Is Cyber Insurance on Brink of Collapse?

An industry that is too important to fail suffered claims of almost $7 billion in 2021 and now looks to take the lead in reducing client risk.


The cyber insurance industry, battered by a seemingly unending onslaught of claims, is reaching a breaking point. According to the FBI’s latest Internet Crime Report, cyber-related complaints have increased by more than 180% over the last five years, resulting in $18.7 billion in losses. Last year, some carriers paid out more in claims than they collected in premiums. As a result, the industry is now demanding that customers reduce their exposure or face steep price increases, or even cancellation of coverage.

To shore up the industry, some insurance providers are taking a more hands-on approach to reducing their clients’ risk. At the forefront is an attempt to mitigate human error, the crux of the problem. According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involved a human element, such as an employee falling for a phishing email or making a mistake. This has led insurers to search for cybersecurity training programs that have been independently verified to actually change human behavior.

No longer optional 

Survival of the cyber insurance industry is paramount. According to the National Cyber Security Alliance, 60% of small to medium-sized businesses (SMBs) fold within six months of a cyberattack. Yet, while SMBs cannot afford to go without cyber insurance, many soon won’t be able to afford the insurance itself.

Business owners and CEOs are feeling the seriousness of the situation when their renewal letters arrive. Premiums – which increased by as much as 300% in 2021, according to a report by Risk Placement Services – are expected to escalate at an even more dramatic pace. At the same time, insurers are adding exclusions and limiting coverage, and some are even exiting the market.   

“For some underwriters, the risk in offering cybersecurity coverage is simply too great at this point,” said Mark Weir, who has spent over 30 years in the insurance industry and is now managing director of LCM Solutions, a Canadian consulting firm. “In spite of the fact that taking risks is their business, insurance is an industry that doesn’t like uncertainty.” 

In the early days of cyber insurance, the one thing guaranteed was hefty profits. Insurance companies were eager to get into the market because demand was high and the perceived risk was low. 

“Initially, companies were offering cyber insurance thinking they would never actually have a claim,” explains Jeremy Harris, CEO of Mindshare IT, a managed service provider offering both IT and cybersecurity services. “Now they find themselves in a sticky situation and are looking for solutions.” 

In the past, almost all incidents were covered regardless of fault. Today, if a company fails to properly train employees or demonstrates poor security hygiene and gets hacked, its claim may be denied, and future access to coverage could be in jeopardy.


Dramatic rise in attacks

The cyber insurance industry may have become a victim of its own success. As insurers began to offer more coverage, businesses may not have felt the need to be as vigilant in their defenses. Often, they would quickly pay a ransom, assuming they would be reimbursed. As a result, cybercriminals had an incentive to target companies with cyber insurance policies in place.

Now, with escalating attacks and shrinking coverage, insurers are trying to push companies to be more rigorous in reducing risk, including requiring more stringent employee education on cybersecurity issues.

Many experts feel training is crucial to slow successful phishing breaches, since phishing remains one of the most common ways attackers gain initial access. Phishing, along with vishing (over the phone), smishing (via text) and pharming (redirecting users to fraudulent websites), often leads to the deployment of malicious software, such as ransomware.

A growing number of new regulations now require organizations in several industries to add security awareness education to their security programs, but some top executives question whether these generic training programs work as advertised.

“Our view is training that does not impact risky behaviors is a waste of time and money for our clients,” says Kirsten Bay, CEO of Cysurance, which writes policies to protect against privacy breaches, identity theft, system damage and other cybercrimes.

Bay says Cysurance was looking for a training platform that took into account how different personality types perceive and respond to risks, such as an email with a link or attachment. The platform would then target those specific people with consistent, continuing training materials that would evoke a change in actions.  

“For us, the goal is to find proven ways to detect and prevent harm, which then lowers the risk of both a security event for our clients and also a future claim,” Bay explains. 

“I think what you're seeing with the better security training companies out there is that they really focus on the individual’s personality and train them accordingly,” Harris says. “Those that have metrics proving a reduction in potential breaches are rising to the top.”

Personalized behavioral training

Some personalized training programs have demonstrated they greatly reduce the rate of phishing failures. For example, at cyberconIQ, we have found we can cut failures from a national average rate of 15% to 18% down to less than 2% after just 30 days. We use a 40-question assessment, akin to a Myers-Briggs personality test, to assess the susceptibility of each employee. Then, we use machine learning to develop a customized approach for each, to correct key motivating factors that drive underlying online behavior and measurably lower their vulnerability to fraud.

“What we look for is to develop a ‘culture of compliance,’” Weir remarked. “However, what helps one person may not be helpful to another. So, this idea of first evaluating the psychology of the individual and then educating that person based on their natural propensity is a game-changer. I think it is going to be what keeps the cyber insurance industry afloat.”

By partnering with a cyber training company that provides verified proof of reducing claims, insurance companies can greatly minimize their risks and therefore reduce the costs of their coverages. 

“I give a lot of credit to those insurance companies who are smart enough to realize they have to help their clients mitigate risk,” Harris concludes. “It’s for the good of these small companies as well as the overall health of the cyber insurance industry.”

James Norrie

Dr. James Norrie is the founder and CEO of cyberconIQ.

Norrie has more than 30 years of experience in business management, psychology and the cybersecurity industry.

He was the founding dean of the Graham School of Business at York College of Pennsylvania and is currently a tenured faculty member at the school.
