CybersecurityInsurTechSecurity

Cyber Insurance – The Catalyst for Better Cybersecurity Across the Globe


By Nick Ryan,  Director, Enterprise Technology Security & Risk, Baker Tilly US

This last decade has been a learning exercise between cyber insurance and companies looking to transfer risk. Initially, when cyber insurance was available, the clarity of what was covered versus not covered was quite ambiguous. This ambiguity has been transformed into stringent, clear-cut coverage policies that have become a catalyst for better cybersecurity across the globe.

How did we get here?

IBM surmised the average cost of a security incident to be $3.86 million – no small figure! Trend Micro recently found in a study that nearly 26% of corporate executives had a lack of willingness to try and understand cybersecurity. Pair those statements together, and you can understand the allure of cyber insurance. Transferring the substantial cost of a cybersecurity incident, specifically ransomware, to an insurance provider can be less of an investment than the spending necessary to improve an organization’s security posture and controls.

When ransomware cases had first spiked several years ago, insurance carriers increased premiums exponentially, but it was soon realized that the premiums weren’t enough to cover the payouts due to the increase of impacted customers year-over-year.  

Other methods of hemorrhaging the risk to the insurers that have been seen include halving the amount of cyber coverage (Cohn, 2021) and, in some cases, requiring a substantial deductible for the organization should a claim be filed. For example, if the organization was covered for $5 million, the insured organization would be on the hook for the first $1 million. Clearly, underwriters are expecting more from their customers.

This fundamental shift of insurers looking to mitigate the risk of payouts for cyber incidents is creating a catalyst for better cybersecurity practices. Companies who are looking for substantial coverage now need to put some skin in the game: prove your environment is secure.

What does this look like? Underwriters require lengthy surveys to be completed to have a better understanding of the security posture of the insured company. These surveys can be between 100 questions and up to 1,000 questions requiring specific evidence to be produced of policies, procedures, and the efficacy of controls. Additionally, services such as SecurityScorecard or BitSight are being leveraged by carriers to run reports on public-facing security practices of the insured companies. And it doesn’t stop there…

In the future, insurance carriers will require agents to be installed within your corporate network that will periodically check that your environment functions how you’ve reported it does. Many security practitioners have hypothesized there could be hands-on audits performed by qualified third parties on behalf of the cyber insurance carriers to balance the risk in favor of the insurance companies.

What is the solution?

The solution is to mitigate cybersecurity risk to an acceptable level for the organization, which will likely align closer to the requirements of the cyber insurance carriers. Simply put: invest heavily into the organization’s security program. Appointing a business-savvy Chief Information Security Officer (CISO) and giving them the resources to adequately protect the organization is a great starting point.

The benefit of a mature security program is not simply lowering cyber insurance premiums with greater coverage; it empowers the business forward. The marketplace has increasingly shown that organizations prefer to do business with secure companies. This is because supply chain and third-party risk has increased exponentially, and to mitigate that risk, companies want to see attestations such as a SOC2 Type 2 report or certifications like the ISO 27001 that both attest to quality cybersecurity practices. Organizations with a SOC2 report or an ISO 27001 certification are primed for more opportunities in the market.

Additionally, the average company has 13 different IT security or privacy regulations and spends $3.5 million annually on compliance activities (Telos, 2020). While compliance does not equal improved security, it certainly can be a beneficial output of a mature cybersecurity program. A recent study by the Ponemon Institute highlighted that the cost of non-compliance was 2.7 times the cost of compliance (Globalscape, 2017).

As the cyberattacks continue to manifest against countless organizations, the return on investment for cybersecurity is quite evident, and the requirements from cyber insurance carriers continue to illustrate this realization for many businesses. By investing in your organization’s cybersecurity program, more opportunities will present themselves in the marketplace, streamline compliance efforts, and increase the cyber insurance coverage while premiums will decrease.