
Is cyber insurance failing due to rising payouts and incidents?

October 11, 2021 by Patrick Mallory

When Steven Haase developed, in April 1997, the first of what is now known as cybersecurity insurance, he already saw how big the product would one day become.

“I’m looking at it. They have auto insurance, workers’ comp, property insurance… but they have all this data, and all this exposure,” Haase noted of his forward-looking product. “There wasn’t really a good methodology for loss control, loss prevention.”

And now, more than 20 years later, what Haase then called an “Internet Security Liability Policy” is simply known as cyber insurance.

So just how well is this relatively new insurance product doing as it matures?

If you ask researchers at the United Kingdom’s Royal United Services Institute (RUSI), cyber insurance is failing to live up to expectations. But is that true, or is this impression of liability insurance just the symptom of a much bigger problem?

Is cyber insurance living up to its potential?

If you ask the researchers at RUSI, the answer is a resounding no.

But once you begin to pull back the layers of their findings, you will quickly notice that there is no fundamental problem with the concept of cyber insurance. The problem is how insurance providers and customers use cyber insurance as part of their risk mitigation controls, and how neither is learning from the data right in front of them.

First, the authors believe that the cyber insurance industry is “struggling to collect and share reliable cyber risk data that can inform underwriting and risk modeling.” This prevents providers from building realistic risk profiles of their customers and writing policies that effectively manage the potential risk, and it ultimately removes the incentive for customers to make the foundational changes they need to improve their cyber defenses.

And second, RUSI notes that cyber insurance providers are struggling to understand the nature of cyber risk itself. The result is that, instead of a business putting the necessary controls in place to mitigate its risk, it relies on the cyber insurance policy to pay cybercriminals directly to get its data back, which makes the attacks more profitable and creates an incentive to continue them.

As a result of these two challenges, in a year (2020) in which global cybercrime cost businesses more than $1 trillion, the cost of cyber insurance rose by 32 percent and some providers have begun to leave the market.

How is cyber insurance expected to evolve in the future?

So, following a period of record liability and financial loss, what do the experts think the future of cyber insurance will look like? While the predictions vary, they generally fall into several categories and themes.

First, researchers at The Howden Group report that “ransomware is now the predominant cyber threat confronting businesses,” and they expect that to remain the case until both the organizations that buy cyber insurance and the providers themselves better understand the incentives and risk profiles that companies respond to. This is because organizations continue to rely on cyber insurance as a primary risk mitigation strategy, while cybercriminals continue to reap the benefits of the insurance payouts.

Similarly, the researchers at RUSI agree with those at The Howden Group that a market adjustment is likely coming. It will take the form of cyber insurance coverage being more directly linked to putting security controls in place, with incentives for those businesses that take their defenses further.

The authors of the RUSI paper even go as far as to suggest that the cyber insurance market should “collectively agree on a set of minimum security requirements as part of risk assessments” for the businesses that they choose to cover. Given the noted rise in demand for cyber insurance, which coincides with a decrease in the capacity brokers are able to offer, providers have the leverage they need to make such structural changes a condition of coverage.

Finally, to bolster the risk management frameworks that cyber insurance providers use to set their coverage levels, the research papers also point toward partnerships with other public and private organizations to collect more data about the nature and patterns of cyber threats. For example, cyber insurance carriers could, as the RUSI authors suggest, “explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to internal sources of data.”

Combined, these changes could over time lead to an industry-wide increase in baseline security standards, along with a simultaneous decrease in potential liability and in the profitability of ransomware attacks for the criminals who execute them.

How can organizations better leverage cyber insurance to manage risk?

Understandably, the timeline for establishing new regulatory frameworks, liability insurance requirements and new cybersecurity standards that will shift the market away from cybercriminals and stabilize the cyber insurance industry is still undetermined.

So what can organizations do today to better leverage cyber insurance to mitigate their risk?

1. Understand the proper role of cyber insurance

Talk to any cybersecurity professional and you will likely hear them say that it is more a matter of “when,” not “if,” a specific organization will fall into the sights of a cybercriminal. 

Therefore, what determines whether that threat is realized, and how severe its impact is, will be the strength and depth of the security controls the organization has in place, not the amount or availability of cyber insurance.

As noted in The Howden Group study, organizations with poor cyber hygiene continue to purchase cyber insurance to help reduce their financial liability in the wake of a cyber incident, even if that means facing “more penal” terms and rates. This comes as cyber insurance providers prioritize companies able to “demonstrate robust and tested security measures.”

This underscores the point that businesses should think of cyber insurance not as a security control or a direct risk mitigation strategy in itself, but as a fallback they can rely on, just like their other forms of insurance.

2. Understand the types of cyber insurance

Secondly, organizations should identify the type of cyber insurance that is right for them. 

While there is a wide range of available options, cyber insurance policies generally fall into two main types: first-party coverage and third-party liability coverage.  

First-party coverage is designed to cover the direct costs a business faces in responding to a cyberattack. These can include:

  • Forensic investigation of the event
  • Crisis management
  • Device restoration or management
  • Business downtime
  • Legal advice
  • Notification to affected parties, e.g., customers

Third-party liability coverage, on the other hand, is designed to cover the costs associated with claims, lawsuits and regulatory liabilities in the wake of the cyber incident. These can include:

  • Lawsuits by affected parties
  • Fines by regulatory bodies
  • Legal fees
  • Electronic media content liability, e.g., cost of copyright infringements

In other words, organizations should make sure that they have the right types of coverage for the different types of costs they could potentially face. Organizations also need to accurately account for the controls they already have (or don’t have) in place, since those controls raise or lower the likelihood that they will ever need to make a claim.

3. Understand what cyber insurance does not cover

Finally, building on the other two points, organizations should also understand what cyber insurance does not cover upfront. 

Even if your organization has cyber insurance that can help it regain access to customer and corporate data after a ransomware attack, there are many other direct and indirect costs, as well as negative effects, that are not covered.

Most notably, cyber insurance cannot compensate for the massive negative impact on customers’ trust in your brand to keep their data secure and private. Similarly, even where legal and regulatory costs are covered, cyber insurance cannot put a stop to the negative publicity, the downstream tarnishing of your brand and the financial costs that it could inflict.

Of course, there are other aspects that cyber insurance does not cover, but ultimately organizations need to put their purchase and use of cyber insurance into context.

Is cyber insurance right for you?

Unfortunately, the size and scale of the ransomware attacks that have seemingly become the norm in today’s business headlines show no signs of easing.

However, businesses that rely on cyber insurance to help mitigate their cyber risk should find hope that researchers and security professionals are beginning to analyze how cyber insurance is affecting the overall security of today’s global economies and what changes could be implemented to improve its delivery. 

In the meantime, organizations should see cyber insurance for what it is: one part of what should be a larger, more robust set of security controls and risk mitigation strategies, offering an extra layer of financial protection rather than serving as their only defense.

That way, as the cyber insurance market right-sizes itself and finds its proper role in the cyber security and liability market, businesses can protect their brands and customers and stem the tide of the dramatic rise in profitable cybercrime.

Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program. Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.