By Michael Hill
UK Editor, CSO |
Cyber insurance, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is a policy with an insurance carrier to mitigate risk exposure by offsetting costs involved with damages and recovery after a cyber-related security breach or similar event.
Cyber insurance policies are becoming more diverse as the market matures, and the finer details regarding what one policy may cover can be somewhat different to another, depending on several factors. Nonetheless, Lori Bailey, chief insurance officer at commercial insurance provider Corvus, tells CSO that there are general commonalities across most cyber insurance policies:
Richard Hodson, director and insurance broker at UKGlobal Broking Group, adds that policies also typically cover communications and public relations following incidents. “We are now seeing more and more policies offering post breach funds as well that includes training to staff to prevent repeat occurrences and full system diagnostics.”
Not all policies are created equal, and these coverages would be included in a comprehensive, standalone cyber policy but not necessarily in cyber coverage that’s added to a package policy, Bailey adds. What’s more, not all forms of cyber risk are covered by insurance. “For example, the financial damage caused by war and/or terrorism or failure of internal infrastructure wouldn’t be covered, and neither would the reputational costs that can be incurred following an attack.” Likewise, a virus that was not specifically designed or created to target the affected company may well be excluded, too, says Hodson.
The cyber insurance market is going through a state of flux as cybersecurity trends trigger shifts. Organizations of all shapes and sizes have been investing in cyber insurance policies to add protection. Meanwhile, evolving cyberthreats and risks have continued to plague organizations and test their resiliency. As a result, cyber insurance providers are becoming more versed in and responsive to specific cybersecurity.
Leading the trends affecting demand for and cost of coverage, policy terms and conditions, requirements, and limits is ransomware. Actors are employing craftier and more sophisticated methods to extort (and multi-extort) businesses for potentially huge sums of money.
The increase in ransomware has led to more organizations considering investments in cyber insurance as many have seen the cost of ransomware cause huge financial disruptions at other businesses, Bailey says. “Aside from the direct costs of a ransom, recovering from these attacks is costly. In 2021, breach response costs increased from 29% to 52% of overall claim costs.”
As demand has risen, supply has struggled to catch up, Bailey adds. “Insurers are raising rates and standards for risks they are willing to cover. In terms of the coverage itself, some insurers have pulled back on how much they’ll cover for a ransomware attack or reduced the overall limit they are offering for businesses of a certain size.”
Even if insurers haven’t significantly altered coverage, they will likely have instituted subjectivities on their policies that require compliance with certain key security measures as a condition of the policy, Bailey says.
Research highlighting a decline in ransomware attack and payment claims with organizations prioritizing prevention and recovery goes some way to suggest that cyber insurers may be inclined to look more favorably on businesses seeking cover. However, global insurer Beazley recently issued data showing that prices for cyber insurance continue to rise despite a downward trajectory of claims, while premium rates for renewals increased 23% year-on-year in the third quarter of 2021.
“What’s more, the coronavirus pandemic increased the vulnerability of many organizations to cyber risk, as thousands of systems moved to cloud-based platforms to enable a remote workforce,” says Proofpoint’s resident CISO Andrew Rose. “During this time, cyber insurance companies urged businesses to re-evaluate their insurance policies, as the evolution of their tool sets and working practices, and the threats that apply to them, may not be represented in their existing cover, leaving unexpected gaps and shortfalls which could be catastrophic.”
For technology and compliance lawyer Jonathan Armstrong, the most significant driver of change in cyber insurance is demand for financial protection from litigation against organizations in the wake of cyber incidents. “We have seen that an attack or breach can be followed in the next day or so by lawyers claiming that they are investigating litigation against the company that has been hit.”
This issue has been under the spotlight recently in the Lloyd v Google case in the UK. Richard Lloyd alleged that Google collected data from around 4 million iPhone users between 2011 and 2012 regarding their browsing habits without their knowledge or consent for commercial purposes, such as targeted advertising. He looked to bring representative action on behalf of all affected individuals against Google for compensation, which Google opposed.
The UK Supreme Court sought to establish whether such a claim for a breach of data protection legislation can succeed without distinctive personal damage and if claimants can bring group action on behalf of unidentified individuals, including people who may not even be aware that they were affected.
On November 10, 2021, the UK Supreme Court ruled in favor of Google on both counts, meaning the action against them cannot proceed in its current form. This will be a relief to UK data controllers who were concerned that a decision in favor of Lloyd would open the floodgates for costly and time-consuming claims of little or no merit.
“In short, this judgment is a restoration of the status quo in relation to data claims,” says Will Richmond-Coggan, data protection litigator and director at law firm Freeths. “I expect that we will see fewer claims being pursued, and those that are will be ones where demonstrable harm has been caused, so we should expect that those will be easier to quantify and settle at an earlier stage. Even the unmeritorious high-volume claims of recent years have required a lot of time and cost to be expended in fending them off, so the exclusion of those claims will certainly improve the risk profile of low impact breaches, and this should influence the pricing of risk across the cyber insurance market.”
Regardless of the outcome though, Armstrong predicts that litigation will remain an impactful trend in cyber insurance. “If anything, we may see claims be threatened even more quickly as law firms and funders try and recruit claimants for ‘opt-in’ actions.”
Once a company has understood the state of the current cyber insurance market and the scope of coverage, it can then explore whether a policy will be of benefit. “Insurance is essential for many aspects of corporate life, and cybersecurity is rapidly becoming one of those,” says Rose. “Each firm must do the mathematics themselves, to balance the cost of the insurance, against the cost of the event, and the opportunity cost of the money spent on annual premiums. Identify what needs to be protected the most. Applying limits to the cover can reduce risk and help balance the business case for this increasingly essential cover.”
Indeed, organizations need to consider how much they would lose if their systems were to completely shut down from an attack, says Bailey. “Plus, the average cost of a ransom through Q3 of 2021 remained steady around $142,000, and that figure grows considerably when you include the costs of third-party help with recovery. Organizations should know if they could realistically pay this and how that might affect the stability of their business.”
Cyber insurance can help give organizations more peace of mind knowing that there’s an extra security layer, and that they’re monitoring regularly for risks, something that is becoming especially significant for smaller businesses, she says. “Whereas a few years ago we may not have felt it necessary for a small business to have a comprehensive, standalone cyber policy, attackers are increasingly targeting these smaller businesses, which tend to have weaker defenses.”
It’s also important that organizations view a cyber insurance policy as a partnership opportunity to improve overall security risk strategies, Rose and Bailey agree. “It can be so much more than just risk transfer,” Bailey says.
“Insurance firms could be at the forefront of a new wave of ‘baseline standards’ which could be much more dynamic and responsive to the threat landscape than any international standard or industry regulator,” Rose adds.
If an organization applies for a cyber insurance policy, some key factors can prove integral to success. This comes down to being able to display that a business can meet the security control requirements that insurers now look for when considering a potential policyholder to ascertain their risk status. Insurers typically assess security controls by asking applicants to complete detailed questionnaires.
Sound cyber hygiene is key here, says Bailey. “This includes a robust backup strategy, multi-factor authentication at all critical access points, and strong patch management. We also continue to see the power of scanning technologies and proactively shoring up vulnerabilities.” Larger, more complex organizations will likely require heavier analysis from underwriters due to the intricacy of their network security and decentralization of their infrastructure, she adds.
Richard agrees, saying that demonstrating that your organization has a staff training awareness program, never transfers money on receipt of an email/phone call until full verification has taken place and has paid for anti-virus and endpoint protection are also important. For guidance and support, he advises businesses to speak to an insurance broker that is experienced in cyber and can explain in simple terms what it is you need and what you should be looking to do. “There is already too much jargon in insurance, it does not need to be made more complicated by adding confusing tech terms to it.”
Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security.
Copyright © 2021 IDG Communications, Inc.
Copyright © 2021 IDG Communications, Inc.
By Michael Hill