The past decade has seen cybersecurity barge its way into the mainstream. A meteoric rise in attack rates during COVID-19, major incidents such as the Colonial Pipeline attack, and an increasingly tense geopolitical landscape have all contributed to cybersecurity’s current position at the top of global news feeds.
As cybercrime infects every facet of our daily lives, and technological advancements do little to stop the spread, many security professionals are turning to traditional solutions for a very modern problem.
Enter cyber insurance.
We insure almost everything – our homes, our cars, even our lives. At first glance, it seems odd that most businesses don’t insure against something as potentially devastating as cybercrime. Recent research from Hiscox even found that a fifth of businesses across the US and Europe faced insolvency as a direct result of a cyber attack. Insurance would surely ease anxieties surrounding business continuity in the wake of an incident – wouldn’t it?
Unfortunately, transferring traditional insurance models to the cyber-sphere isn’t an easy task. The factors determining the likelihood of a cyberattack are both innumerable and largely unsubstantiated, especially when compared to the decades-old metrics that determine premiums for insuring a house, a car, or a life. As a result, it’s difficult to gauge how at risk an organisation is.
Cybersecurity professionals remain divided as to the future of cyber insurance. Many see it as an essential fail-safe for small businesses; many more see its obstacles as insurmountable. Whatever your view, it is undeniable that the industry has some issues that need to be addressed.
The story so far
At the turn of the millennium, Lloyd’s of London wrote the first modern cyber insurance policy. It didn’t take off. A conservative estimate from 2002 predicted that by 2005, cyber insurance would boast a global market worth $2.5 billion. This estimate turned out to be five times larger than the market in 2008. Astoundingly, the cyber insurance market shrank relative to the Internet economy.
While its disappointing early days seem to be behind it – the market was valued at US$7.36 billion in 2020, expected to rise to US$27.83 billion by 2026 – cyber insurance still struggles to find its place in an increasingly crowded cybersphere. As of 2020, only 13% of SMEs had purchased cyber insurance. Worse still, research from GlobalData found that 29% of UK SMEs cancelled their policy in 2021.
Among security professionals, cyberattacks are no longer viewed as a risk, but as an inevitability. With this in mind, the persistently underwhelming statistics regarding cyber insurance adoption make little sense. What is it, exactly, that is standing in the way of the industry’s success?
Perhaps the most pressing issue in the cyber insurance industry is cost. Premiums have skyrocketed, with direct-written premiums collected by the largest US insurance carriers in 2021 growing by 92% year-on-year. For an industry that targets smaller businesses, with smaller budgets, soaring premiums are a real barrier to success.
The fact is, premiums are as high as they are because attacks are so common. We’ve established that cyber attacks are an inevitability, meaning that insuring against them is largely unsustainable unless premiums are sky-high. This, in turn, limits uptake.
Further problems arise when we assume that cyber insurance is comparable to traditional insurance lines. Conventional forms of insurance, such as home or property, have vast archives of data to draw from, and decades of experience that have helped develop an effective, sustainable business model. Cyber insurance, an industry in its infancy, does not have anywhere near this level of insight.
Think of the factors that determine the cost of home insurance: the crime rate of an area, the quality of security measures, the value of the property, and so on. These are all relatively easy to quantify, and largely static. This doesn’t ring true for cyber insurance. The questionnaires determining cost gain little real insight into a business’s security posture. This is especially true with small businesses, as in-depth security reviews aren’t cost-effective for providers. Insurance professionals recognise this, with one even stating: “Obviously we ask lots of questions and we come up with an underwriting rationale, but I think if we’re absolutely honest with ourselves, we only scratch the surface as to that technical assessment.”
Insufficient standardisation contributes to the difficulties with calculating cyber insurance premiums. Minimum security measures and best practices are largely undefined, and vary between providers. Not only does this make risk factors harder to quantify, and premiums harder to calculate, it encourages customers to choose policies with the least stringent requirements. If this continues, it’s not much of a stretch to view cyber insurance as detrimental to the cybersecurity landscape at large.
However, for all of its woes, cyber insurance is far from a damp squib. The industry is still very young, and there’s a lot of time for its kinks to be worked out.
Cyber insurance has the potential to revolutionise the cybersecurity landscape. Not only could it save SMEs from bankruptcy, but it could even bolster the security posture of the wider economy.
As we have established, insufficient standardisation acts as an obstacle to the success of cyber insurance. However, if addressed, standardisation could be the industry’s greatest asset. Providers should come to a consensus on best practices and minimum security measures as part of risk assessments. This provides insurers a baseline from which they can measure risk factors, and businesses some basic steps they can take to improve their security posture.
Cultivating a collaborative culture remediates many of the problems cyber insurance faces. Data sharing is essential for closing the knowledge gap between cyber and traditional forms of insurance. Through data sharing, insurance providers are able to expand their repository of threat intelligence, incident, and claims data to build a sturdier foundation for underwriting and modelling cyber risk.
Free, pre-policy vulnerability assessments would provide insurers with an unprecedented level of insight into an organisation’s security posture, remediating the shallow view that underwriting questionnaires offer. From the consumer side, a free vulnerability assessment adds more value to insurance policies and provides actionable information as to how an organisation can bring down the cost of insurance – thus encouraging uptake.
Despite its problems, cyber insurance seems to be here to stay. It’s important to remember that the industry is in its infancy, especially when compared to traditional insurance lines – with the right approach, it’s not unfeasible that cyber insurance could make a major impact on the cyber-landscape.
Watch this space.
Alan Radford is Global Identity and Access Management Strategist at One Identity