Businesses and their boards are increasingly doubting the validity of cyber insurance and for good reason. The cyber insurance marketplace has become increasingly confusing, exclusionary, and expensive.
The first cyber insurance policy was written in 1997 by AIG but it didn’t become a mainstream must-have until the late-2010s with the market growing by 155% between 2017 and 2021. Indeed, experts assess that the current $11.9 billion cyber insurance market will grow to $33.3 billion by 2027. Alongside this growth have come a number of major events that have shaken up the market and led to the labyrinth-like landscape we have today.
One of the major events that was a part of last year’s shift is a court ruling over an insurance dispute following the massive 2017 NotPetya cyberattack. NotPetya was a Russian supply chain attack on a small accounting firm in Kyiv, Ukraine, that spread across the globe, eventually costing over $10 billion. A company impacted by the attack, Merck, was locked in a legal battle with its insurance company until last year when the court sided with Merck in its $1.4 billion claim.
This and similar issues caused by NotPetya and the widespread ransomware attack WannaCry (also in 2017) changed the way that insurers engaged with the market. Since then, exclusions and workarounds for the insurance companies have been introduced to alleviate some of the risk posed by massive, global-scale cyberattacks.
Recently, British insurance giant Lloyd’s of London’s expanded definition of the typical “war exclusion” went into effect, shielding Lloyd’s from any liability for “state-backed cyberattacks.” This move seems like a natural extension of the war exclusions built into nearly every insurance policy (cyber and otherwise), but because attribution is a highly commercialized and incredibly complicated process (unlike in the physical world), this change introduces a slew of uncertainty over what is and is not covered by a policy. Often, decisions on attribution are made unilaterally by the insurance companies, which claim that it could be “reasonably” assumed that the attacker was a nation-state. This lack of clarity and transparency makes understanding a policy difficult and potentially impossible.
In addition, sublimits on ransomware events have been lowered, with even multi-million dollar cyber policies carrying ransomware sublimits as low as $25,000. According to a recent study by IBM, the average cost of a ransomware event to a company is $4.62 million, not including the actual ransom payment, which is just shy of $1 million according to Palo Alto Networks, though the highest ransom payment reported to date was paid by JBS Foods in 2021 at a whopping $11 million. This massive discrepancy between sublimit and actual cost could leave businesses in ruin following an attack even when they do have cyber insurance.
Aside from the confusing nature of what is or is not covered in a policy, the cost of cyber insurance provides another reason to consider its worth. The year-over-year increase in premium costs in the cyber insurance market from 2020 to 2021 was 94.7%, a trend that continued into 2023 with an additional 50% increase in cost to businesses.
With this as the backdrop for business decision making, it is no wonder that many companies are considering moving toward self-insuring and investing in security solutions instead. For the Googles and Metas of the world, this is an option, but what do smaller companies do in the face of a complicated market and growing threat landscape?
The insurance market has felt this shift in attitudes about cyber insurance and, in an effort to both retain customers and protect itself from undue risk, has begun exploring different ways of doing business. Insurers are moving away from stock questionnaires as the sole determinant of whether a company is insurable and toward relying on security professionals (internal or external) to determine a candidate’s security posture.
Some “active insurance companies” base their actuarial model on internal security assessments. These insurers work with clients to understand their threat environment and security stature and to reduce their risk in a number of ways, including insurance. One cyber insurance company is taking this proactive method in a different direction with its new partnership with an IT security management provider. Under this partnership, companies using the security company’s platform will be fast-tracked for approval and receive discounts on premiums. Practitioners within the field believe this trend of “leaving the security assessments to the security professionals” will continue.
Options like this will help insurers save money and reduce their exposure by ensuring their customers have a baseline of security products and policies. In turn, this will help to stabilize the market and clean up the low-hanging fruit that is so often exploited by criminal groups.
In addition to moves being made by private sector insurers, both the White House and the Department of the Treasury are exploring a federal cyber insurance backstop, primarily to help small- to medium-sized businesses. While sources close to the matter do not believe this idea will go anywhere any time soon for a variety of reasons, largely logistical, federal attention and pressure on the matter is likely to have an impact on private sector insurance companies. However, as with most things in the policy world, a window of opportunity may be opened by the next Colonial Pipeline or JBS Foods-level emergency.
In all, the current upheaval of the cyber insurance market is likely a sign of growing pains in a nascent line of business. Premium hikes continue but are slowing, insurance companies are better understanding the world of cybersecurity, and the power of the federal government is applying pressure to the situation. Things are looking up.
As it continues to settle, companies should focus on building up their programs on the front end and ensure their organizations are resilient to attack while working with their insurance companies to create a policy that works for them. Once insurance brokers and providers are engaged, there will need to be a significant undertaking in completing information requests. In many cases this has an unexpectedly high level of effort similar to an audit. Cybersecurity leaders consistently struggle to accurately respond in time. Once the information is provided, there could be only weeks left to address gaps.
The good news is Consortium Networks knows what these information requests entail and how to prepare programs ahead of the ‘whirlwind.’ Companies can use tools like Metrics that Matter® and an advisory engagement to prepare. Metrics that Matter® is built to assess NIST Cybersecurity Framework functions from people, process and technology perspectives, which cyber insurance providers will seek. Contact us to learn more.