Cyber insurance has great potential to improve cybersecurity practices and protect organizations against the impact of security incidents, but that potential “has yet to fully materialize.” This is the key finding of a recent report developed by the Royal United Services Institute for Defence and Security Studies (RUSI) and the University of Kent in the UK. The report provides a comprehensive list of recommendations for both governments and organizations.
Why cyber insurance?
The World Economic Forum has identified cyber-crime, alongside climate change and pandemics, as “one of the most challenging risks facing societies in the next five years.” Advances in criminal ‘business models’ and the increasing sophistication of threat actors have turned cyber-crime into a complex, rapidly growing and severe threat to both government and business. According to the report, in 2020, losses from cyber-crime were estimated at over $945 billion worldwide, while the “average payment for a ransomware attack was reported to have risen from $84,116 in Q4 2019 to $220,298 in Q1 2021.”
Both critical national infrastructure (CNI) and economic security are threatened by ransomware and cyber-crime more generally. Cyber risk management has become an essential and crucial topic for governments and businesses.
This rise in criminality is taking place at a time of rapid changes in the business environment as organizations seek to digitalize, increase connectivity, and accommodate emerging remote working. The growing reliance of businesses and governments on cyber-enabled services and data highlights the need for protection against these threats. With both national infrastructure and economic security at risk, “one tool that has gained traction is cyber insurance.”
As with other types of insurance, cyber insurance can play a role in reducing economic, environmental, technological, and political risks. Although the primary purpose of insurance is to transfer risk, a by-product is that it can also improve safety and security in some cases.
Cyber insurance can be an important lever for improving cybersecurity. The UK’s Department for Digital, Culture, Media and Sport (DCMS) has reported that public and private sector organizations face informational, commercial, and technical barriers to managing cyber risk effectively. SMEs are especially underprepared when it comes to cyber risk. For example, a recent industry report found that 64% of surveyed businesses are “novices” when it comes to cyber readiness. The failure of many organizations to implement even the minimum requirements of cybersecurity and cyber hygiene has also been underscored by the current growth of ransomware attacks, which exploit lax patch management processes and poorly authenticated remote access services.
Benefits of cyber insurance
The report has identified five positive effects of cyber insurance on cybersecurity and risk management.
1. Assessing risk profiles and security practices
By assessing a client’s risk profile, insurers can identify potential risks, poor cyber hygiene, and bad practices through an initial risk assessment. This process may encourage an organization to understand its exposure to risk, implement new controls, or remediate previously identified vulnerabilities.
2. Driving best practices
The cyber insurance industry is well placed to drive best practices, as insurance carriers are financially motivated to reduce claims and losses. This motivation could act as a ‘push factor’ from the insurance industry to raise standards and drive the adoption of best practices by their clients.
3. Linking risk profiles and security practices to financial incentives
The most powerful lever the insurance industry holds is the ability to link an organization’s risk profile or cybersecurity practices to financial incentives such as reduced premiums, better terms, and higher coverage. This should encourage the adoption of best practices by offering a clear financial incentive.
4. Increasing awareness of risk
As the authors of the report note, cyber insurance helps raise awareness of poor cyber security so that it is seen as a credible threat to the business. For example, cyber insurers have the knowledge and the experience to emphasize the potential financial impact of an incident and can help their clients map out strategies and processes to mitigate it.
5. Providing access to services
Many cyber insurers provide services to help organizations prevent breaches or to reduce the impact when they happen. Post-incident services may help clients reduce incident costs and gain access to services and expertise during crises. Pre-incident services seek to proactively prevent incidents and mitigate risk, and include staff training, vulnerability scanning, access to threat intelligence, and vCISO services.
Challenges of cyber insurance
Despite these benefits, the report notes that “the positive effects of cyber insurance on cybersecurity have yet to fully materialize. While there are some encouraging signs, cyber insurance is still struggling to move from theory into practice when it comes to incentivizing cybersecurity.”
Based on interviews and workshops with experts across the insurance and cybersecurity industries, government, and academia, the report finds that the cyber insurance sector is “still in its infancy,” struggling to understand cyber risk as well as to collect and analyze reliable cyber risk data. Without this level of cyber risk maturity, there are significant questions around the insurability and mitigation of cyber risk. Among all these challenges, ransomware has become an existential threat for some insurers, raising questions and debate about policies on paying the ransom.
The report identifies many reasons for this situation. First, the positive effects of cyber insurance are not evenly distributed. It appears that some cyber insurers are offering products and services with a better chance at impacting security, reflecting insurers’ varying levels of maturity and expertise. Offerings are also not functioning as well as they might for SMEs and large businesses.
Second, cyber insurance is more effective as a cyber resilience tool than as a risk mitigation tool. This is emphasized by the fact that post-breach services are the central cyber insurance service. Although this is not unreasonable in itself, as the main aim of cyber insurance is arguably to transfer residual risk and act as a last line of defense, it does raise some further concerns. The problem is that cyber insurance has yet to fully demonstrate that it can incentivize the proactive security practices that would make it more useful for managing cyber risk.
What is the way ahead?
At a time when the impact of cyber-attacks is becoming more severe, the report offers several recommendations which can help the cyber insurance industry reposition itself and deliver benefits to all organizations.
In line with these recommendations, the cyber insurance industry needs to collaborate more closely with cybersecurity agencies such as the UK’s NCSC, NIST, and CISA on data sharing and setting minimum security standards. In addition, insurers need to move towards a more prescriptive risk management approach, whereby buyers are financially incentivized to adopt best practices. With the market undergoing changes amid growing losses, now is also the time for more coordinated action by government and regulators to help the industry reach its full potential as a tool for incentivizing better cybersecurity practices, such as timely patching of vulnerabilities, adoption of multi-factor authentication, and network segmentation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.