Back in April of this year I wrote this blog: “Major Cyber Insurance Overhaul Begins Now.” At that time I wrote: “One thing is clear about cyber insurance in the spring of 2023: The status quo is not sustainable.
“And now, Lloyd’s of London, a major player in the global insurance market, is calling for dramatic changes in the cyber insurance market. According to The Financial Times (FT), “From next month, Lloyd’s will require the dozens of insurers that operate in the market to include exemptions that would prevent policies paying out if a major attack is judged to be ‘state-backed.’”
Fast-forward to November 2023, and the numerous weekly headlines on cyber insurance continue to amaze, confuse and even contradict each other.
WHAT’S HAPPENING AS WE HEAD INTO 2024?
Allow me to highlight a few headline examples to show you what I mean:
“As businesses deal with the fallout of massive ransomware waves, from Lapsus$ to Cl0p/MOVEit, an unlikely new entity is joining the regulatory bodies to raise the bar for cybersecurity: the cyber insurer. These experts do more than just process claims in the aftermath of an attack. Their coverage requirements and metrics-driven approach to risk put organizations not meeting cyber-hygiene basics on notice."
Security Week: Business see rise in cyber insurance costs and requirements
“A new report reveals that more than 40% of businesses have reported an increased requirement from insurers for cybersecurity tools.
“The 2023 Data Health Check, released by Databarracks, surveyed 500 UK IT decision makers across several industries.”
Insurance Journal: Global Insurance Prices Continue to Stabilize in Q3 as US Cyber Premiums Drop: Marsh
“Global commercial insurance prices increased 3% in the third quarter of 2023, the same as the prior quarter, according to the Global Insurance Market Index released by the insurance broker Marsh, a business of Marsh McLennan. …
“Cyber insurance pricing continued to decrease in the US, declining 6% in the quarter, compared to a 4% decrease in the prior quarter.”
Dark Reading: How MOVEit Is Likely to Shift Cyber Insurance Calculus
“Cyber insurers don’t have the historical data or developed risk models that others do, like car or home insurers, which means they are constantly adjusting their ‘risk appetite,’ according to Mark Millender, senior advisor for global executive engagement at Tanium. He thinks payouts like the one Progress Software is seeking will both drive up premiums and ratchet up requirements for coverage across the cyber insurance ecosystem.”
NEW DEVELOPMENTS WITH CYBER INSURANCE AND AI
One media headline that grabbed my attention last week was the release of a white paper: “How Generative AI Will Transform Cyber Insurance in the Next 24 Months.” Here’s an excerpt:
“Measured AI’s research highlights the power of Generative AI to revolutionize cyber insurance, benefiting insurers, brokers, and customers. The paper delves into innovative applications in underwriting, risk assessment, and claims processing that will improve cybersecurity, reduce risk, and increase customer satisfaction.”
The paper shows many compelling ways that the insurance market is changing and now using GenAI.
Another interesting story from Security Week was “Why mandates work for traditional insurance categories, but not for cyber-insurance”: “Risk profiles for traditional lines of insurance such as health, auto, or property and casualty insurance, are relatively static. Furthermore, insurance companies have large collections of actuarial data and are able to reliably predict risk based on fairly static conditions.
“Cyber threats, on the other hand, are constantly changing. Bad actors are continually developing new tactics, techniques, and exploits. At the same time, companies’ computing infrastructure is continuously evolving, and each change brings the potential for new risks. To ensure security in this ever-changing environment, continuous monitoring of internal networks is required. Continuous monitoring provides insurance companies with actuarial data and ensures mandates are followed.”
Another good read comes from Information Week: “What Happens When You Lose Your Cyber Insurance?”
“Even the most well-prepared organizations can fall prey to cyber attackers, but some organizations are vulnerable due to lack of proper controls. ‘Was the claim brought about by some entrenched structural, systemic problem with the company’s cybersecurity that may make them undesirable or uninsurable?’ asks Avery Dial, partner at Kaufman Dolowich and chair of the law firm’s data privacy practice group.
“If the answer to that question is ‘yes,’ companies could face more expensive premiums or nonrenewal.
“Companies may even lose their coverage before the policy period is up if the insurer determines it misrepresented its cybersecurity posture in its application. When a cybersecurity incident occurs, a forensic investigation will most likely be conducted. ‘Those forensic reports sometimes reveal that things were not as they were represented, at least in the insurer’s view. And the insurer will then seek to rescind the policy,’ Andy Moss, a member of Reed Smith’s insurance recovery group in the law firm’s litigation department, tells InformationWeek.”
TIPS, PLEASE!
While the news seems all over the map on cyber insurance, there are plenty of helpful insights to assist organizations in this journey. The National Association of Counties (NACo) offered this article on their website: “Cybersecurity insurance can be affordable.” They end with advice that I have been giving for years: Get started with a maturity assessment.
“Selecting the appropriate broker and cybersecurity advisor will help you navigate this challenging path. With the right approach, you will experience the benefits of both a stronger cybersecurity posture and more affordable insurance rates. Additionally, you will be better equipped to cost-effectively protect your organization and minimize the impact if a breach occurs.”
And finally, a podcast on what should we look for in a cyber insurance policy?
I encourage you to listen to this excellent podcast on the topic, with guest speaker Marc Schein. My favorite quote:
“It all goes back to really having a good risk profile. Now, how do you get a good risk profile? Starting with the top 12 controls is a great place. Making sure that you have somebody in-house, whether it be a CISO, CIO, or perhaps you have an MSSP, somebody outsourced that’s really managing your cybersecurity. They’re going to help you complete the applications to get started. Another area that we strongly recommend when you're contemplating cyber insurance is looking at the panel, who’s part of that carrier’s panel.”
