Is cybersecurity insurance your silver bullet?
The Covid era has seen a significant rise in cybercrime, as criminals have sought to capitalize on the chaos and uncertainty caused by the pandemic. This is significant, as it comes off the back of growing vulnerability to cybercrime, with data from insurance company Hiscox revealing that insured cyber losses amounted to $1.8 billion in 2019, which was itself a rise of 50% compared to 2018.
Given the near inevitability of cyberattacks, a growing number of organizations are turning to cyber insurance, with estimates that protections are in place worth over $1 billion. The expected growth in the sector is showing signs of petering out, however, as the Covid pandemic stretches finances and draws resources away from cybersecurity. There is also concern that the spate of attacks is making insurers wary about providing cover due to the high likelihood of payouts. This is especially so if organizations forgo the difficult work of protecting themselves and simply take insurance out to cover any (inevitable) losses they incur.
Removal of the safety net
If the cyber insurance sector withers on the vine, it removes a potentially crucial risk management tool for companies, and especially for those who are most vulnerable to a cyberattack. For those who have yet to utilize cyber insurance in any way, however, there are also challenges to overcome.
For instance, determining how much coverage is required is a challenge for both the company and the insurer. This is often due to a lack of real data about the risk posed by cyberattacks to the business, especially if it has yet to suffer a serious attack and therefore lacks historical data to take to the insurer.
Indeed, the early days of the cyber insurance industry have, for all their growth, not really provided a reliable baseline regarding the amount of coverage an average company should buy.
Early estimates suggest that around 20% of the $5 billion global cyber insurance industry is taken up by companies with at least $200 million in protection.
This relatively small number of highly important companies represents a significant problem for the sector, as it would only take a few of them to encounter insured losses to cause a huge financial problem. This problem only becomes greater as the size of premiums grows, with companies holding around $500 million in protection being even riskier for the insurance sector.
While it may be tempting to think that companies with such a risk profile are going to be investing heavily in cybersecurity, recent research suggests that 25% of the Fortune 500 have suffered from a cyber breach in the past decade. What’s more, this rises to 70% for the top 10 companies in the index, 65% for the top 20, and 50% for the top 100. Large firms undoubtedly have ample resources to devote to cybersecurity but they also provide a juicy target for hackers.
“Size of operations and depth of cybersecurity do not deter hackers from exploring and exploiting vulnerabilities, as they are aware that the prize of success will be bigger,” writes cybersecurity expert Ajay Singh in his recent book Cyber Strong.
Managing the risk
All of this means that there may soon be a surplus of demand for cyber insurance and a shortfall of supply, especially for companies with significant cyber risk. For companies looking to manage the risk posed by cybersecurity, therefore, it’s important to take a short- and long-term view of the situation.
There’s a tendency for cyber insurance to be bought because it’s easier and quicker than engaging in robust cybersecurity.
That’s the wrong approach: insurance should be used to help recover from cyberattacks, not as a substitute for trying to prevent them in the first place. By engaging in robust cybersecurity, firms will not only put up better barriers to attack but also gain a more detailed and nuanced understanding of the financial implications of an attack on their business.
For instance, this kind of process will help firms understand which bits of data or infrastructure are most valuable, and what any breaches to these would be worth to the firm. This helps insurers and the insured alike because it provides a better insight into the risk posed by hackers. This will also allow you to secure insurance only for your most valuable assets rather than targeting your entire infrastructure.
It’s clear that the nature of cyber risk is still only partially understood, and still problematic to hedge. The continually changing threat landscape makes this only more difficult, as the attacks of tomorrow are unlikely to resemble the attacks of today. The insurance industry may develop the agility to adapt to this shifting landscape and provide firms with adequate protection against the threats they face, but it seems more realistic that firms will have to carry most of the risk themselves and invest in the protection they need to ensure the ongoing cyberthreat doesn’t cripple their business.