In today’s cyber security environment, organizations shopping for cyber insurance strive to get the best return on their investment. Companies want low-cost policies without accurately assessing their own risk. Insurers want low risk and to cover as little as possible. How did we get here, and where do we go from here?
Carriers’ loss ratio, the cost of claims paid relative to premiums collected, reached an average of 72% in 2020, up from 47% in 2019, based on regulator-supplied data. Insurers have responded by raising premiums by as much as 50% while making it more difficult to actually file a claim.
Higher costs combined with an increase in attacks (38%, according to Check Point Research) have made coverage so expensive that organizations are reportedly seriously considering going without insurance or self-insuring. Part of these organizations’ cost calculation is the effort required simply to buy a policy: filling out 400-question forms and spending considerable time gathering data is an unnecessary cost for many companies.
How can organizations lower cost and still decrease risk while simplifying the insurance-buying process? Some industry experts advocate for “increasing cyber resiliency”, but increased resiliency doesn’t necessarily make organizations more secure. Additionally, measuring cyber resiliency is imprecise and expensive to implement. A practical example of a successful insurance approach is auto insurance giant GEICO’s “Drive Easy” app. The app monitors a user’s driving performance and offers better rates to safer drivers. A similar concept could be applied in the cyber insurance industry.
That concept, continuous risk monitoring, more so than cyber resilience, zero trust, or any other approach, will square this circle for the simple reason that “life happens”. Imperfectly configured devices are added to the environment by people who, despite their best efforts, are naturally prone to mistakes. Adversaries are constantly increasing their attack frequency and adding new capabilities, which means a company’s best defense is to continuously measure, monitor, and quantify its cyber risk so that it knows how secure it is at all times.
In a world where cyber risk is continuously monitored, both parties, the company and the underwriter, understand the risks as they develop, and dealing with them quickly and efficiently becomes easier for companies to manage.
Still, this easier management is not expected to happen soon. Surprisingly, most companies I spoke with indicated that although they are in favor of continuous risk monitoring, they are reluctant to share their data with the underwriters.
Virtually all companies have some risk areas in their people, processes, or technology. In these circumstances “reality gets a vote”. Underwriters must accept that not all companies have flawless cyber environments. Imperfection should not be used against a company if it’s being measured, monitored, and evaluated holistically.
From the organizations’ perspective, “reality gets a vote” too, because if they want an insurer to accept potential risk, they must offer insurers an unvarnished view of their own operations. A company’s claim that it does vulnerability management well or that its patching cadence is good is only as credible as the company’s ability to measure it. If it is good, all the better: the organization should get a lower premium. If it isn’t, the organization should get the chance to fix it.
To square the circle, the best way to lower costs, lower risk, and make cyber insurance easier is to be transparent, which is the direction in which the industry appears to be heading. Underwriters are beginning to implement more technical assessments than subjective ones and some are seeking to add risk quantification.
For that to be effective, some kind of incentive on the premium cost will be needed. Perhaps instead of a 50% increase, the increase would be 10% for companies that allow continuous monitoring. Such an agreement must be worked out before continuous monitoring is adopted.
An interesting step that might actually get us closer to squaring the circle is to create a continuum that shows risk in context. For example, if a risk scan finds a vulnerable version of log4j, does that mean the organization is a high risk? A scanner only sees that the vulnerable component is present; it does not see whether the service is reachable by an attacker or what sits in front of it. Suppose the organization has compensating controls in place for that vulnerability: does that decrease the risk?
Ultimately and most importantly, organizations must quantify their cyber risk in financial terms so that they can better communicate and negotiate with the underwriters. Some are starting to step into the continuum by looking at compensating controls. Over time the industry will achieve this, but it will be a challenging journey unless there is a rapid change in the financial incentives to get there more quickly.
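The two ideas above, placing a scan finding in the context of its compensating controls and expressing the result in financial terms, can be shown together in a small model. The following is an added example, not code or a methodology from the original article or from any insurer; the likelihoods, dollar impacts, control names, and the per-control reduction factors are all constructed for illustration and are not calibrated figures.

```python
from dataclasses import dataclass, field

# Assumed reduction factors: each compensating control multiplies the
# annual likelihood of exploitation by this number. The names and values
# are illustrative only, not calibrated industry data.
CONTROL_FACTORS = {
    "not_internet_facing": 0.2,   # attacker needs a foothold first
    "waf_rule": 0.5,              # request-pattern filtering in front of the app
    "egress_filtered": 0.3,       # outbound connections from the host are blocked
    "patched": 0.05,              # residual risk for a fix believed to be applied
}


@dataclass
class Finding:
    asset: str
    issue: str
    base_likelihood: float            # annual probability of exploitation, scan-only view
    impact_usd: float                 # estimated loss if the asset is compromised
    compensating_controls: list[str] = field(default_factory=list)


def residual_likelihood(f: Finding) -> float:
    """Likelihood after applying every recognised compensating control.

    Unknown control names are ignored rather than credited, so a typo in
    an attestation cannot silently lower the score.
    """
    p = f.base_likelihood
    for control in f.compensating_controls:
        p *= CONTROL_FACTORS.get(control, 1.0)
    return p


def scan_only_ale(f: Finding) -> float:
    """Annualised loss expectancy as a context-free scanner would report it."""
    return f.base_likelihood * f.impact_usd


def contextual_ale(f: Finding) -> float:
    """Annualised loss expectancy once compensating controls are considered."""
    return residual_likelihood(f) * f.impact_usd


def portfolio_summary(findings: list[Finding]) -> dict:
    """Totals for the underwriter, plus findings ranked by residual loss."""
    ranked = sorted(findings, key=contextual_ale, reverse=True)
    return {
        "scan_only_total": sum(scan_only_ale(f) for f in findings),
        "contextual_total": sum(contextual_ale(f) for f in findings),
        "ranked": [(f.asset, round(contextual_ale(f), 2)) for f in ranked],
    }


# Constructed sample findings: the same log4j issue on two very different assets.
SAMPLE_FINDINGS = [
    Finding("public-web-app", "vulnerable log4j version", 0.6, 2_000_000,
            ["waf_rule", "egress_filtered"]),
    Finding("internal-batch-job", "vulnerable log4j version", 0.6, 500_000,
            ["not_internet_facing"]),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.asset}: scan-only ALE ${scan_only_ale(f):,.0f}, "
              f"contextual ALE ${contextual_ale(f):,.0f}")
    print(portfolio_summary(SAMPLE_FINDINGS))
```

The point of the model is the gap between the two totals: the scan-only view prices both assets as if a vulnerable library were the same thing as an exploitable one, whereas the contextual view gives credit for controls the organization can actually evidence. Whichever factors an insurer adopts, they should be agreed with the insured up front, because the incentive only works if both sides know how a control will move the premium.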