Can't take screenshot due to copyright policy.

Insurers: Winning the cyber insurance tug of war

Blog Nov 29, 2022

The State of The Cyber Market

With the ever-growing number of data breaches and cyberattacks, such as the latest Medibank incident, cybersecurity awareness has risen like never before.

In fact, McKinsey believes that at the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025—a whopping 300 percent increase from 2015 levels. Reports like this have led C-suites around the world to move cybersecurity to the top of their boardroom agenda.

But unfortunately, this improved awareness hasn’t really translated into risk management through insurance.

According to a recent Munich Re survey, while companies that purchased cyber insurance increased by 21% from last year, many respondents still had no experience with cybersecurity solutions and insurance protection against digital threats and potential cyber incidents.

A major deciding factor that has resulted in this low cyber insurance uptake is cost. Up to 29% of the global C-suite feel that insurance premiums are now too high.

Some of the other reasons include lack of awareness (25%), poor understanding of the product (22%), and insufficient coverage or services perceived (18%).

Insurers having a hard time catching up!

Insurers have long been used to selling a product and then sitting back until the next renewal cycle. But as cybersecurity expert Nynke Brouwer explains, cyber insurance is a moving target that requires constant alertness, strict delineation, and paradoxically, a high degree of flexibility.

Currently, the insurance industry is yet to fully understand what cyber risk looks like and how to price it. Increasing severity and sophistication of cyber-attacks, insufficient historical data, as well as the rise of state-sponsored attacks, etc., only add to the complexity of quantifying and pricing these risks.

Considering these challenges, some insurers have altogether stopped providing cover against cyber threats. The ones that do offer protection have taken deliberate steps to defend against the increasing loss ratios with higher rates, coverage limitations, capacity constriction, and greater underwriting scrutiny, state reports.

However, these passive changes won’t solve today’s cyber insurance market challenges.

Moving forward: What steps can insurers take?

The insurance industry has an opportunity to prove its strength by filling in gaps left by the changing risk landscape and growing demand, especially when insurance plays a key role, providing not only risk transfer but incentivizing cyber risk mitigation.

So, here are three steps insurers can take to better address cyber risks, increase insurability, and improve resilience:

1. Focus on collaboration – You need an entire village to manage cyber risks.

Cyber insurers need to work together with governments, enterprises, regulators, law enforcement agents, and other key stakeholders to develop a shared understanding of cyber risks, determine the best course of action for minimizing risks, and devise technology-based solutions.

For instance, as Swiss Re points out, a public-private partnership (PPP) insurance scheme can be designed where the coverage of systemic risks is split between insurers and government(s)-backed funds in case of a breach.

2. Take a preventive approach – Prevention is always better than cure.

While firefighting has always been the norm in the insurance industry, it’s not a sustainable approach to managing cyber risks. The losses incurred from an attack and the ensuing business interruption at the time of incident response are alone enough to send claim costs soaring.

Preventing a cyberattack in the first place is the best way to keep costs down. But it’s not easy.

Insurers will need to leverage their risk management expertise to advise policyholders on handling cyber security vulnerabilities. They would also need to enforce good cyber hygiene with practices like MFA, EDR, etc., and improve underwriting scrutiny to catch these exposures early on.

Likewise, periodic pen tests, frequent cybersecurity assessments, as well as effective employee training can help insurers mitigate cyber risks.

This is where our cybersecurity solution, the all-in-one cybersecurity assessment platform – Cymetrics, brings value to insurers with its on-demand Exposure Assessment as a Service that can help organizations identify their vulnerabilities and exposures in 15 minutes.

For more in-depth assessments, Cymetrics also provides Vulnerability Assessment as a Service and Penetration Test as a Service. Click here to know more!

A detailed audit of an organization’s systems, security procedures, and risk factors further allows insurers to gain a deeper understanding of its cyber requirements and enables them to tailor a cover based on its exposure at an optimal cost.

3) Leverage the right data, processes, and talents – Ensure that cyber risks are properly identified and dealt with through a company-wide effort.

According to PwC, while 85% of insurers claim to have a loss estimation methodology in place, the majority use simplistic exposure and factor-based methods, which have been shown to underestimate the risk. It draws parallels between cyber threats and catastrophes, hinting that a successful cyber risk model will bring stakeholders together and use extreme scenarios to test the interconnectedness of exposures, as well as seek to understand how policies that are silent to cyber might respond.

But, at the same time, insurers also cannot undermine the importance of finding new sources of data, establishing a standardized cyber-policy taxonomy, and having a dedicated team of cybersecurity consultants and underwriters to evaluate risks efficiently.

A holistic approach aimed at targeting cyber risks from all angles while fostering a culture of cybersecurity—one that emphasizes education and awareness as much as it promotes the responsible use of technology, is therefore indispensable in the present-day cyber climate.