Cybercrime and cover: Are insurers able to keep up?

As incidents of cyber-attack look set to increase in 2022, with 2021 showing skyrocketing rates of hacking, insurance companies are on the front line. Mot only are they providing cover for those damaged by the breaches, but they are also taking the hits in terms of claim payouts, especially in the form of ransomware hacks that not only target individual companies but those that support a network of services.

We spoke to Andrew Rose, Resident CISO, EMEA, of Proofpoint, to find out what more can be done to prevent events in the next 12 months. 

Q: What changes in cybersecurity risk assessment have occurred over the last 18 months, as a result of digital transformation?

Over the past 18 months, cyber-attacks have increased in number and notoriety, thus increasing the demand for insurance policies. But with every successful claim, the current model of cyber insurance becomes less viable. 

Unlike the automotive and travel industries, which have historically quantified risk with masses of historical data, the cyber industry is new, dynamic, and tricky to limit. Many insured risks are based on the likelihood of a random event, not a threat that is purposeful and malicious, with the increasing capability and scope of cybercrime.

As the world becomes more interconnected and reliant on software, insurers now have the rare opportunity to redefine their industry, by managing risk down by insisting on cybersecurity best practices as a condition of insurance.

Q: Are insurers coping with the demands for new and better cyber cover?

The demand for cyber insurance policies has accelerated and it’s unlikely to wane anytime soon. With a steady drumbeat of high-profile cyberattacks, the majority with potentially severe financial and reputational consequences, more organisations are turning to insurers to help them cope with the fallout of such events. So much so that the global cyber insurance market, worth $5.95bn in 2019, is estimated to reach $32.5bn by 2027. 

This increase in demand for cyber insurance policies has created a unique problem for the industry. While US cyber premiums grew by 22% in 2020, so too did the direct loss costs and the defense and cost containment (DCC) ratio – a figure that refers to the share of an insurance company's income that is paid out to claimants. 

When the DCC ratio hits 80%, insurance companies start to lose money. Last year it reached 73%, up from 47% the year before. What’s more, with 64% of organisations feeling at risk of a material cyber attack in the next 12 months, the 7% buffer in the DCC ratio is unlikely to hold for much longer. Clearly, something has to give - and fast. 

Q: What trends are happening in this space and will become more important in 2022?

Insurance firms are starting to rethink their policies and business models to take growing cyber risk into account. Most commonly, this means limiting the scope of cover. AXA was one of the first major insurers to take this step, withdrawing cover for ransomware attacks in France. Perhaps in retaliation to the interruption of a lucrative revenue stream, cybercriminals targeted the company with a ransomware attack days later. 
To avoid these two draconian paths, insurers have started to stipulate stricter conditions of cover or offer discounts to those with certain protections in place. Similar to the car insurance policy discounts offered to drivers who have agreed to install GPS black boxes, for example.

Stipulating such conditions is far from a new concept. One famous instance of such tactics dates back to the early 1900s. In response to a sharp increase in steam boiler explosions, the Hartford Steam and Boiler Inspection and Insurance Company (HSB) mandated the use of a special piping configuration for anyone wishing to take out a boiler insurance policy. Boiler explosions, and resulting claims, fell significantly as a result.
Q: Name one area of insurtech in need of attention in terms of cybersecurity and explain why and what should be done.

Companies are becoming increasingly reliant on technology,  commonly coordinating multiple third parties to supply services that are combined into a customer value proposition with the brand’s name on it.  It is challenging to manage the complexity and security risks of just one system, never mind multiple intertwined systems from different suppliers.  Security leaders need greater visibility into the supply chain that enables their business and into the levels of security each applies.  Only by getting greater levels of insight and understanding can they truly start to understand the systemic risks that their service may face

Q: Is innovation reducing risk in terms of cybercrime?

Digital transformation is all about rapid innovation and leveraging data to make fast decisions.  We all know that risk management tends to be driven by hindsight, however, the speed of innovation could mean that some terrible problems are encountered before lessons are learned.  It’s important for cyber security to become a fundamental cornerstone of any business's values statements, to try and get ahead of the risks and prevent potentially catastrophic loss of service, brand, and customer trust.

About Andrew Rose: Rose joined the UK technology company Proofpoint to support the pursuit of 'people-centric security, which he believes is the most crucial aspect of cyber security for firms today.