Navigating the cybersecurity insurance minefield: Why insuring businesses is becoming more complex
2 March 2023
- As cybersecurity risks continue to grow in importance, offering cyber insurance has become increasingly challenging for insurers.
- It’s not all bad news. Both the corporate and the (re)insurance markets are looking for innovative solutions to increase capacity and appetite regarding cyber risk.
- Cyber risk insurance is no substitute for good cybersecurity practices, and businesses should still take steps to protect themselves against cyber attacks.
A recent survey among banking industry chief risk officers (CROs) highlighted that their top risk priority for the next 12 months is cybersecurity risk. Zurich Insurance Group and Marsh McLennan confirmed this sentiment in their most recent Global Risks Report, published and presented at the World Economic Forum, which ranks ‘Widespread cybercrime and cyber insecurity’ as the number eight risk worldwide (both short- and long-term).
The cyber risk insurance landscape: increase in importance, decrease in appetite
This comes as no surprise: cybersecurity risks are becoming increasingly important because both the frequency and the severity of cyber attacks continue to rise. According to IBM Security, the average cost of a data breach for a company is $4.24 million, and the number of reported breaches increased by 15% from 2020 to 2021.
Most common types of attacks
The most common types of attacks are:
- Data Breach: unauthorized access and retrieval of sensitive information.
- (Distributed) Denial of Service (DoS / DDoS): an attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
- Mass / Targeted Ransomware: a type of malicious software designed to block access to a computer system until a sum of money is paid.
Furthermore, cybersecurity is not only a concern for large corporations. Small and medium-sized businesses are particularly vulnerable to cyber attacks, as they often lack the resources to adequately protect themselves. It is important to note that businesses can be under attack without detecting it: in 2021, it took a business an average of 212 days to identify that a breach had occurred and a further 75 days on average to contain it, for a total breach lifecycle of 287 days.
Cyber risk from an underwriting perspective
In a recent article in the Financial Times, Mario Greco, chief executive of insurance giant Zurich, warned that cyber attacks will soon become “uninsurable” because of the increased frequency of the attacks and the damage they are causing. This presents a significant operational risk for individuals and businesses, as insurance is often one of the few means by which they can protect themselves against such risks.
We highlight some of the main reasons that cyber insurance has become increasingly difficult to offer for insurers:
- Lack of historical data on cyber risks: Unlike more traditional forms of insurance, there is no long-term track record of claims related to cyber incidents. This makes it difficult for insurers to accurately assess and price the risk. This can result in either high premiums or inadequate (or even no) coverage.
- The complexity of risks: The constantly evolving nature of technology means that new threats and vulnerabilities are constantly emerging, making it difficult for insurers to stay ahead of the curve. Additionally, the complexity of cyber risks makes it challenging for insurers to understand and assess the potential impact of a cyber-attack or data breach.
It’s not all bad news. Both the corporate and the (re)insurance markets have started looking for innovative solutions to increase capacity and appetite with regard to cyber risk.
Stijn De Munck, Project Consultant - Financial Institutions
Low underwriting appetite leads to consequential operational risks
Due to this low risk appetite among insurers, companies themselves face a number of issues when trying to properly insure their exposure to cyber risk events:
Coverage gaps: Some cyber risk policies may not cover all types of cyber incidents, such as those related to reputational damage or supply chain disruption. This can result in coverage gaps that leave businesses exposed to financial losses.
Policy exclusions: Cyber risk insurance policies can be complex and may exclude certain types of losses, such as those related to pre-existing vulnerabilities or to failure to comply with security best practices. This can make it difficult for businesses to understand exactly what is and is not covered.
- Employee misconduct, such as insider threats, can be excluded from coverage, which means that if a company suffers a loss due to the actions of its own employees, the policy may not cover it.
- Another possible exclusion is coverage for losses resulting from war or acts of terrorism.
- Policies may also exclude coverage for punitive damages, which are damages awarded to punish a party for particularly harmful conduct. Likewise, a policy may not cover the cost of repairing a company's reputation or brand following a data breach or cyber attack.
- Additionally, some policies may not cover losses resulting from the actions of third-party vendors, such as those that provide cloud services.
- Finally, some policies may not cover physical damage to equipment or property resulting from a cyber attack.
Limited options: The cyber risk insurance market is still relatively new, and businesses may have limited options to choose from. This can make it difficult for businesses to find a policy that meets their needs.
To put it briefly, companies should be aware of these exclusions in their cyber insurance policies, take steps to minimize and mitigate the risk of losses that may not be covered, and have a comprehensive incident response plan in place.
Additionally, it should be noted that cyber risk insurance is no substitute for good cybersecurity practices, and businesses should still take steps to protect themselves against cyber attacks. Companies should not become complacent in their security measures because they have insurance.
Before and after the attack: How pre-loss services and post-breach responses can help mitigate cybersecurity risks
Insurance companies play an important societal role: they are meant to be a stabilizing force, a cushion for segments of society that creates the ability for people and companies to take risks. In the cyber domain, insurers have the chance to act as partners and advisors in risk management and to generate additional revenue streams by offering pre-loss and post-loss cybersecurity services.
Beyond Insurance: Proactive and reactive cybersecurity measures
Pre-loss services could be offered as part of the cyber insurance policy. These may include phishing training for employees, sandboxing exercises in which participants must identify ransomware, incident response planning, risk assessments that identify potential vulnerabilities and threats, and more. Partnerships with third parties such as credit rating companies could also be a good option (e.g. S&P Global providing risk assessment tools).
Additionally, post-breach responses for cyber risk insurance aim to help companies recover from a cyber attack and minimize the damage caused. Insurance companies may provide forensic experts to investigate the cause of the breach and determine the extent of the damage. They may also provide guidance and support for legal and regulatory compliance.
Insurance companies could also offer crisis management support to help companies manage the immediate and long-term effects of a breach, such as reputational damage, as well as credit monitoring and identity theft protection services for affected individuals. They may further assist with restoring systems, data and operations after a cyber attack, and provide coverage for the financial losses and liabilities the company incurs as a result of the breach.
It is important to note that cyber insurance is not a substitute for good cybersecurity practices. It is essential to have a comprehensive approach that combines insurance coverage with concrete risk management and cybersecurity best practices.
Jonas Willems, Project Consultant - Financial Institutions
Light at the end of the cyber insurance tunnel
However, it’s not all bad news. Recent headlines have shown that both the corporate and the (re)insurance markets have been responsive and have started looking for innovative solutions to increase capacity and appetite with regard to cyber risk:
- A handful of leading European multinationals have joined forces to create a new mutual insurance company, MIRIS. Its founding members include BASF, Airbus, Michelin and Solvay. MIRIS will allocate up to 25 million euros in capacity to each member during the first two years of its existence.
- Insurer Beazley launched the first catastrophe (CAT) bond for cyber threats. The $45mn private bond will pay out to Beazley if total claims from a cyber attack on its clients exceed $300mn. CAT bonds are a type of insurance-linked security (ILS): a bond linked to pre-specified insurance-related risks, in this case triggered when a certain excess limit is reached. Investors receive a monthly bond pay-out, but the (re)insurer gets to use the funds if a catastrophic event occurs. (Re)insurers use this mechanism to transfer a portion of their risk to the financial markets.
- The third largest reinsurer worldwide, Hannover Re, recently partnered with Stone Ridge on a proportional reinsurance solution to transfer its cyber risk.
The extra capacity is welcome, especially for companies that are putting in the effort to map their cyber risks and to put mitigating measures in place, as it should increase the risk appetite of (re)insurers and result in easier renewals.
How to prepare yourself?
As previously mentioned, cyber insurance is not a substitute for good cybersecurity practices. It is essential to have a comprehensive approach that combines insurance coverage with concrete risk management and cybersecurity best practices. Incident response planning is likely to provide the best protection against cyber incidents:
Have a solid Business Continuity Plan for cybersecurity:
- Identify critical assets and functions.
- Encrypt sensitive data in transit and in storage to protect it in case of theft.
- Test your plan and response to ensure plan effectiveness.
- Train other business stakeholders in their responsibilities during a cyberattack.
Train employees on cybersecurity best practices
Don't limit the risk mapping to your own organization. It is equally important to assess the entire supply chain and to note which cyber risks the third parties you work with (e.g. customers and suppliers) face.
Sources
- How bank CROs are responding to volatility and shifting risk profiles | EY - Global
- The Global Risks Report 2023 | Zurich Insurance
- Cost of a data breach | IBM Security
- In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year | Forbes
- S&P Global Ratings
- Days to identify and contain a data breach
- Cyber attacks set to become ‘uninsurable’, says Zurich chief | Financial Times (ft.com)
- Cyber Risk Assessment from S&P Global Ratings | S&P Global Ratings (spglobal.com)
- Miris insurance - Mutual Insurance and Reinsurance for Information Systems (miris-insurance.com)
- Insurer Beazley launches first catastrophe bond for cyber threats | Financial Times (ft.com)
- Hannover Re partners with Stone Ridge in first cyber risks transfer to the capital markets through proportional reinsurance | Hannover Re (hannover-re.com)