October is
Less than half of 400 small business owners
Another recent
The CEO of Cowbell Cyber, a cybersecurity insurance solutions provider, has said he believes
Michelle Chia, head of the professional liability and cyber underwriting practice at Zurich North America, agrees that cyber risk coverage "in general is an emerging space." Evolving technology is driving greater cyber threats, but in 2014 the U.S. National Institute of Standards and Technology (NIST) first set a cybersecurity framework as a basis for protecting against
"These specific methods by which those pillars are followed have evolved over time," Chia says of the NIST framework. She began her current role in 2018, and joined Zurich in 2009 when it first entered the cyber insurance market.
More companies are expressing interest in cyber insurance and more are actually buying coverage, according to Chia. As the
The U.S. Bipartisan Infrastructure Law signed in November 2021 includes funding to defend against cyber attacks. Under the law,
"We started to see it with that CSA activity," she says. "The resilience piece is really critical if organizations are unable to access resources or don't have the wherewithal to be cyber resilient in the first place."
Still, there have been barriers to the insurance industry making more cybersecurity coverage available, according to Adam Gladsden, head of cyber solutions at Swiss Re, which offers Cyber Guardian, its own in-house cyber risk management engine.
"In the face of a hard market and rising premiums, things seem to be slowly coming down. It looks like loss ratios are coming down a little bit from their peak in 2021 due to the lessening of ransomware claims," he says. "You're still seeing tight supply, tighter coverages and more requirements from the insurers to the policyholders."
Collaboration between the cybersecurity and insurance industries is improving, Gladsden says. "What you're not seeing a lot of, though, is the translation or the mapping of security data to insurance underwriting to really get a better handle on it. There's a data gold rush right now to try and figure out how to use data effectively within cyber risk.
"It's trying to find the right data to solve very specific use cases," he adds. "There's still a struggle within that. There's really good opportunities for the insurance industry to embrace insurtech as partners but also to start bringing technology in house."
Meanwhile, insurers writing policies for cyber risk are requiring more information from policyholders, according to Gladsden. "Attestation has increased and it's not just providing the information that you have multi-factor authentication (MFA) or a backup and recovery plan, but asking for more requirements to show proof or evidence of that," he says. "The qualification elements have increased and they've made it more difficult."
Adoption of MFA as a defense is lagging to begin with, the Travelers survey shows: about 52% of respondents said their firms used MFA for remote access.
Smaller organizations without these resources may be falling into an "insurability gap," although Swiss Re is looking at ways carriers can better understand their exposure and price coverage more effectively, Gladsden adds.
The insurance industry should watch for external factors and intelligence about cyber threats, beyond vulnerability scans, which are "commoditized," he says. This would better inform carriers on the likelihood of cyber attacks, and also give AI systems a basis to further analyze that likelihood as well as the impact of a cyber exposure.
Overall, policyholders or potential policyholders lack understanding of the damage cyber attacks can do, as statistics from Nationwide's research show. Of small business owners surveyed, 40% said it would take less than $1,000 to recover from a cyber attack, but Nationwide points out that its claims data shows recovery costs average $15,000 to $20,000. In addition, 60% of those small business owners said it takes less than three months to recover from a cyber attack, but actual average recovery time is about nine months.