Cyber risks: Beware of the insurability gap

Cyber coverage represents a significant growth opportunity for many insurance providers — brokers, insurers and reinsurers alike.


Adoption of cyber coverage grew from 34% to 47% in 2018, with more than half the potential insureds worldwide not covered, according to the 2019 Global Cyber Risk Perception Survey from Marsh and Microsoft.

Unlocking this opportunity rests on industry changes that enable frictionless adoption by the highest number of companies.

However, misalignment remains between the cyber coverage offered and the variety of financial losses that businesses might face when a cyber incident occurs.

Large businesses in particular have the opportunity to get customized cyber policies that cover their unique needs. At the other end of the market, very small businesses can find adequate coverage as part of a packaged business insurance policy.

The majority of businesses make up the rest of the market. They face a gap in insurability for the following reasons:

Risk assessment

This goes to the core of all the issues and is the main reason for all the other gaps in insurability. Insurance companies use an outside-in approach, which provides partial visibility into the risk.

Insurance is all about risk transfer. If you cannot identify, describe and quantify the risk, then nothing else matters. For example, as the use of cloud infrastructure becomes mainstream for collaboration tools, such as email and file sharing, the misconfiguration of these services has become common.

The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) issued a security warning in May 2019 about Office 365 common misconfigurations, such as multi-factor authentication not being enabled for administrative accounts by default. Such misconfiguration presents a significant increase in cyber risk that should be accounted for in risk assessment for cyber policies.

Coverage limits

With risks not fully assessed and potential losses not quantified thoroughly, insurers and reinsurers will hesitate to commit to any meaningful coverage for risks that they don’t understand. An unfortunate consequence is that most policyholders won’t even know they have insufficient limits in their coverage.

For example, fast-growth companies that process regulated or protected records such as Patient Healthcare Information (PHI) and Personally Identifiable Information (PII) might experience a significant increase in the number of records they process over a short period of time. Their cyber policy, and specifically its limits for data breach coverage, can quickly become out of date.

Coverage types

Due to the rapid digitalization of many processes, modern businesses are expanding their cloud, mobile and social footprint almost exponentially. It is incredibly easy for a company to double the volume of data stored in the cloud, but it is equally difficult to track the level of risk associated with the increase in data collected. It is even more challenging to keep pace with risks associated with new technology initiatives — mobile, cloud, IoT or other.

Adoption enablement

Only one-third of SMEs have cyber insurance today. Brokers and agents are ill-equipped to present and explain the benefits of cyber coverage to policyholders who are unaware or have incomplete visibility into the cyber risks they face. Brokers are not able to have data-driven conversations with their clients.

Gap in insurance core processes

Cyber risk changes daily with new threats, evolving technology footprints and more. But cyber is only underwritten once a year! Even if the initial policy somewhat matches the cyber risk to be covered, it is highly likely that 12 months later it will no longer be adequate. By comparison, personal auto is underwritten twice a year. The commercial market for cyber insurance must go through an upgrade of processes that support frequent updates and revisions of coverage.

From automatically collecting data usable to compile a detailed, easy-to-understand cyber risk profile of the policyholder, to flagging gaps in coverage as they surface and risks evolve, most of the above gaps are addressable with technology available today. There is an opportunity to refine how cyber risks are assessed today and how cyber coverage is provided to ensure 100% and continuous alignment between risk and coverage.

Rajeev Gupta is CPO & Co-founder at Cowbell Cyber. These opinions are his own. To reach this writer, send email to cowbell@luminapr.com.

Gupta was the GM for the Application Protection BU at Zimperium, a leader in Mobile Security. He comes with 20 years of hands-on experience in software architecture and design of large-scale secure enterprise applications. Previously, at CA Technologies, he was the Head of Product for the Application Delivery business unit, where he mentored several customer teams and led efficient software development strategies for Fortune 500 clients.
