Cyber insurance – Spreading risk and reducing it


People naturally tend not to take risks. While some people live for the adrenaline rush of betting the farm on what seems like good luck, most people hesitate to take even much smaller risks. This is not a new story: insurance evolved around 4,000 years ago, when Babylonian lenders and shipowners devised ways to spread the risk of a ship laden with valuable goods being lost at sea, and to reward those who assumed that risk.

Modern insurance is based on actuarial science and, increasingly, on big data. Insurance companies hold large pools of data on life expectancy and the factors that affect it, as well as data on car accidents: the percentage of cars likely to be involved in an accident on any given day, the damage and injuries those accidents will cause, and the costs of recovery and repair. Insurers use all of this data to calculate premiums that let them come out ahead, despite the fact that every life insurance policyholder eventually dies and drivers crash at very predictable rates.

There are, however, scenarios that make life extremely risky, even for insurers, despite their risk expertise. Structural changes can make their data inaccurate. Climate change, for example, is currently wreaking havoc on insurers, as droughts contribute to larger and more intense fires, and warming ocean waters lead to increasingly powerful hurricanes.

Developing new types of insurance for fields so new that reliable statistics simply do not exist is another risky scenario, and one that insurers took on when they started offering cyber insurance. A more fundamental, ongoing and intrinsically linked problem, however, is that since there is no fixed definition of what a covered cyber attack is, insurers cannot properly assess what their potential liabilities are – what the industry calls the ‘maximum possible loss’.

For example, in a discussion of cyber insurance on Chase Cunningham’s Dr. Zero Trust Podcast, Gerry Kennedy, CEO of Observatory Strategic Management, cited an incident in which criminals defeated the coded keys of cars, then opened the cars, started them and drove them away. Car insurance covers this as an instance of theft when it is actually a cyberattack. It is also an unfunded covered loss, since this type of incident was never taken into account when the cost of auto theft coverage was calculated.

The Cyber Insurance Problem

Few US insurers write cyber insurance, due to the lack of reliable data on the level of exposure. Without stable data – and without knowing how, or on what basis, to assess risk – setting reasonable premiums and terms is guesswork at best. As Gerry Kennedy noted, “Nobody ever defined it. It’s about naming the perils, at which the industry has failed miserably. They did not inventory any of the losses.” Regulators also lack expertise in cyberattack risk.

This is not insignificant, because in reality, cyber risk is both systemic, insofar as it can impact large areas of modern life, and highly unpredictable.

While ransomware has been around for a long time – the first documented ransomware was the AIDS Trojan, delivered via floppy disk in 1989 – it has only recently become a multi-million dollar threat to big business. In 2020, the direct loss ratio for cyber insurers – the amount insurers pay out on claims relative to premiums earned – jumped from 47 cents on the dollar to 73 cents on the dollar. Cyber insurance became a much less profitable line of business almost overnight. And, of course, ransomware isn’t the only type of cyberattack that companies expect cyber insurance to cover.

The inability to accurately identify risks, or to forecast the sharp increase in the cost and frequency of cyberattacks when setting premiums, has led some insurers to look for ways to avoid cyber insurance payouts for ransomware and other attacks. Many of the arguments they use are clearly fallacious and easily recognised as attempts to reduce losses. For example, after one ransomware attack, an insurer tried to claim that it was not liable because the data had not actually been damaged: it was physically still there on the client’s server, merely inaccessible.

Insurance companies are responding to soaring ransomware-related losses in several ways: massive premium increases (up to 200%), limiting coverage, and in some cases removing coverage altogether.

For cyber insurance to be a viable offering for insurers, as well as a valuable risk reduction strategy for organizations, insurers must take steps to tighten the way policies are written – steps that should have been taken from day one: specifying exactly what is covered, bringing in experts who understand the cybersecurity field, incentivizing applicants to implement better cybersecurity controls (or making those controls a prerequisite for obtaining coverage), and adding right-of-inspection clauses so that the requirements have teeth.

Cybersecurity features insurers want to see

A recent podcast segment on cyber insurance highlighted eight security capabilities that insurers look for when deciding whether to issue a policy against cyberattacks and what premiums to charge:

  1. Multi-factor authentication (MFA). MFA isn’t foolproof, but it blocks the large majority of automated, credential-based attacks (the figure usually cited is around 99%).
  2. Least privileged access. Least privilege is vitally important to reduce both the attack surface (possible access points) and the blast radius (the amount of damage a successful breach can cause).
  3. Network segmentation and data encryption. Network segmentation, or microsegmentation, works together with least privilege to minimize east-west traffic between servers in a network, limiting how far an intruder can move after a breach. Encrypting data at rest and in transit limits what an attacker who does reach it can actually use.
  4. User training and incident response time. User education clearly does not stop all attacks, but it certainly helps and should be part of any cybersecurity defense. Good intrusion prevention and detection systems matter for the same reason: they let you spot breaches quickly and minimize the damage.
  5. Offline backups. During a ransomware attack, anything connected to your network, whether on your own servers or in the cloud, could be encrypted. The only way to be sure a backup is available when you need it is to keep an offline copy, and to test restoring from it periodically.
  6. Endpoint protection and response. Especially with so many people working from home, it’s not enough to secure your servers – you also need to make sure endpoints are secure.
  7. Patch and end-of-life management. Gerry Kennedy recommends that policies include “newly reported” provisions requiring customers to take appropriate action to mitigate risk within X days of a new vulnerability being announced or a new patch being released.
  8. Attack surface testing. Insurers want to be sure you know where you are vulnerable and have taken the appropriate protective measures.
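Item 7 is the one an insurer can actually audit, because a “patch within X days” clause reduces to a comparison of dates. The script below is an added illustration (not code from the post, the podcast, or any insurer) of how an organization could check its own software inventory against such a clause before an inspection. The inventory, hosts, dates and the 14-day window are all assumptions; a real policy states its own X.

```python
"""Check a software inventory against a "patch within X days" clause
and a vendor end-of-life rule of the kind a cyber insurer might write.

Added example: the inventory and the SLA window below are constructed
for illustration and are not taken from the article or any insurer."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = 14  # assumed "newly reported" window (the policy's X)


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    patch_published: Optional[date]  # release date of the fixing patch
    patched_on: Optional[date]       # date we applied it; None = still unpatched
    vendor_eol: Optional[date]       # vendor end-of-life date, if known


@dataclass(frozen=True)
class Finding:
    host: str
    software: str
    reason: str      # "eol", "unpatched_overdue" or "patched_late"
    days_over: int   # days beyond the SLA deadline (0 for "eol")


def assess(inventory: List[Asset], today: date, sla_days: int = SLA_DAYS) -> List[Finding]:
    """Return one Finding per clause violation found in the inventory."""
    findings: List[Finding] = []
    for a in inventory:
        # End-of-life software cannot be patched at all, which is why
        # insurers treat it as a standing exposure rather than a lapse.
        if a.vendor_eol is not None and a.vendor_eol <= today:
            findings.append(Finding(a.host, a.software, "eol", 0))
        if a.patch_published is None:
            continue  # nothing outstanding for this asset
        deadline = a.patch_published + timedelta(days=sla_days)
        if a.patched_on is None:
            # Still unpatched: only a violation once the window has closed.
            if today > deadline:
                findings.append(Finding(a.host, a.software, "unpatched_overdue",
                                        (today - deadline).days))
        elif a.patched_on > deadline:
            # Fixed, but outside the window; an inspector would still want
            # to see this, since the clause is about timeliness, not outcome.
            findings.append(Finding(a.host, a.software, "patched_late",
                                    (a.patched_on - deadline).days))
    return findings


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by reason, e.g. {"eol": 1, "unpatched_overdue": 2}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


def is_compliant(inventory: List[Asset], today: date, sla_days: int = SLA_DAYS) -> bool:
    return not assess(inventory, today, sla_days)


# Constructed sample inventory: hostnames, products and dates are invented.
TODAY = date(2024, 3, 1)
INVENTORY = [
    Asset("web-01", "reverse-proxy", date(2024, 2, 1), date(2024, 2, 5), None),  # fixed in time
    Asset("web-02", "reverse-proxy", date(2024, 2, 1), None, None),              # still unpatched
    Asset("db-01", "database", date(2024, 2, 20), None, None),                   # window still open
    Asset("file-01", "os", date(2024, 1, 1), date(2024, 2, 1), None),            # fixed, but late
    Asset("legacy-01", "os", None, None, date(2023, 6, 30)),                     # vendor EOL
]

if __name__ == "__main__":
    for f in assess(INVENTORY, TODAY):
        print(f"{f.host:10} {f.software:14} {f.reason:18} +{f.days_over}d")
    print("compliant:", is_compliant(INVENTORY, TODAY))
```

Run against the constructed inventory with today set to 2024-03-01, the check flags web-02 as 15 days past its deadline, file-01 as patched 17 days late, and legacy-01 as end-of-life; db-01 is unpatched but still inside its 14-day window, so it is not a violation yet. Widening the window to 30 days clears web-02 but still leaves file-01 one day late, which is the kind of sensitivity an organization should understand before agreeing to a particular X.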


Now that we’ve seen the perspective of insurers, what about organizations considering cyber insurance? Is it a worthwhile investment or a waste of resources that could be better invested in additional protection?

The answer, of course, is “it depends”.

It’s important to check the fine print and make sure the policy actually protects your organization against the most common and potentially damaging risks, such as ransomware.

Just as auto insurance won’t protect you against accidents, cyber insurance won’t stop cyber attacks. It can help cut expenses and soften the blow to the bottom line, but just like car insurance can’t prevent you from being seriously injured in a car accident, cyber insurance can’t save your business from a cyberattack.

What auto and cyber insurers can do, however, is condition coverage on actions that will protect you no matter what threats come your way. Just as auto policies can condition coverage on the installation of an alarm or anti-theft device, cyber insurers can condition policies on the use of multi-factor authentication, for example, or of Zero Trust Network Access (ZTNA) for remote worker connections rather than VPNs or exposed RDP. And like the backup sensors that protect your car from objects you cannot see, insurers should demand solutions such as remote browser isolation (RBI), which protect against known and unknown threats alike.

Organizations that already have strong cybersecurity controls in place should choose an insurer that values their proactive posture and rewards it with favorable terms. It is a belt-and-braces approach that offers the best of both worlds: reduced risk for both the insurer and the insured company, and a lower premium for the cover that pays out if a threat does manage to slip through.

The post Cyber insurance – Spreading risk and reducing it appeared first on Erico’s Blog.

*** This is a syndicated blog from the Security Bloggers Network of Erico’s Blog written by Stewart Edelman. Read the original post at:
