Cyber insurance has become increasingly difficult – and expensive – to obtain for organizations in the public and private sectors. Insurers have asked potential customers to answer lengthy questionnaires, with no guarantee of coverage once they were done, and plans have become more expensive.
Insurance broker and risk management services firm Marsh reports that the price of cyber insurance in the United States rose an average of 96% year over year during the third quarter of 2021. Kirsten Bay, CEO of cyber insurance provider Cysurance, said during an RSA panel last week that coverage “will never be quoted ‘cheap’ ever again.”
But there may be ways to make coverage more accessible, and Bay and other panelists looked at the challenges and opportunities that lie ahead.
DEMONSTRATE GOOD CYBER PRACTICES?
Insurance companies are challenged by the fact that cyber threats are changing rapidly and the elements of a strong cybersecurity posture are likely to continue to change, said Kyle Bryant, global director of underwriting for cyber insurance and cybersecurity solution provider Resilience. This makes it difficult for insurers to fully understand the long-term risk of covering a customer.
“These are all things that happen in real time as threats change on their own, and so a risk that looks great right now may not be what looks great tomorrow,” Bryant said.
Nick Schneider, president and CEO of cybersecurity firm Arctic Wolf, said insurance companies looking to better understand risk are asking applicants to answer an increasing number of questions.
“We had a few customers at a recent launch here who gave us some anecdotes…and where their initial policy was five questions and policy, renewal is 300 questions and maybe one policy,” Schneider said.
However, questionnaires may not be the only way for insurance companies to obtain information. Bryant said the cyber insurance landscape could evolve to see applicants start sharing data with insurers to demonstrate they are following good cyber hygiene practices. He compared this to car insurance policyholders who have their driving monitored to get lower rates for safe driving practices.
“We have the ability to monitor employees to understand how quickly companies are patching their business, how quickly they are updating their systems, that information is out there, but right now it’s basically sitting in a lot of cybersecurity silos, many MSPs [managed service providers] and many other technologies,” Bryant said.
Bryant and Schneider also suggested that insurance companies partner with cybersecurity firms that can help them better understand cyber risks.
WHAT INSURERS ARE LOOKING FOR
Panelists emphasized that they want customers to treat cyber insurance as a backup to turn to when recovering from a cyber attack, rather than making it the entirety of their recovery, defense and resilience plan.
“If you have home insurance, you don’t forget about alarms,” Schneider said.
Insurance companies seek to ensure that potential customers follow certain best practices that will reduce their exposure to risk. These practices can vary, but Bay said most insurers will reject customers who lack multi-factor authentication or fail to patch.
Some insurance companies are considering striking a balance and offering certain levels of cyber coverage provided customers maintain good cyber hygiene practices, Bay said. Customers who fail to maintain good behaviors would see their insurance pay less on covered claims.
“There are new policy forums now that are talking about these things like, if you haven’t corrected within 45 days, you start to have your boundaries degraded,” Bay said. “They’re trying to put some skin in the game.”
IS EVERYONE INSURABLE?
Bay also said insurance companies should rethink the options for offering cyber insurance.
“I strongly believe that we need to somehow separate traditional cyber liability to the point where it can almost become a catastrophic loss policy, and then we can have lower limits, more flexible but standardized programs,” Bay said.
In the homeowner space, catastrophe insurance plans protect commercial and residential policyholders in the event of rare but costly incidents typically not included in standard home insurance, according to Investopedia. These can include natural disasters and terrorist attacks.
MSPs often face daunting prospects when seeking coverage, but insurance companies may be more willing to cover them for disasters only, Bay said.
“[MSPs] are almost uninsurable at this point due to supply chain risk,” Bay said. “A lot of these organizations are already doing the right thing, but that still makes it a very high risk.”
GovTech previously reported that attacks that compromise MSP services can quickly spread through their customer bases: the ransomware attack on computer software provider Kaseya affected approximately 2,000 public and private sector customers worldwide, for example.
Bay suggested that insurance companies might find it more acceptable to treat MSPs as a high-risk group that can only benefit from catastrophe insurance and “not from lower-tier, cheaper or at-risk insurance, lower deductible.”