Cyber Insurance & Robust Cybersecurity Measures: An Analysis
As cyber-attacks become more frequent and detrimental, organisations are seeking reliable and cost-proportionate ways to manage the risk. For many, in addition to technical controls, this has traditionally meant leaning on an insurance provider to compensate them for business interruption and other financial losses.
The standalone coverage was often seen as a white knight for companies fending off the worst effects of ransomware, malware, social engineering, and a host of other cyber crimes.
Matthew Hilsenrad, Senior Director of Cybersecurity at Abacus Group, believes the state of cyber insurance is shifting: "A surge in the number and cost of ransomware attacks has pushed premiums up while coverage levels decline, making insurance plans much harder to obtain and find.
"Cyber insurers are also becoming more selective over who and what they cover, demanding businesses show high levels of cyber maturity before they are even considered. The barrier to entry has been raised, and providers are applying a higher degree of scrutiny to each application. Applicants may be denied coverage due to prior incidents or lax technical controls."
For financial firms, already under mounting regulatory scrutiny, these changes put risk management processes further under the spotlight.
"No longer can cyber insurance be relied on as a catch-all safety net in the event of an attack. Instead, businesses must mount a more holistic and proactive defence, ensuring they have a robust cybersecurity strategy and incident response plan in place before the question of an insurance payout even arises," says Matthew.
Understanding Changes to Cyber Insurance
Adapting to the ever-evolving cybersecurity landscape, the cyber insurance industry is now more fluid than ever before. Strategies that were effective just a few years ago no longer suffice, as insurance decisions are continually influenced by rapid technological advancements and shifting client behaviours.
"No financial organisation should be looking at cyber insurance as a set-in-stone protective measure against all cybersecurity events. As attacks rapidly evolve in frequency and complexity, insurers are becoming more aware of the nebulous nature of cyber threats. In today’s globalised and interconnected digital landscape, cybersecurity cannot be easily ring-fenced or measured, and old security playbooks are becoming increasingly obsolete," continues Matthew.
In a report from 2022, the U.S. Government Accountability Office (GAO) observed that the future availability and affordability of cyber insurance are unclear. The office documented instances where insurers had begun to restrict the scope of coverage provided to key critical infrastructure industries, potentially complicating the process for these industries to secure cyber insurance.
"The centuries-old insurance and reinsurance marketplace, Lloyd's of London, made a clear statement of intent by recently excluding any attacks deemed to be ‘state-backed’ from its cyber insurance policies. This move, which raises questions of how attribution can truly be known for cyber-attacks, highlights how some security threats may quickly become “uninsurable” – at least in the traditional sense. This is akin to natural disasters for home insurance policies."
"Many carriers are also removing coverage for some of the most prevalent cybersecurity threats facing the finance sector, including social engineering and ransomware. With global ransomware damage costs forecast to exceed US$265bn by 2031 – and the proliferation of the ransomware-as-a-service (RaaS) model hitting financial organisations particularly hard – insurance companies are changing their underwriting models to keep pace with shifting cyber risk profiles. Accordingly, financial firms, and even governments, need to get ahead of the curve and prioritise strategies and plans to strengthen their own cybersecurity and incident response capabilities."
From reactive to proactive cyber defence
Regardless of whether ransomware is covered under a policy, organisations should not be counting on a reactive cyber insurance payout to solve their security challenges.
"As cyber-attacks become more aggressive, targeted, and harmful to businesses, proactive cybersecurity measures are no longer a tangential ‘nice-to-have’ but a core expectation.
"This is reflected in ongoing regulatory changes across the finance industry – such as the proposed SEC cybersecurity rules in the US and the upcoming DORA regulation in the EU, each requiring financial services firms to strengthen their operational resilience and consistently implement and maintain in-depth security, governance, and oversight at every level of the organisation."
"Cyber insurance alone will no longer cut it. Instead, firms need to adapt to having cybersecurity as part of their ‘business as usual’. This involves implementing robust written cybersecurity policies and procedures that tightly align with ground-level risk management processes. Having the right documentation in place provides firms with a roadmap for day-to-day operations, allowing them to coordinate and evolve in line with both changing business contexts and the rapidly shifting cybersecurity landscape."
A comprehensive and forward-thinking crisis management strategy, backed by business continuity schemes, will help organisations stay resilient if the worst does happen: an incident or a breach, or social engineering leading to data or fiscal loss.
"Regular testing and vulnerability scanning are also key components of a strong cybersecurity strategy. Rather than sitting back and waiting for an attack to happen, firms should be keeping a complete, real-time view of their changing attack surface, especially as remote and hybrid working continues to expand the security perimeter.
"This visibility can only be achieved with ongoing scanning of both internal and external systems, along with high-quality network penetration testing," continues Matthew.
But robust cybersecurity is not just underpinned by technology – it’s also shaped by human decisions and behaviours. Therefore, continuous end-user education and training is vital to ensure that all employees can identify and appropriately respond to an ever-widening range of security threats. Supported by the right policies and controls – alongside regular social engineering testing to measure the effectiveness of the programme – a multi-layered approach to employee education will strengthen organisations’ first and last lines of defence.
Communicating the true value of cybersecurity
To fully embrace a more adaptive and holistic cybersecurity posture, there is an industry-wide need for better communication around cost versus risk.
"Too many firms continue to overlook the ROI of proactive cybersecurity investment, opting for the “just enough, but no more” insurance package. But as the true cost of a major cyber incident continues to rise and span far beyond loss of revenue, investing in a broader defence-in-depth cybersecurity strategy today will pay dividends later. Cyber professionals within financial services will need to effectively communicate with and educate their organisation on the practical, business-wide impacts of cybersecurity," says Matthew.
"In an ever-changing cyber threat landscape, financial firms must ensure that more proactive measures take centre stage. It pays to have a plan where cyber insurance can be a component of a much larger and deeper risk management strategy, encompassing technology, testing, written policies and procedures, and continuous employee education."