Young woman with a red umbrella on the background of the sea showing cyber insurance and risk quantification

Cyber Insurance Is a Perfect Storm: Risk Quantification Can Rescue It

As people, businesses and government rely more on digital connectivity, cybersecurity is becoming mission critical for all organizations and individuals to function seamlessly. However, the only secure financial recourse to recover business losses after cyberattacks is through cyber insurance. Unsurprisingly, cyber insurance is fast becoming one of the basic risk management parameters needed in every business plan. Cyber insurance is growing exponentially as the number of global cyber threat events and data breaches increase. In fact, the cyber insurance market is projected to continue to grow from $7.8 billion in 2020 to $20.4 billion by 2025, with an annual growth rate of 21.2 percent.

The dynamic nature of digital risk has made risk management difficult. As a result, businesses transfer a large portion of their cyber risks to third party organizations without an objective method to evaluate their financial exposure and residual risk. Likewise, cyber insurers have struggled to assess and quantify the risk they are underwriting. This leads to a snowball effect of rising premium costs and deductibles, reduced coverage, and unsustainable direct loss ratios.

The only way the cyber insurance industry will be able to support the market’s growing demand is through trust and transparency built upon quantifying digital risk through sound data science principles.

What is happening in the insurance sector today?

Today, cybercriminals run franchises to conduct reconnaissance of their target organization and ensure their demands are covered by cyber insurance. To reduce losses, the average price for cyber policies has increased by 5 percent from 2019 to 2020, with many market participants recognizing premium increases above 100-200 percent post-2020. This is a result of an increase in the direct loss ratio for stand-alone cyber coverage from 47 percent in 2019 to 73 percent in 2020, which has been the highest level of coverage recorded since cyber data has been included in financial reporting. Aon PLC reports that even this hike will not cover the losses faced by the cyber insurance industry.

To cut losses, insurers are becoming more astute while underwriting. In 2021, seven prominent cyber insurers teamed up to pool their expertise to improve industry-wide cyber risk mitigation efforts. Akin to policy deductibles for home insurance, cyber insurance is incentivizing the adoption of proactive risk management strategies. There are instances of risk mitigation cost benefits to businesses that proactively mitigate vulnerabilities. Insurers are also specifically outlining security strategies an organization should have to minimize the risk of a cyber event and the cost to mitigate a cyber event.

The only challenge across all variables is the lack of a standardized metric to measure cyber risks for the business and insurance carrier. Each insurance carrier words their cyber policy differently with their unique approach for determining the premium. How can businesses accurately transfer their risks via cyber insurance given the everchanging cyber and threat landscape?

What is an ideal cybersecurity strategy for businesses?

All too frequently, cybersecurity tactics are a combination of reactive and point-in-time initiatives. When businesses hear about their peers being breached, they purchase new security services, increase investments in existing cyber insurance and expand coverage. While it is critical to adapt in the face of emerging threat, this approach keeps businesses one step behind — planning for cyber coverage and improved security to fix or mitigate past issues rather than preparing for cyber risks of the future. Organizations cannot drive forward while only looking at the rearview mirror.

Instead, organizations need to understand their enterprise-wide cybersecurity risk posture to maintain data-driven control. Enterprise cyber risk can provide insight into real-time threats, vulnerabilities, and business consequences. This is possible only by continuously mapping risks across people, processes, technology, and third parties against globally accepted frameworks and CVS/CVE standards. Business leaders and security teams need to deploy data backed cyber risk quantification platforms to measure, manage, and mitigate risk.

Similarly, insurers need to calculate the residual risk of businesses before underwriting. A quantified and proactive stance in cybersecurity gives them an upper hand while purchasing cyber insurance (What is the correct premium? What risks need to be insured versus mitigated? Who are the riskiest employees or vendors? What is the risk posture of their technology stack in a hybrid or cloud business model?)

How can security and risk management leaders build a business case for cyber insurance?

This is the decade when AI, cybersecurity, and cyber insurance will come together to provide end-to-end predictive security for businesses. Cyber risk quantification platforms can ingest the data produced across a business’ cyber-ecosystem, analyze data, and enable businesses to manage and mitigate alerts according to their pre-defined cyber risk appetite and tolerance. For instance, a business with a large IT budget may choose to invest in cyber insurance and transfer its residual risk rather than just patch vulnerabilities as they are detected.

From a cybersecurity standpoint, today’s mature business has numerous levels of defense, with the CEO, Board, and stakeholders as the risk owners. The CTO and CIO manage cybersecurity risks, whereas the CISO and CSO enable executives to own and manage risk. Cyber insurance is another investment, and the CISO has the burden of risk explanation to the different lines of defense.

The most significant challenge for most business owners isn’t how much money is spent on security; it’s the lack of visibility into how efficiently it’s spent. The ROI on cybersecurity activities must be translated into a language that the Board understands and can visualize. Suppose a CISO and a board member are in an elevator together. In that case, the CISO should explain the organization’s current cyber risk posture in that elevator ride alone, rather than with an hour-long presentation that leaves everyone feeling somewhat secure but not entirely confident, even when they have cyber insurance.

The common language everyone – internal stakeholders such as the CEO and Board, and external stakeholders including cyber insurers — understands is the financial impact a data breach can have on an organization. Instead of proving how a cybersecurity initiative helps reduce cyber risk, a CISO can use cyber risk quantification to explain how much of the dollar value risk is reduced. At the same time, an insurer will be well-informed of the risk they are undertaking, including the effect appropriate cybersecurity strategies will have on the financial impact of a data breach.

How will risk quantification help rescue organizations from the cyber insurance perfect storm?

Cyber insurance will not sustain the phenomenal rise in the cost of securing businesses against cybercrimes without truly understanding the risk they are undertaking. Businesses will be unable to stay within their cyber insurance budgets if they do not know their cybersecurity status in real time. Cyber risk quantification can standardize solutions for this challenge and rescue businesses from this perfect storm.