Ways insurers can reduce the threat of cyber risks
Get six tips for reducing cyberthreats as risks in the sector continue to grow.
Cyber insurance was once seen as a bright spot for the insurance industry, with lower loss ratios and higher profitability than other major areas of commercial coverage. That has rapidly changed as loss ratios climb — up 50% in 2020 and well above that in 2021.
Ransomware is the main culprit for this rise and the threat is increasing. Attacks climbed more than 125% last year. These trends are causing some insurers to withdraw from the cyber market altogether.
There is a clear and growing cyber risk transfer chasm, and it requires the attention of insurers and the wider industry. The following initiatives could help strengthen the cyber risk insurance market and contribute to reining in cyberthreats:
1. ‘Infosec’ loss prevention & mitigation.
While progress on incident actuarial data leaves much to be desired, information security (infosec) statistics around threat and vulnerability dimensions have improved.
Reports from leading vendors agree that the most common initial access vectors for ransomware incidents are internet-exposed remote desktop protocol (RDP), phishing and spam email, and unpatched vulnerabilities.
If insurers can incentivize basic “blocking and tackling” at client companies, including business continuity practices such as backups that are regularly tested to be restorable, we can significantly decrease risk exposures.
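What “restorable” means as a control is worth making concrete, because a backup that merely exists is the one that fails during a ransomware recovery. The following Python script is an added illustration, not code from the original article or from Guidewire: it backs up a constructed sample tree to a tar archive, records a manifest of SHA-256 digests at backup time, restores the archive to a clean directory and verifies every file against the manifest, then simulates media corruption by truncating the archive and shows that the same check reports the failure. The file names and contents are constructed for the example.

```python
"""Backup restorability check (added illustration, not from the article).

A backup is only a control if it has been restored and verified. This script
takes a backup, restores it to a separate directory and compares every
restored file's SHA-256 digest with a manifest recorded at backup time.
"""
import hashlib
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative to root) to its digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest that a later restore must reproduce."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore into a clean directory; return a list of problems (empty means OK)."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    # The 'data' extraction filter (Python 3.12+, backported to some 3.8-3.11
    # releases) refuses members that would escape restore_dir; fall back
    # silently on interpreters that do not have it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(restore_dir, **kwargs)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        return [f"restore failed: {exc!r}"]
    restored = build_manifest(restore_dir)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file restored: {rel}")
    return problems


def run_demo() -> tuple:
    """Return (problems for an intact backup, problems for a corrupted one)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "fileserver"  # constructed sample data
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"date,amount\n2021-03-01,1200\n")
        (src / "crm.db").write_bytes(os.urandom(16384))  # incompressible blob

        archive = tmp / "nightly.tar.gz"
        manifest = take_backup(src, archive)
        good = verify_restore(archive, manifest, tmp / "restore_good")

        # Simulated media failure: the archive survives but half of it is gone.
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        bad = verify_restore(archive, manifest, tmp / "restore_bad")
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("intact backup  :", good or "restore verified")
    print("damaged backup :", bad)
```

The point of the design is that success is defined by the restored bytes matching a manifest taken before the incident, not by the backup job reporting success; in practice the restore target should be isolated from the production network and the manifest stored separately from the archive it describes.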
2. Risk management coordination.
Incentivizing good security hygiene is a start, but it must be intertwined with meaningful security metrics so that recommended controls keep pace with dynamic cyber risk.
Rather than rely solely on factors like compliance or case law developing over time, embracing a risk management coordination role can enable insurers to take the fight to ransomware.
A start would be to have underwriters, brokers and infosec professionals coordinate security risk metrics with controls and outcomes. Coordinating metrics and outcomes across those three groups would align their view of risk, lower information asymmetries and put the study of who gets victimized, and how, on a systematic footing rather than the current ad hoc one.
The role insurers take in risk management coordination can be thought of as a spectrum. At a basic level, simply requiring policyholders to provide or verify security fundamentals and technographics would bring about more accurate cyber risk assessment. At the other end of the spectrum, incentivizing insureds to share internal security telemetry (the cyber analogue of auto telematics) could add the missing link in cyber risk assessment and measurement.
3. Ransomware disclosure regulation.
Since federal regulation, litigation and state laws requiring reporting and disclosure of data breaches served as the foundational basis upon which data breach underwriting and coverage is anchored, it bears asking: Do we need a similar enforcing function in order to adapt to ransomware risk?
Regulatory fines, reporting requirements and breach costs have made data breach losses tangible, thereby capturing the attention of the industry. It is an open question as to whether existing disclosure requirements will be sufficient for robust underwriting of ransomware risk. Government is uniquely situated to be a forcing function for awareness of the breadth of the problem.
4. Controls failure reporting.
Standard components of digital forensics and incident response reporting include information about attack vectors and control failures: how attackers were able to access company networks and which technical or administrative safeguards were deficient. While the certainty of these attributions varies, insurers have by and large left these ransomware claims details on the cutting room floor, foregoing valuable lessons learned and perpetuating a piecemeal approach to underwriting. When it comes to cyber risk, attacker tactics, techniques and procedures follow patterns of least resistance. Knowing their playbooks can go a long way toward reducing exposures.
Concerningly, some insurers (mostly in the small- and medium-sized enterprise market) are cutting costs by collecting less information during the underwriting process and eliminating data fields in the notification of loss. This trend works counter to developing more mature cyber loss models that align risk with premium pricing. Adaptation within the cyber risk landscape requires committing as much available data to the actuarial record as possible. Insurers documenting and sharing controls failure data would mark a significant step toward quantifying the end-to-end relationships between threats, security controls and incident outcomes.
5. Data-driven predictive models.
Because ransomware is a dynamic threat whose prevalence is unknown, and because it operates within interconnected target landscapes, knowledge of yesterday’s attacks is insufficient to inform us about tomorrow’s outcomes. Any foresight is therefore highly valuable for effective ransomware risk segmentation, assessment, pricing and defense. Foresight in cyber insurance can come by way of predictive models which incorporate both historical data and expert knowledge. Such predictive models can in turn drive more robust and reliable risk selection, pricing, and risk-informed underwriting guidelines.
6. Extortion payment policy reform.
Cryptocurrency is the fuel that drives the growth of ransomware. Without it as a payment rail, the pressure introduced by ransomware incidents and claims would be unremarkable. An open question is whether current regulations and policy appropriately guard against facilitating ransomware, or whether more robust prohibitions are needed.
Government interventions around ransomware and extortion payments stand to reason. Options range from an outright prohibition of ransomware pay-outs to aiming to improve attribution and enforcement against bad actors. The insurance industry should consider how best to support or even lead these types of interventions.
The damaging impact that cyberattacks and ransomware have wreaked on companies and insurers demands something other than conventional responses such as increasing premiums and lowering limits to meet acceptable loss ratios.
Only innovation and evolution at the individual company, industry and governmental levels will ensure the resiliency of the cyber risk insurance market, and ultimately contribute toward reining in ransomware risk.
Erin Kenneally, a former portfolio manager with the cyber security division at the U.S. Department of Homeland Security, is now the director of cyber risk strategy at Guidewire, a leading technology provider to the P&C insurance industry.
Opinions expressed here are the author’s own.