Cyber insurance is no longer deemed a nice-to-have accessory for businesses. In 2023 its importance will only increase, as coverage becomes a seal of approval that signals an organisation's strong cyber security posture to customers, partners and peers. To obtain coverage, however, businesses must first demonstrate good 'cyber health' credentials, which creates a chicken-and-egg problem: coverage is expected as proof of good posture, yet good posture must be proved before coverage is granted.
But what is 'good' cyber health anyway? This is the dilemma both insurers and businesses will grapple with in 2023. The solution won't come from either side, but from somewhere else entirely: managed security service providers.
Cyber insurance trends: pressures, perplexity and precaution
The UK and US cyber insurance markets are rife with complexity. On the one hand, UK businesses face a plethora of pressures: rising cyber insurance premiums (up 66% year-on-year as of Q3 2022) and shrinking coverage.
Lloyd's of London announced in August 2022 that, from March 2023, standalone cyber policies written in its market must exclude losses arising from state-backed cyberattacks.
But perhaps the most impactful change in the market is one that high-risk industries such as construction have long been warned about: cyber insurance is no longer treated as a substitute for security controls, so it falls to businesses to reduce cyber risk internally before applying for cover.
On the other hand, insurers can only do so much to help businesses get their house in order.
The common trend among insurers today is to look at what controls businesses have in place and how responsive they might be in the event of a cyberattack.
The problem is that they need far more information than is currently available to them, something akin to the wealth of empirical, actuarial data that health and motor insurers can benchmark against.
Businesses must – and will continue to – manage the following issues:
- New architectures facilitating digital operations. The combination of digital transformation projects and the pandemic has made IT ecosystems more complex. New VPN deployments, network segmentation schemes and cloud tenants are just a few of the components most companies have changed in their architectures.
- Larger attack surfaces to defend and observe. Business processes have become more complex and specialized, resulting in the adoption of more applications tuned to specific processes and purposes.
- Personnel limitations for Security Operations Centres (SOCs). SOCs have historically relied on the concentrated roles and responsibilities of a few security specialists. The entire response process becomes a single point of failure if those specialists leave, become unavailable or are overloaded.
- More sophisticated attacks. Risk has become increasingly dynamic and expansive. This is partly the combination of complex IT ecosystems and attackers' growing sophistication in exploiting those complexities.
'Cyber health' is not the only unquantifiable factor in the cyber space; risk is similarly elusive. This is why, for example, insurers are treading with trepidation around building reputational damage into business and cyber packages. In other industries, reputational damage tends to follow one-off events, such as natural disasters, and can often be predicted to some extent.
By contrast, in a cybersecurity context an attack can have a snowball effect: stolen data may be sold and circulate on the dark web for years after the initial breach. The resulting risk is virtually impossible to quantify.
1. “Inside-out” underwriting
Sophisticated underwriters are using third-party scanning technologies to detect security weaknesses in an applicant's environment. They attach endorsements (policy conditions) tied to the vulnerabilities found, and if those vulnerabilities are not remediated, the organisation's coverage can be affected.
2. The return of ransomware
The frequency of ransomware losses has dropped in the past few months, but the losses that do occur have increased in severity. Ransomware-as-a-service is also on the rise, and it is predicted to be among the biggest threats facing the cyber market in the next few years.
3. Social engineering fraud
Social engineering attacks have outpaced ransomware attacks this year, fuelled by the global shift to hybrid working. Social engineering manipulates people rather than exploiting technical flaws, tricking staff into granting access or authorising payments. RPS' data found that fraudulent payments and social engineering fraud among small and medium-sized enterprises made up more than 50% of claims between January and August 2022.
4. Increasing cyber regulations
Amid changes in the threat landscape, bans on ransomware payments and other cyber-related laws could crop up across the US. Such measures would weigh heavily on public entities, which are among the least prepared for cyberattacks. The public sector, including education, also faces fewer options for risk transfer after several carriers pulled out of the space due to skyrocketing claims.
Cyberattacks are becoming more sophisticated, but so are insurers
Risk Placement Services (RPS) says that insurance carriers have adapted their underwriting of cyber risk even as threat actors escalate or change their tactics. Combined with improved cybersecurity practices within organisations, this has led to rate stabilisation in the marketplace.
It’s a positive sign shining light into a tumultuous market, which in 2023 will continue to face capacity challenges driven by increased demand, two-plus years of significant premium increases, more judicious limits deployment, and the exit of some players from the market.
Carriers have effectively raised the bar for entry to cyber insurance, increasing the information security requirements an organisation must meet to qualify. Requiring multi-factor authentication (MFA) for remote access to networks is the control the insurance industry has most consistently aligned on over the last few years.
The need for an outside perspective
The strength of cyber insurers lies in providing excellent incident response (IR) and offering support when clients need it the most. This is the nature of their relationship – but it is not an exclusive one, since they usually don’t work alone.
When attacks strike, insurers call on IR experts to verify whether the client actually had in place all the protective measures it attested to when applying for coverage.
This outside perspective is invaluable to them in the aftermath of an attack – now, amidst soaring demand for coverage, insurers should look to enlist similar expert help to demystify cyber risk, even before the worst comes to pass. Managed security service providers (MSSPs) can do this for them, and in 2023, their role will become more pronounced.
Helping businesses qualify for insurance coverage
MSSPs can support insurers first and foremost by helping businesses qualify for cyber insurance more easily. MSSPs understand what insurers look for when evaluating candidates, and they can work with businesses to proactively close any cyber security weak spots before an application is made.
They can ask the right questions, carry out assessments or penetration testing, as well as guide businesses to reach the required level of cyber resilience faster.
Crucially, they can manage a continuous testing and improvement programme affordably.
By contrast, a standard business impact assessment can set a business back many thousands of pounds, putting them out of pocket before they can get any true value for their money. MSSPs prove their worth by running comprehensive assessments over organisations’ people, processes and technology controls, leaving no stone unturned.
Helping insurers assess cyber health and risk
Beyond preparing businesses for cyber insurance, MSSPs can also help insurers in a more direct way. By acting as a 'black box' within businesses, in the flight-recorder sense of continuously recording the state of their security controls, they can put the notion of 'cyber health' on a more empirical footing than before.
MSSPs can score organisations’ cyber resilience based on the effectiveness of their security and data protection processes, the behaviour of their employees and the robustness of their technology infrastructures.
For example, on a scale from one to 100, scores of 75 or over may be considered best practice, though in tightly regulated or high-risk industries the benchmarks would be set higher.
Such a cyber resilience score then gives insurers a clear metric to assess candidates and clients by. With all the data and scores at their disposal, insurers are able to quantify their own risk, too, and make better-informed decisions as they navigate the increased demand for their services.
Resolve the cyber insurance dilemma in 2023
Cyber insurance may seem like uncharted territory, as threats are hard to anticipate and risk remains elevated. Such issues will persist moving into 2023, but MSSPs can offer the resources required to give insurers greater peace of mind, bring more clarity and speed into operations, and help businesses qualify for the coverage of their choice faster.
As risk becomes easier to quantify, insurers may feel more confident to offer lower premiums over time, which may attract more businesses to seek coverage over the longer term.
Businesses will similarly feel the benefits of MSSPs’ involvement in the process of seeking cyber insurance, as they will have a reason to work harder to improve their overall cyber resilience, and do so against clear benchmarks. As the practice proliferates, it’s not only individual businesses, but also the wider industry which is set to reap the rewards in 2023 and beyond.
AUTHORS: Pete Bowers – COO at NormCyber, Steve Robinson – Area President & National Cyber Practice Leader for Risk Placement Services