function to be set up to support management, claims processing, regulatory communications, and day-to-day operations," he says.
Saving Money Could Be Costly
For organizations with the administrative and financial capacity, self-insurance could prove a viable approach. But for those without, it could prove an expensive enterprise that serves to cost more and protect less.
Bud Broomhead, CEO at Viakoo, says that self-insurance has the benefit of forcing the organization to focus on running an accurate risk assessment that is specific to its business.
"In the end, an organization can achieve significant cost savings through self-insurance, which is ultimately the main benefit," he says.
The main risk lies in getting it wrong. A self-insured organization that is the victim of an attack cannot offset its losses as it might through insurance. "'Black swan' risk is fully absorbed by the company and, because it was not considered in risk assessment, could be much more expensive," Broomhead adds.
Improving Security Is an Insurance Strategy
Bill Bernard, area vice president of Deepwatch, says the best insurance strategy is to avoid needing to use insurance.
"As an analogy, buying a car with automatic crash protection braking lowers the probability I'll have to file an auto insurance claim," he explains. This type of preventative thinking will be critical to successfully self-insure against cybersecurity incidents, he says.
The way to minimize the number of claims events is to have a robust security program, including a well-prepared capability to detect, respond, and recover from events before they become claim-generating events.
"Sadly, these capabilities have often been treated as cost centers by companies, and that thinking will have to change," Bernard says.
Influence of Federal Regulations
With new regulation coming to critical sectors (water, rail, aviation, and health have already received it) and an increased focus on third-party security, many organizations are shoring up controls to be able to compete more effectively for government contract work.
"As controls improve, the conversation with the insurance company is worth revisiting to demonstrate those controls to hopefully result in lower cost of coverage," says Mike Hamilton, CISO of Critical Insight. "Further, with the federal government examining becoming a reinsurer along the lines of the TRIP program, insurance companies are being given more breathing room, and this may result in lowered premiums as well."
Adds Next DLP's Denbigh-White: "In relation to the US market specifically, I will be watching closely for further announcements around a potential federal backstop for cyber insurance."
Hamilton points out that self-insurance is alternately called "no insurance."
"If an insufficient amount is set aside, a cyber event could be existential," he says. "On the other hand, rolling those dice for a year and making investments in controls will have the effect of lowering premium costs, as risk has been demonstrably reduced."
Broader Changes in the Cyber Insurance Market
Much like car insurance priced using a device in your vehicle that reports back to the insurance company how you drive, cyber insurance needs data to price risk, obtained through continuous monitoring of a client's cybersecurity practices, Hamilton says.
"Eventually, insurance companies will begin bundling this service as a condition of being insured," he explains.
Denbigh-White predicts greater emphasis will be placed on risk management, with insurers requiring a greater level of "proof" that robust cybersecurity measures are not only in place but effective in their stated purpose.
"Policies may move beyond simple exclusions and become increasingly tailored, allowing customers to choose coverage that addresses their specific needs and risk profile," he says. This may include insurers supporting hybrid arrangements where clients have decided to self-insure a proportion of their risk.
Adds Denbigh-White: "Overall, 2023 will see a definite maturing of the cyber insurance industry and a greater understanding of its place within customers' risk mitigation strategies."