The growing threat of cyber disruption has hit the headlines on numerous occasions in recent weeks. In October, an investigation by Hiscox uncovered a disturbing pattern of escalating cyber attacks on businesses, marking the fourth consecutive year of growth in such incidents.
The comprehensive study, known as the “Hiscox Cyber Readiness Report,” drew insights from over 5,000 organisations globally, spanning various sizes and industries.
The world’s largest insurance marketplace, Lloyd’s, also recently unveiled a startling assessment of the global economy’s vulnerability to a potential cyber attack, estimating a staggering US$3.5 trillion in losses over a five-year period.
In response to the escalating threats, insurance companies are upping their cyber game by launching new products and partnering with cyber protection specialists so that they are able to provide customers with the most up-to-date products and services.
However, the increasing number of incidents on a global scale is evidence that cybercrime is keeping up with – and in some cases surpassing – the solutions the experts are providing.
Ransomware will harden the cyber insurance market
According to Shawn Ram, Head of Insurance at the cutting-edge cyber insurance solution company Coalition, the recent findings by both Hiscox and Lloyd’s are not unexpected and are in line with Coalition’s own data report, the 2023 Cyber Claims Report: Mid-year Update.
Ram points out that data showed a 12% increase in cyber claims over the first six months of the year, driven by notable spikes in ransomware and funds transfer fraud. He says: “In our opinion, we’ll start to see the cyber insurance market harden since ransomware returned this year. Insurance often lags a bit behind, especially reinsurance, so we likely haven’t felt the full impact of ransomware’s return just yet.”
One of the biggest problems associated with a cyber breach is the cost it incurs, even if an insurance policy is in place. In many cases, customers may think they are protected against a breach but then discover, in the aftermath of an event, that their policy can’t recoup the losses.
For example, not all ransomware coverage is created equal – terms differ significantly from one insurer to another. At their most basic, policies should provide coverage for extortion demands/payments and reasonable associated fees, resulting in lost income, asset restoration and potentially reward reimbursement.
Ram says that if an attacker does break through, cyber insurers can help prevent escalation and long-tail impact through in-house incident response teams that help clients conduct digital forensics to remediate vulnerabilities and correct security flaws so that hackers cannot exploit them again. Cyber insurance companies can also help prevent clients from paying insurmountable amounts by clawing back funds.
This strategy has proven remarkably successful for Coalition’s customers as the company recovered an unprecedented US$23 million in stolen funds in the first half of 2023 — all of which went directly back to policyholders. “Notably, Coalition’s total FTF recovery amount was nearly three times greater than 2H 2022. The average recovery amount was $612,000 per claim.”
Insured and insurer collaboration
An honest collaboration between customer and insurer is critical in the journey towards a secure solution too. “Cyber insurance companies can help their customers prevent breaches from the get-go by enforcing basic cyber hygiene like removing RDP from the internet, implementing managed detection and response technology, and enforcing multi-factor authentication,” Ram explains.
Insurance companies are also in a prime position to hone their risk mitigation offerings because they have intimate knowledge when it comes to their customer’s processes. “Insurance companies must consider how they are collecting and, more importantly, using data. Insurers can actually use the millions of data points they collect on their insureds to anticipate and prevent digital risk or make them more resilient.
“Even more powerful: use this data to help clients modify harmful behaviour. For example, Coalition notifies clients through our risk management platform, Control, to remediate vulnerabilities or remove exposed technologies from the internet.”
Phil Mason, CEO, CyberCX, a leading cybersecurity company in the UK, agrees and says transparency between customer and insurer has never been more essential. “As the [Hiscox] report states, cyber criminals are using an ever evolving range of techniques which businesses also must evolve to defend. Companies that do not continue to update their cyber defences may well not be meeting the terms of cyber insurance, and so it is critical they work with their insurance providers to ensure they’re both putting best practice into place and meeting the needs of their premium.”
“Cyber insurance companies should help develop better training and awareness programmes incorporating the results from the claims they are observing,” says Monica Tigleanu, Cyber Strategy Director at BMS Group. “This education should focus on how technology works, why particular cyber security controls are useful, and delineating the responsibilities of users in employing these technologies. A great example is the misuse of new technologies such as web3, where human errors are often the catalyst of cyber crimes/breaches.”
She continues: “Education is needed for founders, owners, boards and anyone responsible in governing a business – this goes back to basics about how technology operates and knowing the right questions to ask cybersecurity professionals. By equipping decision-makers with the knowledge to manage cyber risk, we take a significant step towards a comprehensive solution.”
Tigleanu, who was also Senior Underwriter for Munich Re’s cyber division, says that small to medium sized enterprises stand to gain the most from a stringent cyber strategy. “SMEs and mid-market companies stand to benefit the most from cyber insurance for both prevention services and post-breach services provided by the insurance market. These organisations often lack robust cybersecurity measures and resources compared to larger enterprises.
“Attacks are still happening because cyber hygiene is not perfect, and significant investments are required in terms of mitigation measures, especially in terms of recovery controls, such as conducting restoration drills, maintaining well-developed and practised business continuity plans, and scenario based exercises to help companies enact an appropriate response to avoid paying criminals ransoms.”
Accurately assessing cyber risk is key
The level of coverage corresponds directly to the level of risk, so insurers must be scrupulous when assessing a customer’s potential capacity for a cyber breach. Equally, customers can be incentivised to further reduce their own risk status if the cost of premiums is reduced.
Richard Breavington, a Partner and Head of Cyber & Tech Insurance, RPC, explains: “Underwriters have for some time been placing a greater focus on assessing the security that prospective insureds have in place before offering appropriate cover, and pricing that cover.
“This is creating a healthy motivation for prospective insureds to ensure that their resilience to cyber incidents is increased. Entities that are trying to obtain cyber insurance are prompted to consider the security measures with a view to being an attractive insured and getting the best cyber insurance cover they can.”
However, he points out that there can be challenges regarding how insurers review the level of security that prospective insureds have in place and objectively assess the resilience of their digital infrastructure. “Insurers, brokers and other intermediaries are considering technology that can be used in this process. There are various approaches to this in the market, but what is clear is that there is potential advantage to be had by both insurance carriers and insurance brokers in developing that process to be as efficient, consistent and clear as possible.”
Mason concurs, and says cyber insurance policies act as a great starting point for preventing breaches, since they will often require that proactive security measures and comprehensive risk management are put in place, both to safeguard against cyber threats effectively and to validate the policy. However: “It is important insurance firms are fully transparent with their customers on this, and use it as a point of collaboration to help businesses put effective cyber defences in place.”
Cyber insurance trends driving change
In every industry, a shift in demand results in providers addressing the gap. But when it comes to the cyber insurance space, modes of attack, and the technologies to solve them, are in a constant state of transition. In terms of threat actors, ransomware is very much back in vogue, and small to medium sized enterprises are the target of the hour.
Mason explains: “A major trend is the general increase in ransomware attacks. While the volume of these specific attacks ebbs and flows over the years, a clear trend is SMBs are being targeted more and more, since their defences are often less sophisticated and therefore easier to penetrate.”
He continues: “While large enterprises may take out insurance which comes into force after so many million (thus taking the initial hit themselves), SMBs may require insurance which covers them sooner. Insurance firms must continue to consider the different types and sizes of business and provide a range of products to meet these varied needs.”
However, AI – the ultimate trending technology – has proven to be a remarkably effective tool against the rising tide of ransomware attacks and other breaches, because it enables a fast and accurate assessment of company risk. Coalition has been using it in various capacities since its inception, with a high degree of success.
Ram explains: “There was once a time when segmentation and pricing were almost entirely determined by industry and revenue. Now, with the power of generative AI, this underwriting process is faster and more accurate, allowing insurers to sift through potential policyholder questionnaires more efficiently and quote more accurately.
“In the future, cyber insurers will be able to account for all the relevant factors, such as how an organisation uses technology. The ability to more accurately segment these risks will be a massive competitive edge for underwriters.”
Davis Hake, Co-Founder and VP of Communication and Policy for Resilience, says: “While there are many trends driving further progress for modern cyber insurance providers, one of the most novel and underutilised is the shift to “financially proven” AI. Not just using AI to increase efficiencies and processes, but creating AI models that are used to underwrite actual insurance policies, with cyber insurance providers directly integrating AI models into capital decisions made by humans, as we do at Resilience.”
Hake says using AI for standardising risk analysis enhances cyber underwriters’ efficiency and elevates underwriting accuracy. This has the benefit of streamlining the cyber underwriting process, enabling swift screening and information extraction from applications. “This shift from manual to AI-assisted cyber insurance underwriting provides significantly enhanced underwriting accuracy and has helped support a loss ratio one third the industry average.
“The same models that are used for underwriting are also turned around to provide proactive cyber risk management guidance to clients. By understanding what factors contribute to claims risk, clients are able to prioritise cyber risk factors that are most closely correlated with financial damage to their organisations.”
He continues: “This perspective is different than normal risk management frameworks that adopt a checkbox prioritisation, as it focuses on limiting financial damage by understanding the value to your business returned out of your security controls. This financial-based prioritisation is core to a cyber resilience philosophy that protects the business’s ability to continue serving customers, even during a serious incident.”
And the ‘people’ element of the equation, he asserts, is still a critical part of the process. “By involving humans in data collection, AI models can better understand cyber risks from a nuanced perspective, often unattainable by machines alone. More than this, these models should be made available to customers to help them understand their cyber risk from a financial perspective – a novel way of thinking for the insurance industry.”
Legal challenges in an increasingly complex regulatory space
The insurance industry is heavily regulated in general, but the cyber sector is relatively new, and compliance rules are still being established. Furthermore, as the digital ecosystem becomes increasingly complex, new and emerging legal ramifications must be considered.
Edward Spencer, Senior Counsel in the cyber team at the international law firm Taylor Wessing, says a scrupulous approach to the regulatory framework is now mission critical in the fight against cyber attacks: “Companies that operate in the EU will need to make sure they are compliant with the latest regulations – including the EU NIS2 Directive and the proposed Cyber Resilience Act, the former specifies the reporting obligations of companies, and the latter will apply to all products with digital elements.
“For companies that are not covered by new legislation, it would still be beneficial to use the checklists of technical and organisational measures whilst considering their cyber resilience and preparing an incident response plan.”
He believes that to prevent issues when seeking to claim on any cyber insurance policy, it is crucial to fully understand the scope of the company’s insurance coverage, any relevant exclusions, and policy terms so that they align with the working practices of the business and feed into the incident response plan.
“Company directors may also want to include cyber insurance as an annual topic to ensure they are properly discharging their directors’ duties, particularly as there is increasing risk and impact of cyber attack on businesses.”
Spencer also points out that a good policy is not an excuse to skip on good cyber protocols. “Insurance doesn’t prevent incidents from happening; it only covers some costs incurred as a result, so businesses should not become complacent. Insurance is just one aspect of cybersecurity, and following policy terms precisely is vital to avoid issues later on.”
Building a resilient cyber insurance future
There is much to be done in the cyber insurance space to address growing demands and create solutions that are suitable for all types of businesses. Coverage needs to address every new development, while risk assessment requires more technical innovation. And companies themselves need to take accountability for their security shortcomings through initiatives that see staff better trained and able to spot the phishing attacks and breaches as they happen. Legally speaking, it’s also complicated.
Spencer explains: “The legal outlook for the future may see a rise in disputes related to coverage, as obtaining cyber-specific insurance becomes increasingly complex, with lengthy questionnaires for policy placement. Insurers are likely to scrutinise claims more carefully before payment, potentially leading to more denials of cover or policy avoidance due to material non-disclosures and an increase in disputes.
Moreover, certain clauses in dispute resolution policies may favour the insurer, creating hurdles and expenses for insured parties seeking to contest denied claims.
Innovation will reap rewards for insurers and customers
“Cyber insurance is inherently innovative; it applies a concept originally built for tangible risk to something seemingly intangible, which makes it naturally more complex and unpredictable,” says Ram. “The future of cyber insurance involves integrating new technologies, like AI, and continuing to leverage data to improve outcomes. Those who will be successful, will have used security data to better understand the threat landscape and their clients’ risks and improve their loss ratios.”
Technology will be a key factor, agrees Mason, who concludes: “Those who will be successful will have used security data to better understand the threat landscape and their clients’ risks and improve their loss ratios.”
Breavington also says that ensuring the availability of the right products hinges on the proper integration of cyber insurance into an overarching strategy. This integration should guarantee the implementation of suitable security measures and resilience against cyber threats, all within a cost structure aligned with the business’s needs.
He adds: “We expect attitudes to shift from seeing cyber insurance on the one hand and security measures on the other hand, to seeing those two elements becoming more aligned, with each directly affecting the other.”
Author: Joanna England
Joanna England is an award-winning journalist and the Editor-in-Chief for Insurtech Insights. She has worked for 25 years in both the consumer and business space, and also spent 15 years in the Middle East, on national newspapers as well as leading events and lifestyle publications. Prior to Insurtech Insights, Joanna was the Editor-in-Chief for Fintech Magazine and Insurtech Digital. She was also listed by MPVR as one of the Top 30 journalists in Fintech and Insurtech in 2023.