There is a major flaw in the way insurance carriers underwrite and administer cyber insurance policies. Insurance carriers require policyholders to self-disclose details on their computing infrastructure and systems, usually by completing a detailed questionnaire. They also require companies to follow a set of cybersecurity practices; in most cases this means a nine-point cybersecurity plan.
The flaw is not in the information requested from policyholders, or in the cybersecurity plan, but in the limitations of self-attestation by policyholders. Self-attestation is the ability for an individual or corporation to vouch for the authenticity of a document without a third party. The individuals providing information are not deliberately misleading insurance companies. They are providing accurate information, to the best of their ability, at the time of the disclosure. However, that information may have changed by the time they submit the disclosure. The issue with this practice is neither party can truly vouch for the status of the company’s dynamic IT infrastructure and cybersecurity practices.
Cyber insurance underwriting
Cyber insurance carriers rely on two main sources of information for underwriting.
First, they require companies to submit a risk-assessment questionnaire. The questionnaire can be as long as 50 pages. Even at that length, questionnaires often fail to capture the true state of cybersecurity across the organization’s computing infrastructure. At best, the questionnaires are tedious and difficult to fill out. In most cases, the individuals filling out the questionnaires simply don’t have a complete view of what is happening on their network. For example, an organization may assert that it has two-factor authentication (2FA) enabled, but it may not be enabled for all applications. Additionally, networks are dynamic; a new application may be added later without 2FA enabled. The result is insurance policies written without a clear view of risk, leading to unexpected claims.
Second, they mandate companies follow a nine-point cybersecurity plan. This plan ensures basic cybersecurity policies and practices are being followed to minimize the risk of a cyber-attack.
These requirements are designed to minimize exposure for cyber insurance companies by providing higher levels of security for organizations purchasing cyber insurance. Despite the intent of the requirements, they are not working.
According to a report from BlackBerry, over 20% of cyber insurance claims did not receive a payout, or received only a partial payout. Furthermore, rates of cyberattacks, and the impact of those attacks, are on the rise despite organizations following these cyber protection programs. In 2022, 490 million ransomware attacks were detected by organizations worldwide, and the average data breach cost was over $4 million.
Limitations of manual self-attestation
Both the questionnaire and the cybersecurity mandates make sense on paper but fail in practice.
The main problem is reliance on self-attestation by policyholders. It’s not that companies are intentionally deceitful when filling out questionnaires or committing to following cybersecurity mandates set by insurance companies.
IT environments are simply too complex and too dynamic for self-attestation, based on manual processes, to ever work. IT environments are rapidly changing. New devices, users, and applications are constantly added. Devices may be moved. Systems are upgraded and configurations change. Any of these changes could introduce vulnerabilities or result in a company no longer being compliant with mandates.
Additionally, cyber threats are constantly changing. Bad actors are continually developing new tactics, techniques, and exploits. At the same time, companies’ computing infrastructure is continuously evolving, and each change brings the potential for new risks.
This is also a challenge for insurance carriers. Risk profiles for traditional lines of insurance, such as health, auto, or property and casualty, are relatively static. Furthermore, insurance companies have large collections of actuarial data and are able to reliably predict risk based on fairly static conditions. Without accurate data, insurance companies are taking other measures to minimize exposure. They are increasing premiums, adding exclusions to policies, and lowering coverage limits.
According to the BlackBerry report, 37% of cyber insurance policies do not include ransomware coverage. For those with ransomware coverage, only 19% of policies had limits over $600,000, the median ransomware demand in 2021. That leaves over 80% of policyholders with limits on ransomware claims that are lower than the median ransomware demand.
Automation with continuous monitoring is the solution to cyber insurance risk management. An effective solution requires continuous monitoring of a company’s computing infrastructure to create a dynamic model of cyber-risks.
An automated monitoring solution enables a dynamic cyber-risk model that can be shared between the policyholder and insurance company. This would enable underwriting based on current and complete information, removing guesswork from the process. It would also ensure companies maintain compliance with their cybersecurity plan, ensuring they implement relevant security measures, and regularly update security strategies to address evolving and emerging threats.
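The gap the article describes is between a control claimed on a signed questionnaire and the control state actually observed on the network later. The following is an added illustration, not code from the article: it re-checks one self-attested control (the "2FA everywhere" claim from the example above) against a constructed inventory snapshot and labels each gap as either inaccurate at signing or drift introduced afterwards. Asset names, dates, and the data classes are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# All names and dates below are constructed sample data, not from any real policy.

@dataclass(frozen=True)
class Asset:
    name: str
    added: date           # when the application appeared on the network
    mfa_enabled: bool     # observed control state, not the claimed one

@dataclass(frozen=True)
class Attestation:
    attested_on: date     # date the questionnaire was signed
    mfa_everywhere: bool  # the policyholder's claim on that date

def evaluate_mfa_claim(att: Attestation, inventory: list[Asset]) -> dict:
    """Re-check one self-attested control against a current inventory snapshot.

    Each asset lacking MFA is labelled 'inaccurate' if it already existed when
    the questionnaire was signed (the claim was wrong then), or 'drift' if it was
    added afterwards (the claim was true at signing but no longer holds).
    """
    gaps = {}
    for asset in inventory:
        if asset.mfa_enabled:
            continue
        gaps[asset.name] = "drift" if asset.added > att.attested_on else "inaccurate"
    covered = sum(a.mfa_enabled for a in inventory)
    return {
        "claim_holds": att.mfa_everywhere and not gaps,
        "coverage": covered / len(inventory) if inventory else 1.0,
        "gaps": gaps,
        "added_since_attestation": sorted(
            a.name for a in inventory if a.added > att.attested_on),
    }

# Constructed snapshot: two compliant apps, one pre-existing gap, one app added later.
SAMPLE_INVENTORY = [
    Asset("payroll", date(2023, 1, 10), True),
    Asset("crm", date(2023, 2, 1), True),
    Asset("legacy-ftp", date(2022, 11, 3), False),
    Asset("new-ticketing", date(2023, 6, 20), False),
]
SAMPLE_ATTESTATION = Attestation(date(2023, 4, 1), mfa_everywhere=True)

if __name__ == "__main__":
    print(evaluate_mfa_claim(SAMPLE_ATTESTATION, SAMPLE_INVENTORY))
```

Running the same check on every inventory refresh, rather than once at policy inception, is what turns a static questionnaire answer into the dynamic risk model the text calls for.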
Cyber insurance is a critical tool for companies to mitigate the ongoing risk of cyber-attacks. Lenders are beginning to require cyber insurance before providing loans. Corporate boards are utilizing cyber insurance as part of their overall risk mitigation strategy.
Despite the growing adoption of cyber insurance, policyholders are finding that it does not always meet their needs. Policyholders are seeking a policy with clearly defined coverages and exemptions at a reasonable rate. They expect to be covered in the event of a loss; however, they find this is not always the case.
As long as insurance carriers are using unreliable, self-reported data from policyholders, this problem will persist. The industry must transition to automated tools to ensure accurate data is collected for underwriting and to monitor implementation of cybersecurity procedures. Otherwise, cyber insurance will remain a guessing game and both policyholders and insurance carriers will suffer. Policyholders won’t have peace of mind knowing they have the protection they need. Insurance carriers will struggle to manage exposure, price policies effectively, and maintain a profitable portfolio.
Without continuous monitoring to accurately assess compliance with cyber insurance requirements, organizations remain at risk. Continuous monitoring through automated tools also gives cyber insurance carriers real data with which to track their exposure.