Cyber insurance was the brainchild of Steve Haase, an insurance broker for Hamiliton Dorsey Alston Co. When first introduced in 1997, the coverage was called Internet Security Liability (ISL). Early policies were designed to mitigate the risks faced by e-commerce vendors and were underwritten by AIG. While cyber insurance can trace its roots back a quarter of a century, it is, in many ways, still in its infancy.
Cyber-insurance policies, unlike health, life, auto, and most traditional lines of insurance, are not governed by regulators or legislation. There are no requirements on what must be covered, what can be excluded, or what rates can be charged. Without governance, insurance companies are working on their own to standardize coverage, normalize policy terms, and manage their exposure. This is achieved, in large measure, by requiring cybersecurity controls and practices for companies carrying cyber-insurance.
Risk profiles for traditional lines of insurance such as health, auto, or property and casualty insurance, are relatively static. Furthermore, insurance companies have large collections of actuarial data and are able to reliably predict risk based on fairly static conditions.
Cyber threats, on the other hand, are constantly changing. Bad actors are continually developing new tactics, techniques, and exploits. At the same time, companies’ computing infrastructure is continuously evolving, and each change brings the potential for new risks. To ensure security in this ever-changing environment, continuous monitoring of internal networks is required. Continuous monitoring provides insurance companies with actuarial data and ensures mandates are followed.
Risk management by insurance companies
Insurance companies have long used terms and conditions as tools to manage and mitigate risk within their portfolios. Terms and conditions are requirements that policyholders must follow in order to qualify for coverage and to maintain their policies.
For example, policyholders are required to disclose all drivers within the household. Insurance companies have also lobbied to create laws that codify these terms and conditions as mandates, such as seatbelt and airbag laws. Mandates have also been used in property insurance. Smoke detectors are now mandated in all homes and commercial buildings. Most new commercial properties are also required to have sprinkler systems installed. These practices reduce the likelihood of an accident that could lead to costly claims. They also reduce the potential severity in the event of an accident, thereby minimizing financial and physical loss.
Mandates have proven effective in traditional lines of insurance. By imposing terms on policyholders, insurance companies influence behavior to reduce risk, allowing them to maintain a healthier portfolio. This also benefits policyholders and insurance carriers by lowering the risk of a loss and minimizing the impact should an adverse event occur. Policyholders also benefit as lower risk equals lower premiums.
The number and scale of cyber-attacks is growing, as is the financial impact of those attacks. According to IBM’s Cost of a Data Breach Report, the cost of a data breach for healthcare organizations reached $10M per incident in 2022. Healthcare is not alone, as cyberattacks impact every major industry.
With the growing number and scale of attacks, cyber insurance carriers face heavy loss ratios and, by most estimates, are losing money. To combat these losses, insurance companies are making changes. Premiums are increasing, policies have lower coverage limits, additional exclusions, and policyholders face high rates of denied claims.
Cyber-insurance companies are also adding new requirements that policyholders must follow. They initially set only three requirements for policyholders to follow and are now requiring companies to attest to a nine-point cybersecurity plan.
These requirements are designed to minimize exposure for cyber-insurance companies by providing higher levels of security for organizations purchasing cyber-insurance. Despite the intent of the requirements, they are not working.
Challenges with cyber insurance mandates
Cybersecurity mandates provide a set of requirements to be followed to get and maintain cyber-insurance coverage. There are two main issues with cyber-insurance mandates today. The first is that no one is checking to verify that mandates are being followed. Cyber insurance is a fast-growing market and today most insurance providers are focused on growing market share. Requiring companies to verify mandates are being followed creates a barrier to signing up new customers, especially when competitors do not require verification.
Second, IT environments are rapidly changing. New devices, users, and applications are constantly added. Devices may be moved. Systems are upgraded and configurations change. Any of these changes could introduce vulnerabilities or result in a company no longer being compliant with mandates.
When the cyber insurance companies stop chasing market share, we will see focus shift to achieving profitability. When that happens, they will begin to verify that mandates are being followed. The future is clear, cyber insurance brokers and carriers will require proof of compliance to cyber insurance mandates.
Automation with continuous monitoring is the solution to cyber-insurance risk management. An effective solution requires continuous monitoring of a company’s computing infrastructure to create a dynamic model of cyber-risks. A collaborative approach in which this dynamic cyber-risk model is shared between the policyholder and insurance company is needed. This would allow collaboration to access specific risks, implement relevant security measures, and regularly update security strategies to address evolving and emerging threats.
Not one size fits all
Insurance companies have a long history of successfully applying mandates to traditional lines of insurance. These mandates work because they are followed. Building inspectors verify that smoke detectors are installed. Airbags are now standard on all new vehicles. Seat belt laws are largely followed.
Cyber-insurance mandates, while helping to raise security standards for some organizations, have not yet had the same impact in reducing risk. The main reason these mandates are failing is they are not consistently followed. And they are not followed because no one is checking to verify they are being followed. Applying these cybersecurity practices across an organization’s infrastructure requires constant monitoring to ensure they are in place.
Without continuous monitoring to accurately assess compliance to cyber-insurance requirements, organizations remain at risk. Continuous monitoring accurately assesses compliance to cyber-insurance requirements. Automated tools also provide cyber-insurance carriers with real data to monitor their exposure. Without it, organizations remain at risk.