Cyber Insurers on the Prospects for Attainable Coverage [Government Technology]
Jun. 16—Cyber insurance has become increasingly difficult — and pricey — for public- and private-sector organizations to obtain. Insurers have been requiring would-be customers to answer lengthy questionnaires, with no guarantee of coverage once they finish, and more expensive plans.
Insurance broker and risk manage services firm Marsh reports that the price of cyber insurance in the U.S. grew an average of 96 percent year over year during Q3 2021. Kirsten Bay, CEO of cyber insurance provider Cysurance, said during an RSA panel last week that coverage "is never going to be quote-unquote 'cheap' ever again."
But there may be ways to make coverage more attainable, and Bay and other panelists dove into the challenges and possibilities that lie ahead.
PROVING GOOD CYBER PRACTICES?
Insurance companies are confronting the fact that cyber threats evolve rapidly, and that the elements of a strong cybersecurity posture are likely to keep changing, said Kyle Bryant, international chief underwriting officer for cyber insurance and cybersecurity solutions provider Resilience. That's made it challenging for insurers to fully understand the long-term risk involved in covering a client.
"These are all things that are happening in real time as the threats change themselves, and so a risk that looks great right now may not be what looks great tomorrow," Bryant said.
Nick Schneider, president and CEO of cybersecurity company Arctic Wolf, said insurance firms that are looking to better understand risks are asking applicants to answer a ballooning number of questions.
"We had a few customers at a recent kickoff here that were giving us some anecdotes ... and where their original policy was five question and policy, the renewal is 300 question and maybe policy," Schneider said.
Questionnaires may not be the only way for insurance carriers to get information, however. Bryant said the cyber insurance landscape could evolve to see applicants start sharing data with insurance to demonstrate that they're keeping up with good cyber hygiene practices. He likened this to auto insurance policyholders who allow their driving to be monitored to get lower rates for safe driving practices.
"We have the ability to monitor employees to understand how fast companies patch their business, how fast they update their systems, that information is available, but at the moment it is, in essence, sitting in a lot of cybersecurity silos, a lot of MSPs [managed service providers] and a lot of other technologies," Bryant said.
Bryant and Schneider both suggested as well that insurance firms partner with cybersecurity firms that can help them better understand cyber risks.
WHAT INSURANCE FIRMS LOOK FOR
Panelists underscored that they want clients to treat cyber insurance as a backup support to turn to when recovering from cyber attacks — rather than making it their entire defense and resilience plan.
"If you have homeowners' insurance, you just don't forget about alarms," Schneider said.
Insurance companies are looking to see that would-be customers follow certain best practices that will reduce their risk exposure. Those practices may vary, but Bay said most insurers will reject clients who lack multifactor authentication or fail to patch.
Some insurance companies are discussing striking a balance and offering certain levels of cyber coverage on the condition that clients maintain good cyber hygiene practices, Bay said. Clients that fail to keep up good behaviors would see their insurance pay out less on covered claims.
"There are now new policy forums coming out that are talking about these things like, if you haven't patched within 45 days, you start having degradation of your limits," Bay said. "They're trying to put skin in the game."
IS EVERYONE INSURABLE?
Bay also said insurance firms should rethink options for how they offer cyber insurance.
"I am a big believer that we need to sort of separate traditional cyber liability to the point where it can almost become a catastrophic loss policy and then we can have lower limits, more flexible but standardized programs," Bay said.
In the homeowners' space, catastrophe insurance plans protect business and resident policyholders in case of rare-but-costly incidents typically not included in standard homeowners' insurance, per Investopedia. These might include natural disasters and terrorist attacks.
MSPs often face daunting prospects for getting covered, but insurance firms may be more willing to cover them for catastrophes only, Bay said.
"[MSPs] are almost uninsurable at this point because of supply chain risk," Bay said. "Many of these organizations are doing the right things already, but that makes them still a very high risk."
GovTech previously reported that attacks that compromise MSP's services can quickly spread through their client bases: The ransomware attack on IT software provider Kaseya affected an estimated 2,000 public- and private-sector clients worldwide, for example.
Bay suggested insurance companies might find it more palatable to treat MSPs as a high-risk group that only qualifies to receive catastrophe insurance and "not more lower-tier, less-expensive or lower-deductible insurance."