Jamie Akhtar, CEO and co-founder of CyberSmart.
Cyberattacks are more common, costly and consequential than ever. VMware Carbon Black found that up to 99% of U.K. companies have suffered data breaches in the past 12 months. Hiscox reported that a U.K. SME is successfully hacked every 19 seconds. Chainalysis found that organizations have paid out $1.3 billion to ransomware hackers since 2020.
In the wake of these statistics, cyber professionals are scrambling to stop the tide. Or, at least, slow it down.
Cyber insurance is an emerging life raft for stranded cybersecurity professionals. It’s easy to see why. We have insurance for pretty much everything else; why not for something as costly as cyberattacks?
Unfortunately, it’s not that simple. Cyber insurance has the potential to be a key weapon in the cybersecurity arsenal, but it has a few kinks to work out first.
A Short, Strange Trip
Cyber insurance hasn’t been around for long. Lloyds of London only wrote the first modern policy in 2000. Since then, the industry has struggled to establish itself. In 2002, it was estimated that the global market for cyber insurance would be worth $2.5 billion by 2005, but this amount was still five times higher than the size of the market in 2008.
However, it does look like the industry’s painful stage is behind it. Cyber insurance is experiencing a monumental comeback. In 2020, the market was valued at U.S. $7.36 billion and is expected to rise an astronomical U.S. $27.83 billion by 2026.
Yet, cyber insurance in the U.K. remains low. A survey from September 2020 reported that only 13% of U.K. SMEs have cyber insurance.
The insurance market is relatively more mature in the U.S. because companies have been required to report incidents since the early 2000s, and GDPR has only required this since 2018; however, only 25% of U.S. SMEs had cyber insurance in 2016.
Why Buy Cyber Insurance
As ransomware payments rise and cyberattacks seem inevitable, insurance covering the cost of an attack is valuable for any organization.
Uninsured SMEs hit with an attack face a gargantuan task. They need forensics, crisis response and recovery teams to address a breach. This comes with enormous cost, and mobilization speed is unlikely to be sufficient. Cyber insurance providers have teams on retainer prepared to deal with an attack at a moment’s notice—included in the cost of insurance.
It’s not just financial benefits that make cyber insurance a worthwhile investment.
Think in terms of home insurance. Brokers wouldn’t insure a house without locks. That would be throwing away money. The same goes for cyber insurance. Providers require a base level of security measures before agreeing to insure an organization. These requirements bring organizations up to speed on how to protect themselves.
Cyber insurance policies also drive best security practices industry-wide, standardizing and reducing the ambiguity surrounding security controls.
What’s Holding It Back
Cyber insurance isn’t perfect. The industry must face several challenges before it can realize its true potential.
Many problems arise when we assume that cyber insurance is compatible with other insurance lines. The cybersphere is incredibly dynamic and young compared to other forms of insurance, meaning there just isn’t enough data to effectively assess risk.
The increasing frequency of cyberattacks, combined with the difficulty of accurately assessing risk, has sent insurance costs into the stratosphere. True, it’s cheaper than mobilizing a battalion of independent security teams, but that doesn’t mean much to SMEs that haven’t been attacked. Getting organizations to pay what cyber insurance brokers ask for is a tough sell.
The industry also suffers from insufficient standardization. Minimum security measures and best practices aren’t well-defined and often fluctuate between providers. This is detrimental both for cyber insurance and the cybersphere, as it encourages buyers to choose the policy asking the least questions with the least security requirements.
And then there’s ransomware.
Some argue that cyber insurance incentivizes bad behavior on both sides. If businesses know that insurance will cover ransom costs in the event of an attack, why would they bother protecting against them? Why wouldn’t hackers target insured organizations they know will pay up?
Ransoms fund criminal groups and future campaigns, which is both morally and legally questionable. An organization paying a ransom with fiat money rather than cryptocurrency could even be charged with money laundering.
It should be noted that some cyber insurance brokers are backing away from paying ransoms, namely AXA.
The Future Of The industry
I’ve established the pros and cons of cyber insurance. Now we need to think about where the industry is headed. The future of cyber insurance is promising, but how does it get there?
As with so many problems, collaboration is key.
To ensure cyber insurance’s success, providers must decide among themselves what minimum requirements should be. This would prevent undercutting and provide organizations with clear cybersecurity guidelines. Unfortunately, providers are reluctant to adopt standardized security requirements as they could be viewed as anti-competitive.
However, remember that cyber insurance is still in its infancy. Traditional insurance lines have had decades to figure out best practices; it’s natural that cyber insurance takes some time to catch up.
Although some theoretical studies suggest that cyber insurance discourages other security measures, there’s little evidence to support this. In fact, a recent study suggests that this is rare.
While ransomware remains a thorn in the industry’s side, evidence suggests that insurers don’t encourage ransomware attacks. Paying ransoms is generally seen as a last resort when there are no other viable options. Fears that insurers will pay ransoms to save money seem to be unfounded.
Watch This Space
While there are major obstacles standing in the way of the industry’s success, none seem insurmountable. Cyber insurance is young, especially when compared to other forms of insurance. There’s time for the kinks to be worked out. If forecasts and growth in the U.S. are anything to go by, there is reason to be optimistic.
However, it’s important not to expect cyber insurance to answer all of our woes. It’s far more beneficial to view it as an affordable, accessible weapon in the ever-growing cybersecurity arsenal.