By Michael Hill
UK Editor, CSO |
With cyberattacks rising at an alarming rate around the world, cyber insurance has become an increasingly popular layer of protection for businesses across all sectors. However, despite its clear appeal as a means of supporting and augmenting cyber risk management, insurance might not be the right fit for all companies in every circumstance. In fact, there are compelling reasons why some might be advised to avoid, delay, or at least seriously reconsider buying or renewing a policy: increasing costs, stringent requirements, coverage limitations, and general complexities are but a few.
In December 2022, Zurich CEO Mario Greco stated that cyberattacks are becoming “uninsurable,” telling the Financial Times that governments need to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those in some jurisdictions for earthquakes or terror attacks.” This remark should be taken with a pinch of salt, as neither Greco nor Zurich specialize in cyber risk, but it does exemplify the increasing uncertainty surrounding cyber insurance and its viability for some businesses.
“Sometimes when industry topics really take off and grab a lot of attention, they can end up being widely spoken about without being widely understood; this is the case with cyber insurance,” says Manoj Bhatt, head of cybersecurity and networks at Telstra Purple and an advisory board member of ClubCISO. “While threat vectors increase and develop, cyber insurance offerings are also subject to a lot of change. This means that, from a business standpoint as well as a security one, it’s important to take the time to fully weigh up the value that a particular cyber insurance policy will bring to your organization, and how quickly the coverage may age.”
Here are 7 reasons why you may want to avoid or delay investing in cyber insurance.
Two things organizations might want to consider right off the bat when contemplating an insurance policy are the cost to and benefit for the business, SecAlliance Director of Intelligence Mick Reynolds tells CSO. “When looking at cost, the recent spate of ransomware attacks globally has seen massive increases in premiums for firms wishing to include coverage of such events. Renewal quotes have, in some cases, increased from around £100,000 ($120,000) to over £1.5 million ($1.8 million). Such massive increases in premiums, for no perceived increase in coverage, are starting now to be challenged by board risk committees as to the overall value they provide, with some now deciding that accepting exposure to major cyber events such as ransomware is preferable to the cost of the associated policy.”
As for benefits to the business, insurance is primarily taken out to cover losses incurred during a major cyber event, and 99% of the time these losses are quantifiable and relate predominantly to response and recovery costs, Reynolds says. “Given that a high percentage of cyber events can be remediated for less cost than the current high premiums being charged for cyber insurance, it is understandable that firms are now questioning the value of such investments. Whilst ransomware attacks are still occurring frequently, operational resilience functions are increasing the ability of firms to survive such an event relatively unscathed.”
This increasing cybersecurity maturity means that coverage for these types of events is only necessary to cover the risk of indirect costs such as regulatory fines, loss of market position, and customer reparations, Reynolds adds. While these indirect costs can have a massive impact on a firm’s liquidity should they not be covered by cyber insurance, given the low likelihood of manifesting, they will likely be considered wildcard events that do not necessarily justify high premiums, Reynolds says. “In an era where businesses are being forced to make cuts in their budgets, providing coverage at huge cost for perceived low-frequency events is hard to justify.”
There are also occasions where policy excess will outstrip the cost of making the claim and therefore it may be easier to consider dealing with the attack outside of the insurance process, adds Bhatt.
Ransomware attacks are one of the biggest cyber threats companies face given their prevalence, increasing sophistication, and potential to cause widespread damage. The increased risks posed by ransomware attacks in recent years have made cyber insurance even more appealing. However, most insurers no longer cover all the potential losses from ransomware attacks, Jon Miller, co-founder of Halcyon, says. This means investing in cyber insurance specifically for ransomware protection could be a costly mistake.
“With so many variables in a ransomware attack, insurance providers find it difficult to quantify the real risk of ransomware to accurately set premiums. For cyber insurance policies that do offer ransomware coverage, most will no longer cover the ransom payment (they can vary too wildly, so it is too hard to define actuarially). Only after a ransomware attack hits an organization do they find that the policy will only cover a fraction of the remediation and recovery costs.”
Exclusions relating to state-backed attacks are also clouding the cyber insurance waters and could make businesses question the viability of policies. Last year, insurance marketplace Lloyd’s of London announced cyber insurance exclusions to coverage for “catastrophic” state-backed attacks from 2023. In a market bulletin published on August 16, 2022, Lloyd’s stated that whilst it “remains strongly supportive of the writing of cyberattack cover” it recognizes that “cyber-related business continues to be an evolving risk.” Therefore, the company will require all its insurer groups to apply a suitable clause excluding liability for losses arising from any state-backed cyberattack in accordance with several requirements.
One of the challenges for organizations is to establish attack attribution to a nation-state, says Jonathan Armstrong, a lawyer and partner at compliance firm Cordery. “Whilst with specialist help you can often say that there are indicators of nation-state involvement, we know it’s hard to be certain. It’s these difficulties which are likely to lead to litigation, as the insurers may think there is nation-state involvement, but the insured might think this is not the case.”
In an analysis of the Lloyd’s of London decision to exclude nation-state attacks from coverage in August 2022, Red Goat cybersecurity consultant Lisa Forte points out that insurers may unilaterally decide what are and are not nation-state attacks. “It has been claimed in the sea of analysis on this decision that the attack won’t necessarily need official attribution to be excluded from the policy coverage,” Forte writes. “So, the insurer could claim that the attack is excluded because it is ‘reasonable’ to attribute it to a nation-state. Not the clarity we perhaps wanted!”
Some companies may want to avoid paying for cyber insurance because they already benefit from certain types of coverage that protect them from a cyber risk perspective, says Philip D. Harris, research director, risk, advisory, management, and privacy at IDC. “Some large organizations and even some smaller local governments are able to draw from an already established pool of funds set aside for these types of events,” he tells CSO. “Large organizations with large amounts of cash on hand can set aside these funds in the event of major events the organization has to deal with. Likewise, smaller local governments that are unable to afford cyber insurance [outright] may have taken it upon themselves to put together a consortium of smaller local governments that each fund a pool of dollars that are used in the event of major cyber events.”
Harris also warns companies against throwing money at a cyber insurance policy if their decision to invest is based solely on the completion of a cyber insurer’s questionnaire to determine their security posture. “The cyber insurers that require customers to fill out their cybersecurity questionnaire are ultimately only getting a limited, point-in-time view of the insured’s security posture,” he says. “Companies that have not had a professional cybersecurity services vendor complete a detailed assessment to have a complete picture of deficiencies, plans to remediate, and an ongoing roadmap for improvement are doing themselves a disservice by depending upon a somewhat generalized security questionnaire.”
He believes that insurers should just stick to insurance and let qualified cybersecurity service vendors handle the assessment of the insured’s cybersecurity posture. “Armed with this detailed assessment, the insurer can then take a serious look at the customer and potentially offer better premiums that make sense.”
For a cyber insurance policy to be in force and valid, an organization needs to have an extensive accounting of its security program, Miller says. “If the organization is out of compliance when it comes time to submit a claim — for example, if it did not apply patches in a timely manner or if it misconfigured security applications — it will quickly find that its policy coverage is useless.” Pete Bowers, COO of NormCyber, agrees. “Organizations must put in place a comprehensive program — covering people, process, and technology controls — to shore up their overall cyber defenses. Until they do this, cyber insurance, as the sole mechanism to transfer and mitigate the risk, is not the right choice.”
A final deciding factor in choosing not to invest in cyber insurance is simply that the money could be put to better use by improving an organization’s overall security posture and cyber resilience. “Zero coverage may be daunting, but the removal of the perceived safety net that insurance provides may be exactly what organizations need – a wake-up call to make their business more secure,” Sean Moran, bid manager at JUMPSEC, writes in a blog post. “Not by checking compliance boxes to satisfy insurers, or relying on minimum standard annual testing, but by implementing controls that will make their organization more resilient to attack.”
Organizations opting against cyber insurance for 2023 should reinvest in their holistic cyber defense capabilities, ensuring that the potential impact of a breach can be minimized, he adds. This includes testing backups, effective identity and access management, network segmentation, a well-established recovery plan, assessing which business components are most likely to be targeted by an attacker, and targeted prevention, detection, and response controls, Moran says.
Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security.
Copyright © 2023 IDG Communications, Inc.