Cyber insurance: An effective use of your scant security budget?

Good cyber hygiene and a strong risk management culture is the obvious approach to take if you want to try to avoid being one of those “company X just got hacked” news stories we increasingly see. But even if you are one of the fortunate organisations taking all the right proactive steps – and do forgive my pessimism – I am convinced that most if not all security leaders will be talking about when – and not if – their organisation will face an incident for some time to come.

With that in mind, many organisations are turning to cyber insurance to transfer some of their risk and gain rapid access to specialist support should the worst happen. Is this an effective use of your scant budget? Or a case of pulling the duvet over your head because you heard a noise downstairs (because, of course, you are very safe under that duvet!)?

The cyber insurance market was worth approximately $7bn in 2020. This is expected to triple to more than $20bn by 2025. Despite the projected growth, the market still lacks maturity, and underwriters have found themselves exposed to loss through a lack of knowledge.

Determining the likelihood of an organisation suffering an attack and its likely impact is riddled with uncertainty and speculation, unlike the more mature methods of determining a car driver’s likelihood of having an accident, for example. Cyber crime has risen to dizzying levels, with 66% of surveyed organisations suffering a ransomware attack in 2021 – a 78% increase over the course of a year. Geopolitical destabilisation, a pandemic and a cost of living crises are just some of the reasons for the increase. Should an organisation have to make a claim on their policy, the average claim settlement has been observed to be around $5m, according to analysis conducted in 2020, resulting in some early policies becoming loss-leading for their underwriters.

This has led to volatility of both premium cost and coverage offered. Last year’s premiums saw a 92% year-on-year increase in the US alone, according to the Wall Street Journal (which in part explains the expected growth in the market as mentioned above). Tighter eligibility and coverage conditions abound among underwriters looking to manage potential losses.

Organisations unable to demonstrate the most basic levels of control now find themselves shunned or facing premiums that are simply too high. The questionnaires and pre-assessments that are part of the policy application have become more granular than ever before, with one ISF member describing the process as an “outright audit”. 

While insurers are building significant caches of data describing the market, we are yet to see any large-scale cost reductions or product optimisations being passed on to the consumer. Insurers are additionally leveraging automated discovery tools that provide a “scorecard” describing an organisation’s security posture – the same tools that are used to manage supply chain risk. Many suppliers work hard to ensure their scorecards are in order. You should bear in mind that this early precis of your organisation could influence your premium, too. It may pay to ensure this precis is continually accurate, both in terms of score and context.

The level of cover provided can vary from policy to policy. Broadly, cover is provided for first-party losses, costs directly incurred by the policyholder and third-party losses, to manage costs upon another party because of the incident itself. This brings us to the topic of small print.

There have been some growing pains when it comes to the interpretation of policy wording, particularly regarding limitations and defined coverage exceptions. One of the most notable examples of this is Merck & Co vs Ace American Insurance, a dispute over the use of an “act of war” limitation to repudiate an insurance claim following the NotPetya incident of 2017, which was attributed to Russian military intelligence as part of their ongoing conflict with Ukraine.

A lengthy legal dispute ended in Merck’s favour, with the court ruling that war exclusions – which have long existed in more traditional insurance products – were meant to apply only to armed conflict. A similar case brought by Mondelez International is still ongoing in the US courts. A set of model clauses from Lloyd’s Market Association have been issued to provide clarity for future policies, and we can expect to see examples of further legal challenges and hopefully further standardisation of clauses in the future.

Over the past few years, policies have begun to include complimentary services to help organisations proactively manage their cyber risk, which enriches the value of holding a policy beyond loss protection. Services can include, for example, support with incident response planning, benchmark reporting and maturity assessments, and consultancy services.

While drawing down on these services is at the discretion of the policyholder, insurers are demonstrating a desire to engage with policyholders at a deeper and more proactive level, the idea being that a progressive relationship that supports the notion of prevention rather than cure will prove to be more beneficial to both policyholder and underwriter in the longer term. This makes sense, but it will take time to build the foundations of mutual trust and transparency for this approach to flourish.

I have said it before and I’ll say it again: prevention is always better than cure when it comes to cyber. The complimentary services being added to cyber insurance products do make the total proposition increasingly attractive, and it is promising to see the market is starting to standardise terms and offer a more diverse range of products to suit varying business needs – but it all still comes at a considerable cost.

There needs to be concrete expectation management when supporting any decision to invest in a cyber insurance policy or not. There is no replacement for proactive management of cyber security risk, and if you do decide to invest, cyber insurance should certainly be your last resort: not your first and only answer to how to manage extinction level threats to your business.