Summary: Cyber insurance is becoming increasingly vital for organizations to enhance their cybersecurity posture, despite only a quarter of companies currently having a stand-alone policy. The evolving landscape of cyber threats, including AI-related risks, necessitates a reevaluation of coverage options and the procurement process for cyber insurance.
Threat Actor: Various | cyber criminals
Victim: Organizations | businesses and organizations
Key Point :
- Cyber insurance can improve an organization’s overall cyber posture through rigorous underwriting processes.
- Concerns over cost, coverage limits, and complexity deter many organizations from obtaining stand-alone cyber insurance policies.
- AI is reshaping the insurance landscape, prompting a need for new coverage types beyond traditional corporate networks.
- Cyber insurance procurement is becoming easier, with improved cyber hygiene across industries allowing even smaller enterprises to obtain coverage.
- Ransomware remains a significant challenge for cyber insurance, affecting policy costs and availability due to business disruption risks.
One of the most effective ways to improve cybersecurity throughout an organization is to purchase cyber insurance.
It won’t eliminate the possibility of a data breach, but because there are strict rules to gain approval during the underwriting purposes, an organization’s overall cyber posture automatically improves, according to research from Forrester.
Despite the positive impact from cyber insurance, the Forrester study found just one-quarter of companies have a stand-alone cyber insurance policy.
There are plenty of reasons why organizations continue to shy away from stand-alone cyber insurance. It could be that other insurance policies held by the company include some cyber coverage. But concerns around cost and coverage limits have also scared away potential buyers.
Adding to the coverage gaps is the complexity of gaining coverage, with separate coverage for first and third party policies.
“First party is an insurance policy that covers you for your loss. The third-party policy pays you to defend yourself against a third party and pays a third party if there is a judgment against you,” said Peter Hedberg, VP of cyber underwriting at Corvus Insurance, to an audience at the RSA Conference in San Francisco in May.
The first cyber policies provided predominantly third-party coverage focusing on covering online media and computer errors, but in the 2000s, the exposures evolved to include data breaches, explained Emma Werth, RVP Underwriting at Cowbell Cyber, in an email interview. The need for first-party coverages emerged with the increased exposure to viruses, ransomware, and cybercrime.
“Now, we’re seeing further evolution as we face the new exposure of AI,” said Werth.
New technologies shift coverage
AI is front and center in the race to recognize new technologies and connected devices at risk of cyberattacks. Organizations are trying to figure out how AI is being used and how to differentiate an attack caused directly by AI rather than as part of another attack or a rogue employee.
It is a global change for everything, and even insurance companies are struggling to figure out how policies will cover AI.
“AI is going to affect every type of insurance because it is going to affect risk,” said Violet Sullivan, AVP solutions team leader at Crum & Forster, during the RSAC panel.
But cyber insurance is shifting its coverage outside of the corporate network and into a more personal realm.
“We have cyber [insurance] for autos now to protect against data breaches if an auto’s information system is compromised,” said Monique Ferraro, Cyber Counsel with HSB, during the RSAC panel.
Personal insurance is also becoming more commonplace as more homes and businesses are using smart devices. Cryptocurrency insurance protects wallets and exchanges, and there is more attention for privacy protection.
The price of coverage
Cyber insurance procurement continues to be a lengthy process, but it is getting easier for companies to obtain.
“Overall, we are seeing stronger cyber hygiene across the industry,” said Werth.
Even small and medium-sized enterprises with fewer controls are able to obtain insurance since measures like multifactor authentication, password managers or passwordless technologies and data backups have become standard for most businesses.
It is also becoming more common for cyber insurance providers to partner with companies to help them strengthen their cyber posture during their policy lifecycle to become more cyber resilient.
Overall, prices of cyber insurance policies are either flat from year to year or decreasing. But there are exceptions to this.
“Industry classes that have experienced headline events, e.g. healthcare technology; hospital systems, continue to see pressure on premiums and deductibles,” said Ryan Griffin, partner and head of U.S. cyber at McGill and Partners, in an email interview.
Ransomware is going to continue to be a sticking point in cyber insurance coverage and expense. It was only a year or two ago that getting coverage for ransomware was nearly impossible; however, the current trend is that payments for ransoms have dropped.
The real problem is the costs of business disruption that comes with a ransomware attack, and that impacts costs and availability.
The right insurance policy should align with the organization’s security policy, just as it would be for any other security vendor agreement.
“Cyber insurance is one of the many tools in your toolbox. It’s one of the ways of mitigating risk,” said Sullivan.
Source: https://www.cybersecuritydive.com/news/cyber-insurance-coverage-evolution/721171