Why the hardening of the cyber insurance market is booming
Last year was, by some measure, the worst year on record for cyberattacks. On a global scale, research has found that the number of cyberattacks targeting businesses increased by 13% between 2020 and 2021, with manufacturing, professional services and retail hit the hardest. In fact, it’s been hard to escape news of ransomware attacks over the past year, and it’s therefore no surprise that malware attacks – including ransomware – increased by 18% during the same period.
More recently, the Russian invasion of Ukraine has been notable for both military and malware attacks. Bad actors have used destructive malware against organisations in Ukraine to destroy computer systems and render them inoperable. As the invasion continues, the threat of attacks on critical infrastructure such as healthcare, energy, water and food, and agriculture continues. No business is immune.
Despite the recent rise in the number of cyberattacks being reported, the UK National Crime Agency believes there is still significant under-reporting of incidences as businesses rarely have accurate information about what happened and when.
It’s also not necessarily the case that the number of bad actors is increasing, but also that the scale on which they’re operating has broadened exponentially. And not just the scale, but the manner in which cyberattacks are happening has also evolved – with a ‘hack to cash’ hierarchy firmly established, and few perpetrators being caught.
The growth of this malevolent business has led to a corresponding burgeoning of a benevolent counter industry, as cybersecurity experts have invested more and more time and money to stay ahead of the curve.
One key challenge for today’s security value chain is the fact that, unfortunately, cyber insurers and cybersecurity incident response teams (CSIRTs) are fighting over the same budget amongst customers. Thankfully the market has moved on from the situation five to 10 years ago when some, less mature, organisations would include security tools and services more generally in the same budget category.
This improvement has been driven by an increasingly proscriptive approach from cyber insurers as to the baseline security controls they expect to see in place before they are willing to provide coverage. However, the fact remains that cyber insurance and incident response functions ought to be perceived as stakeholders in a team that needs to work together. One is needed to assess, manage and prevent cybersecurity-related emergencies, as well as coordinate the incident response efforts after an event has taken place; the other is needed to seek financial compensation after the event has finished and the damage can be properly assessed.
Mind The Gap
As the cyber insurance market matures and hardens following a surge in losses and economic strains such as COVID-19, CSIRTs can potentially fill the gaps in cases where businesses are left exposed in their preparedness.
With many cyber insurers are starting to see their costs rise in line with the intensifying threat landscape, they are rightfully looking at means by which they can start to bring these costs back under control. Amongst other tactics, there are three key themes to this approach: to better quantify their customers’ levels of risk; to become more specific in terms of the security tools and services policy holders are expected to adopt in order to qualify for coverage; and to become more specific in terms of what does and does not fall under coverage of their policies. On this last point, the rising volume of cybercrimes instigated by foreign governments is a key example. If cybercrime is determined to be state sanctioned, then cyber insurers are increasingly determining that it should be treated as an ‘act of war’ and thus not covered by insurance.
The huge rise in prices for cyber insurance is a wake-up call to all sections of the industry to work together better. As equal stakeholders in the cyber insurance ecosystem, both cyber insurers and CSIRTs are dependent on each other and should be working to achieve a mutually beneficial balance. Cybersecurity is and should be at the forefront of priorities for all chief executives, regardless of whether they have separate cyber insurance policies to mitigate their losses.
The current hardening market then serves an important role to catalyse positive change in the ecosystem that will ultimately lead to more resiliency and sustainability for everyone.
About the author: Dominic Trott is the UK product manager for Orange Cyberdefense