Insurers, clients look for right fit in cybersecurity coverage

Di-GenericCybersec_11172017
Employees read a ransomware demand for the payment of $300 worth of bitcoin on company computers infected by the 'Petya' software virus inside a retail store in Kiev, Ukraine, on June 28, 2017. Photographer: Vincent Mundy/Bloomberg
Vincent Mundy/Bloomberg

October is Cybersecurity Awareness Month, and as cyber threats to businesses keep increasing, the insurance and cybersecurity industries are working to keep up.

Less than half of 400 small business owners surveyed by Nationwide feel ready to prevent a cyberattack, and many of them greatly underestimate the time and costs needed to recover from such an attack. Nationwide's survey, conducted in July and August, also reached out to 401 mid-size business owners and 430 insurance agents. In addition, less than 30% of the small business owners surveyed said they had cybersecurity insurance.

Another recent survey, by Travelers, of 1,200 business decision makers, found that 57% think a cyber attack is inevitable. While 75% of respondents said cyber security insurance is critical, just 59% said their company had this coverage.

The CEO of Cowbell Cyber, a cybersecurity insurance solutions provider, has said he believes the market for cybersecurity insurance will reach $100 billion by the end of this decade. (Cowbell launched Adaptive Cyber Insurance and a specialty insurance company at Insurtech Connect on September 21).

Michelle Chia Zurich North America.jpg
Michelle Chia, head of the professional liability and cyber underwriting practice at Zurich North America

Michelle Chia, head of the professional liability and cyber underwriting practice at Zurich North America, agrees that cyber risk coverage "in general is an emerging space." Evolving technology is driving greater cyber threats, but in 2014 the U.S. National Institute of Standards and Technology (NIST) first set a cybersecurity framework as a basis for protecting against cyber risks. The framework was updated in 2017 and 2018, and sets out five steps or "pillars" for responding to cyber threats: identify, detect, protect, respond and recover. 

"These specific methods by which those pillars are followed have evolved over time," Chia says of the NIST framework. She began her current role in 2018, and joined Zurich in 2009 when it first entered the cyber insurance market. 

More companies are expressing interest in cyber insurance and more are actually buying coverage, according to Chia. As the demand is rising, "the supply is not necessarily growing as quickly," she says. Until insurers catch up in what they offer, "we are going to continue to see some specific challenges for the buyers of cyber insurance. It depends on the organization's ability to invest in ways to protect, mitigate and manage their cyber risk and cyber exposure," she adds. "Some organizations are just not in that same place, which means that they are particularly vulnerable if they are not necessarily at the same level of cyber resilience as peers in the marketplace."

The U.S. Bipartisan Infrastructure Law signed in November 2021 includes funding to defend against cyber attacks. Under the law, $1 billion in funding is about to be rolled out through the Department of Homeland Security's Cyber Security Advisor (CSA) to protect against cyber attacks. Public-private partnerships already addressed cyber attacks on municipalities and utilities. These partnerships could go further, according to Chia, stressing the importance of "Main Street USA."

"We started to see it with that CSA activity," she says. "The resilience piece is really critical if organizations are unable to access resources or don't have the wherewithal to be cyber resilient in the first place."

Still, there have been barriers to the insurance industry making more cyber security coverage available, according to Adam Gladsden, head of cyber solutions at Swiss Re, which offers Cyber Guardian, its own in-house cyber risk management engine. 

Adam-Gladsden-Swiss Re.JPG
Adam Gladsden, head of cyber solutions at Swiss Re

"In the face of a hard market and rising premiums, things seem to be slowly coming down. It looks like loss ratios are coming down a little bit from their peak in 2021 due to the lessening of ransomware claims," he says. "You're still seeing tight supply, tighter coverages and more requirements from the insurers to the policyholders."

Collaboration between the cybersecurity and insurance industries is improving, Gladsden says. "What you're not seeing a lot of though, is the translation or the mapping of security data to insurance underwriting to really get a better handle on it. There's a data gold rush right now to try and figure out how to use data effectively within cyber risk.

"It's trying to find the right data to solve very specific use cases," he adds. "There's still a struggle within that. There's really good opportunities for the insurance industry to embrace insurtech as partners but also to start bringing technology in house."

Meanwhile, insurers writing policies for cyber risk are requiring more information from policyholders, according to Gladsden. "Attestation has increased and it's not just providing the information that you have multi-factor authentication (MFA) or a backup and recovery plan, but asking for more requirements to show proof or evidence of that," he says. "The qualification elements have increased and they've made it more difficult."

In the Travelers survey, adoption of MFA as a defense is lagging, to begin with. About 52% of respondents said their firms used MFA for remote access. 

Smaller organizations without these resources may be falling into an "insurability gap," although Swiss Re is looking at ways carriers can better understand their exposure and price coverage more effectively, Gladsden adds.

The insurance industry should watch for external factors and intelligence about cyber threats, beyond vulnerability scans, which are "commoditized," he says. This would better inform carriers on the likelihood of cyber attacks, and also give AI systems a basis to further analyze that likelihood as well as the impact of a cyber exposure. 

Overall, policyholders or potential policyholders lack understanding of the damage cyber attacks can do, as statistics from Nationwide's research show. Of small business owners surveyed, 40% said it would take less than $1,000 to recover from a cyber attack, but Nationwide points out that its claims data shows recovery costs average $15,000 to $20,000. In addition, 60% of those small business owners said it takes less than three months to recover from a cyber attack, but actual average recovery time is about nine months.

For reprint and licensing requests for this article, click here.
Cyber security Customer experience Digital Transformation Data privacy Cyber attacks Cybersecurity and data privacy due diligence Ransomware Insurance
MORE FROM DIGITAL INSURANCE