SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Insurable or not insurable? The new questions surrounding cyber risk insurance
Tue, 5th Apr 2022

In previous years, the questions around cyber risk insurance centred on 'should we or shouldn't we purchase?'

Many boards and risk managers, not entirely sure of the value of a cyber risk insurance policy, viewed cyber risk insurance with a cautious and cynical eye and the justification that 'we've never needed it before.'

Perhaps the misconception of 'we don't handle high volumes of personal sensitive information' was a convenient argument for boards to dismiss this new class of insurance out of hand.

Another justification was a high reliance on the organisation's IT teams: 'our IT teams have our cyber risk under control. There's no way we could get hacked. We are completely secure.'

In 2020, the world was upended by a global pandemic, and work routines, operational structures and life in general as we knew it underwent complete upheaval.

IT teams globally were thrust into the mission-critical roles of ensuring (i) availability of systems and (ii) security of environments in a remote working model.

The pandemic coincided with reports of unprecedented increases in reported cybercrime, namely, ransomware. This stark rise in cyber threats and resulting real loss events has profoundly impacted how organisations frame cyber threats and risks and the true cost of a cyber event on their business.

In turn, the cyber risk insurance industry has reported significant losses due to surges in claims in their cyber portfolios across all geographies and industry segments.

Significantly, for organisations across Asia the need for cyber risk insurance was brought sharply into focus.

What has this growth in demand and shrinkage in supply done for the cyber insurance market?

Rate increases range from 50% to 200%. This is the result of several rounds of lengthy negotiations, thorough remarketing activities and scrutinising potential coverage changes to effect premium savings.

One surprising finding has been that when remarketing an account, the alternative pricing has often been quoted with terms more expensive than the incumbent insurer's pricing.

The alternative carrier will request a vast set of alternative underwriting information, with each carrier formulating their cyber risk underwriting due diligence at chief underwriting level.

These requirements are disseminated throughout their regional and local offices with strict oversight and often little room for deviation. As such, a company seeking an alternative cyber insurance quotation is subjected to an entirely new round of scrutiny and a fresh cybersecurity 'audit'. IT teams and CIOs inevitably face 'question fatigue'.

One may have thought these mounting hurdles in procuring cyber risk insurance combined with increasing premium levels would dampen demand for cyber risk insurance. However, the opposite has been found to be the case.

The growing realisation of the extensive cost outlay of a cyber event is now sitting uncomfortably for boards, risk managers and finance departments.

Costs scale quickly and across many workstreams, including digital forensics, public relations, legal, and business interruption. The response costs alone can accumulate to several million dollars for a single event.

Organisations are now dealing with 'active assailants' in the cyber risk landscape, and cyber claims are consequently marked by both severity and frequency. Many current cyber claims exceed USD 1 million in losses.

While premiums may be higher than several years ago, the cost of not carrying cyber insurance appears to be far higher for most organisations.

The increasing question facing organisations now, therefore, isn't 'should we or shouldn't we purchase?' but 'can we get it?'.

Organisations must demonstrate adequate baseline cybersecurity controls before insurers will even offer a quotation. In the current market, many insurers will simply decline to provide a quote where baseline requirements are not met.

So, where should we invest? IT security or cyber insurance?

This should not be an either/or question. CrowdStrike, a cybersecurity technology firm, notes aptly: "Cyber insurance is not a substitute for cybersecurity."

A well thought out cyber risk strategy strikes the right balance between organisational investment in its people, discipline in its processes, and investment in and deployment of the right technologies to monitor threats and mitigate cyber-attacks.

Once these lines of defence are in place, insurance rounds out the picture as the final layer of defence. Cyber risk insurance is the financial backstop after implementing reasonable investments and best efforts to mitigate against attack.

While no two organisations are identical in terms of their network setup and IT environment, insurers have adopted broad baseline security measures they look for to deem an organisation 'insurable'.

Just as a property insurer would not insure a building without locks and sprinklers, cyber insurers will not insure companies that do not meet certain baseline IT security controls.

What are these baseline controls?

Cyber insurer areas of focus

  • Implementation of multi-factor authentication across your IT estate/environment.
  • Deployment of endpoint detection and response solution for all endpoints.
  • Backup Management – a multi-tiered strategy that supports effective data security and restoration.
  • Encryption of data-at-rest and data-in-transit, supported by a data classification strategy.
  • A network defence approach that includes firewalls, web traffic monitoring, and email filtering.
  • Effective and repeatable patch and change management processes or policies in place.
  • Strong approach to workforce cyber awareness and training, including phishing simulation.
  • Implementation of incident response, business continuity and disaster recovery plans – tested in the last 12 months.
  • Network segmentation (including data, IT and OT environments etc.) by business and geography.
  • Implementation of a formal privileged access management solution.
  • All local admin privileges disabled for standard IT users.