--The standards, while they couldn't provide total protection, by any means, could greatly reduce policyholders' risks of cyber attacks.
--The standards need to be imposed on an industrywide basis because any insurer that imposed the standards on its own would risk losing business to less strict competitors.
--There would also need to be provisions for checking, in a scalable way, to make sure that insureds are following basic cyber hygiene.
While all types of insurance present a host of variables only partially enumerable in actuarial calculations, cyber insurance presents many unique, abstract challenges. It is almost impossible to accurately predict the connectedness of systems: whether attack frequency will rise or fall, which verticals hackers will target most and, without deep security audits, which specific organizations actually adhere to rigorous cybersecurity practices.
For example, while the rates of serious global cyberattacks, including ransomware, have been increasing overall for many years, 2022 saw a decline in overall ransomware attacks. For some experts, this may have been predictable: war efforts often divert hacker attention away from financially motivated attacks toward those that serve patriotic and militaristic motives (and a drop in the crypto market also reduced the profitability of attacks). But this threat reduction caught many by surprise. Regardless of the reason, the effect on the cyber insurance market was tangible: reduced claim frequency and severity increased margins and lowered the perceived risk exposure in the short term, and higher margins and lower risk exposure (combined with new entrants to the market) started to soften terms and conditions once again.
As some cyber insurers have vied for premium dollars, many of the recently introduced controls used to reduce underlying risk, including requiring minimum cybersecurity controls of their insureds, have fallen by the wayside. When we no longer have a means of controlling risk—such as requiring risk management controls—expanding capacity is no longer tethered to real-world data, making it far less attractive to carriers. This uncertainty has been underscored by the incoming data of 2023, which shows that ransomware (only one attack modality) is once again surging despite little else changing in the overall geopolitical environment, demonstrating yet again the importance of gaining risk visibility wherever possible.
What is needed, we argue, is a set of universal, standardized cybersecurity requirements for insured organizations, adopted across the cyber insurance market. By requiring insureds to meet basic, essential cybersecurity controls, we can, to some degree, mitigate the risks and make them more predictable.
Many cyber insurers would like to impose standards to reduce risk, but doing so on their own can hurt them while more risk-tolerant competitors are willing to waive limiting terms and conditions to attract insureds. This endless cycle, however, is contributing to a lower overall standard of cyber rigor in organizations and higher risk for the insurance industry. It is impractical to expect more than a few bold insurers to take a stand on this issue; thus, we believe that reinsurers are in a better position to leverage their influence toward this goal. This would be comparable to the type of collaborative action we saw in the industry when striving for a more unified war exclusion. By requiring insurers to require a universal set of minimum security standards, reinsurers could not only capture more certainty around loss performance and exposure, they could also level the playing field for cyber insurers, making minimum standards a norm rather than a competitive differentiator wielded to the detriment of risk predictability. The result would be an improved enterprise cybersecurity posture and reduced risk for the insurance industry overall, setting the stage for further sustainable growth.
For example, today, business interruption represents nearly 60% of cyber-related losses; the best way to reduce these losses is to ensure organizations are strategically securing their infrastructures as a condition of their cyber insurance policies.
What Kinds of Cyber Standards Should Be Required?
As cybersecurity experts, we understand that no set of controls guarantees companies won’t be breached. However, there are basic hygiene controls that no organization should be without. We argue that the insurance industry should work together to not only define a minimum set of cybersecurity standards, but also bring in cybersecurity experts to determine how those controls should be deployed and checked in a scalable way to ensure they are effective. Some controls that should be considered include:
- Multi-factor authentication (MFA) deployed universally, wherever it is supported
- Endpoint detection and response (EDR) tools coupled with next-generation anti-virus software
- Segregated, redundant and immutable backups
- Patching and vulnerability management processes for critical updates
- Security awareness training for employees
- Privileged access management
Yet, it isn’t enough to merely require that organizations check the box on these items. It’s essential that the details of how they are implemented be clearly spelled out. For example, backups are not effective if their security features are not properly configured, if the backup system is a member of the Active Directory domain, or if the backups are not immutable (that is, if they can be deleted or moved outside of the very rigorous two-key-turn and retention policies set by the company and the system). We suggest that reinsurers create a panel of experts to decide which controls should be mandated and the specific details of how those controls should be executed, so that they are effective both for organizational health and for mitigating risk.
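As an added illustration (not part of the original article, and not any insurer's or reinsurer's actual checklist), here is a small Python evaluator that scores an insured's control attestation against the kind of detailed baseline this paragraph calls for. It covers the six controls listed above and, for backups, applies the detail checks just described: a backup system that is domain-joined, not immutable, or deletable without a two-person rule fails even if the "backups" box is checked. The thresholds (30-day retention, 14-day critical-patch SLA, two segregated copies, 90% training completion) and the attestation field names are assumptions chosen for the example, and both sample attestations are constructed.

```python
from dataclasses import dataclass

# Assumed baseline thresholds: hypothetical numbers chosen for illustration,
# not figures from any insurer, reinsurer or standard.
MIN_BACKUP_RETENTION_DAYS = 30
MAX_CRITICAL_PATCH_DAYS = 14
MIN_BACKUP_COPIES = 2
MIN_TRAINING_COMPLETION = 0.9


@dataclass(frozen=True)
class Finding:
    control: str   # which of the six controls the gap belongs to
    detail: str    # what specifically is wrong with the implementation


def check_mfa(att):
    """MFA must be enabled on every attested system that supports it."""
    systems = att.get("mfa_systems", [])
    if not systems:
        return [Finding("mfa", "no MFA inventory attested")]
    gaps = [s["name"] for s in systems if s["mfa_supported"] and not s["mfa_enabled"]]
    return [Finding("mfa", f"MFA supported but not enabled on: {', '.join(gaps)}")] if gaps else []


def check_edr(att):
    """EDR coverage measured across the endpoint estate, not a yes/no answer."""
    e = att.get("endpoints")
    if not e or e.get("total", 0) == 0:
        return [Finding("edr", "no endpoint inventory attested")]
    missing = e["total"] - e.get("with_edr", 0)
    return [Finding("edr", f"{missing} of {e['total']} endpoints lack EDR")] if missing > 0 else []


def check_backups(att):
    """Segregated, redundant, immutable, outside the AD domain, two-person delete."""
    b = att.get("backups")
    if b is None:
        return [Finding("backups", "no backup attestation provided")]
    f = []
    if b.get("domain_joined", True):
        f.append(Finding("backups", "backup system is a member of the Active Directory domain"))
    if not b.get("immutable", False):
        f.append(Finding("backups", "backups are not immutable"))
    if not b.get("two_person_delete", False):
        f.append(Finding("backups", "deletion or retention change does not require two approvers"))
    if b.get("retention_days", 0) < MIN_BACKUP_RETENTION_DAYS:
        f.append(Finding("backups", f"retention {b.get('retention_days', 0)}d below {MIN_BACKUP_RETENTION_DAYS}d"))
    if b.get("segregated_copies", 0) < MIN_BACKUP_COPIES:
        f.append(Finding("backups", f"fewer than {MIN_BACKUP_COPIES} segregated copies"))
    return f


def check_patching(att):
    """Critical updates must have an attested SLA within the baseline."""
    sla = att.get("patching", {}).get("critical_sla_days")
    if sla is None:
        return [Finding("patching", "no critical-patch SLA attested")]
    return [Finding("patching", f"critical-patch SLA {sla}d exceeds {MAX_CRITICAL_PATCH_DAYS}d")] if sla > MAX_CRITICAL_PATCH_DAYS else []


def check_training(att):
    rate = att.get("training_completion", 0.0)
    return [Finding("training", f"completion {rate:.0%} below {MIN_TRAINING_COMPLETION:.0%}")] if rate < MIN_TRAINING_COMPLETION else []


def check_pam(att):
    """Privileged access: vaulted admin credentials and no standing Domain Admins."""
    p = att.get("pam", {})
    f = []
    if not p.get("vaulted_admin_creds", False):
        f.append(Finding("pam", "privileged credentials are not vaulted"))
    if p.get("standing_domain_admins", 0) > 0:
        f.append(Finding("pam", f"{p['standing_domain_admins']} standing Domain Admin accounts"))
    return f


CHECKS = (check_mfa, check_edr, check_backups, check_patching, check_training, check_pam)


def evaluate(att):
    """Run every check; an empty list means the attestation meets the baseline."""
    return [f for check in CHECKS for f in check(att)]


ATTESTATION_STRONG = {  # constructed sample: each control implemented with the required detail
    "mfa_systems": [{"name": "VPN", "mfa_supported": True, "mfa_enabled": True},
                    {"name": "email", "mfa_supported": True, "mfa_enabled": True},
                    {"name": "legacy PLC", "mfa_supported": False, "mfa_enabled": False}],
    "endpoints": {"total": 400, "with_edr": 400},
    "backups": {"domain_joined": False, "immutable": True, "two_person_delete": True,
                "retention_days": 90, "segregated_copies": 3},
    "patching": {"critical_sla_days": 7},
    "training_completion": 0.97,
    "pam": {"vaulted_admin_creds": True, "standing_domain_admins": 0},
}

ATTESTATION_WEAK = {  # constructed sample: every box "checked", but the details are wrong
    "mfa_systems": [{"name": "VPN", "mfa_supported": True, "mfa_enabled": True},
                    {"name": "email", "mfa_supported": True, "mfa_enabled": False}],
    "endpoints": {"total": 400, "with_edr": 350},
    "backups": {"domain_joined": True, "immutable": False, "two_person_delete": False,
                "retention_days": 14, "segregated_copies": 1},
    "patching": {"critical_sla_days": 30},
    "training_completion": 0.6,
    "pam": {"vaulted_admin_creds": False, "standing_domain_admins": 12},
}

if __name__ == "__main__":
    for name, att in (("strong", ATTESTATION_STRONG), ("weak", ATTESTATION_WEAK)):
        print(name, "->", [f"{f.control}: {f.detail}" for f in evaluate(att)] or "meets baseline")
```

The weak attestation would pass a checkbox questionnaire (it has backups, MFA, EDR and so on) but produces eleven findings here, five of them on backups alone; that gap between "has the control" and "has the control configured so it survives an intruder" is what a scalable check has to capture.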
Risk Is a Fact in Security and Insurance—But There’s More We Can Do
In cybersecurity, we live with the reality that breaches can happen even to the most cyber-dedicated organization. That doesn’t make their security efforts futile—without these safeguards, organizations would be open to virtually daily intrusions. While we must live with risk uncertainty in cyber insurance, setting universal, minimum cybersecurity standards for organizations would provide far greater risk reduction and visibility.