Understanding Cyber Insurance

Insurance 101: Income (premiums) must exceed outgoings (claims) by around 30% (operating costs + profit).  If claims increase, so must premiums for the insurance model to remain viable.  And for the insurance companies to remain solvent and in business.

Cyber Insurance 102:  The cost of cybercrime is rising dramatically and has been doing so consistently for many years. Continually increasing premiums to counter continuously increasing claims is ultimately unsustainable.  Soon, the cost of insurance will make it too expensive to be an effective form of risk management for business.  The insurance industry must therefore find an alternative method of balancing its books if it is to survive.

There is a solution: Decreasing costs (claims) improves the profit/loss ratio much faster than increasing sales (premiums).  This is the area now being considered by the insurance industry.  Premium costs can be reduced by increasing exclusions in the insurance policy, but that decreases the value of insurance as a risk management tool, and there is a finite limit to its use.  If the customers’ security posture can be improved sufficiently to reduce claims, then the cost of insurance can also decrease (or at least be maintained at current levels).

According to Moody’s research (19 October 2021), “The proliferation of ransomware attacks has driven up losses for cyber insurance policies, and losses will likely increase in 2021 for insurers.  Although insurers had been gradually raising cyber insurance pricing, rate increases began to accelerate in 2021 in response to ransomware trends, with double-digit rating increases across the board for coverage.  Insurers have also reduced policy limits, increased deductibles and tightened terms and conditions, including sub-limits or coinsurance, to lower exposure to ransomware.”

Ransomware is the current bête noire for both industry and insurers. But it is not the only threat.  Business Email Compromise or BEC can also cause large and unpredictable losses and many researchers believe BEC will expand in 2022 as deepfake technology improves.   Deepfake technology is an evolving form of artificial intelligence that’s adept at making you believe certain media is real when in fact it’s a compilation of doctored images and audio designed to fool you.  A surge in what’s known as “fake news” shows how deepfake videos can trick audiences into believing made-up stories.[1]

In most insurance markets, the insurers have hundreds of years of data on losses and their causes in marine, motor, home, and life insurance.  The data, as actuarial tables, provide accurate evidence on which to base premiums for individual cases.  But there are no such actuarial tables for cyber; and it is unlikely that they can be compiled as the threats are dynamic, not linear.

“I don’t think the insurance industry can create cyber security actuarial tables,” commented Chris Reese, head of insurance at Cowbell.    Cowbell Cyber Inc. provides a security software solution.  The Company maps insurable threats and risk exposures using artificial intelligence to determine the probability of threats and impact on coverage types for the enterprise.  “The risk is unpredictable. The threat actors are smart and keep looking for new ways to exploit victims.  Yes, we’re getting better, and we have more data, but the loss experience from three years ago is not relevant today. Will the insurance industry get actuarial tables like it has for the motor industry? I don’t see that happening.”

With no history to help, the insurance industry cannot be proactive in setting accurate premiums.  It is forced to be reactive and it is reacting to increased claims by setting higher premiums and insurance conditions.  In short, it is becoming more expensive to get insurance, more difficult to renew insurance, and sometimes not possible.  But despite the increasing cost and shrinking coverage of cyber insurance, the market is expanding rapidly.  In May 2021, the US Government Accountability Office issued data from global insurance broker Marsh indicating the take-up rate for clients purchasing cyber insurance rose to 47% in 2020 from 26% in 2016, based on all industries.

The primary reason is the continued growth and success of cybercrime.  It has been estimated that cybercrime already costs the global economy trillions of dollars, and is expected to continue to grow in the years ahead.  For the insurance industry to cover increasing claims for a larger market, it will need to do more than repeatedly increase premiums and the only viable solution is to reduce claims by improving the cyber security of its clients.  The question is not whether it will do this, but how it will do it.

The payment card industry operates a security standard, the Payment Card Industry Data Security Standard (PCI DSS).  It is an information security standard for organizations that handle branded credit cards from the major card schemes.  The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.  The standard was created to increase controls around cardholder data to reduce credit card fraud, and all companies must conform to it before they are allowed to accept payment by bank cards.  One route to improving the insured’s security could be to develop a similar security standard and require conformance.  Compliance with these standards is also audited, and non-compliance results in credit card acceptance/processing being terminated.

There is currently no legal requirement for businesses to carry cyber insurance, but it is not inconceivable that it might happen in the future.  The route could be through governments wishing to protect their voters (the consumers) through some form of third-party liability protection backed by insurance.

Insurance required by law would benefit from a worthiness certificate.  That certificate would effectively allow customers to demand, and insurers provide, lower premiums through proven high security.  We see this posted in the same sections of a website where privacy and terms of use are posted.

Sumedh Thakar, president & CEO at Qualys, thinks something like this could evolve naturally, but stresses that it is too soon to know how it might happen or what it might involve.  “Most of the interest in this route seems to be coming from the customer.  If I do this and implement that, should I not get a reduction in my premiums?  There hasn’t been a lot of work done at the industry level, but I think I can see the basic principle working.  You can get cheaper home insurance if you can demonstrate you are protecting the home.”

A potential weakness in a PCI-type standard is that it only requires conformance on the audit day; the company concerned could be out of conformance, and therefore at increased risk of breach, for every other day of the year.

Cowbell’s Reese doesn’t see this as a serious issue.  “PCI isn’t required for just one day of the year,” she stated.  “The requirement for conformance is for all 365 days.  If there is a network security breach and it is due, or potentially due, to a lack of security on behalf of the retailer, then the brand (for PCI, the payment card industry) can withhold the cash.  That’s a pretty big stick.”  Her argument is that the threat of declining a claim, if it is shown that a breach occurred due to a lack of conformance with the insurance standard, would be enough to ensure that companies maintain continuous compliance.

The question remains: could an insurance security standard reduce insureds’ claims sufficiently to allow the insurance industry to keep premiums at current or lower levels? “PCI has certainly raised the cyber security bar for a lot of companies,” comments Eric Skinner, head of market strategy and corporate development at Trend Micro.  “But it hasn’t magically solved the problem.  You can pass a PCI audit, and still get breached.  The question for the payment card industry is, does it make a breach sufficiently less likely to be worth it?”

Only time will tell if the insurance industry is able to develop, maintain and require conformance to a solid security standard that works.

An alternative approach for the insurance industry would be to require different controls for individual clients.  This would be more flexible than a single all-encompassing standard since it could vary between different industry verticals depending on the perception of risk.  It could also be amended at renewal time or annually as specified in the insurance contract.  A possible concern here is that insurance could become intrusive on its customers’ security posture.  “That’s a valid concern,” said Skinner, “because some of it is already happening; the process of cyber insurance influencing cybersecurity has already begun in a somewhat rudimentary fashion.”  He refers to the ubiquitous questionnaire, in this case asking the customer for a statement on its security posture.  “Like annual compliance audits,” continued Skinner, “these questionnaires are a snapshot in time and they ask questions that may or may not result in reduced risk because the insurance industry is still learning about security.”  These questionnaires are having an influence on cybersecurity postures.  “Examples could be, ‘do you have EDR deployed?’  We’re hearing from some insurance brokers that if customers say ‘no’ to this, they run a very high risk of being declined or not renewed.”  The problem is that security is not enhanced by deploying controls, but by implementing them correctly, using them adequately, and ensuring they are up to date.  None of this can be gauged by a questionnaire.  “I’m not sure if such questions are currently delivering the benefits the insurance companies expect.”

The logical extension to enquiring about security postures would be to start insisting on certain controls.  This would be a large step too far.  To be effective, it would require the insurance company to have the visibility of a CISO, the business understanding of the board, and the purse strings of the CFO within every insured company.  This would be far too expensive for the insurer and far too intrusive for the customer.  It is, quite simply, a non-runner.

A third approach would be for the insurance industry to base their premiums on recommendations from third-party security scanning companies such as Red Sky Alliance with their daily cyber threat notification service RedXray and others.  This could provide a form of continuous posture monitoring; something missing from both the audited security insurance standard and the questionnaire-based approaches.  It can be less intrusive and therefore more acceptable to the customer.  The insurance company can simply say, our scans say you are weak in these areas; strengthen them and you will qualify for lower premiums.

The weakness is that most scans only see an external view of the customers’ infrastructure.  This is still valid because it is the same view as seen by the hackers, and strengthening all visible weaknesses makes it difficult for hackers to find an entry point.

An evolutionary step up from external monitoring is internal continuous monitoring of the entire infrastructure.  This is currently offered by Cowbell, a company that uses an AI engine to scan for posture weaknesses inside the network.  The information it returns can be used to strengthen cyber security, but can also allow insurers to make a more intelligent assessment of the premiums necessary to insure individual customers.

In one sense, Cowbell operates as an insurance broker’s assistant.  It provides brokers with the information necessary for them to negotiate the best possible premium from among the potential insurers.

Cyber insurance is still a work in progress, which means that many current customers are effectively guinea pigs.  The current model of continuously increasing premiums and exclusions to counterbalance rising claims is unsustainable.  But the insurers know this and are actively seeking a realistic solution.  They will eventually succeed. Every party to the process wants the same result: increased security with lower loss to cybercrime.

Vishaal Hariprasad, CEO at Resilience, believes the solution will come with a new relationship between the insured, cyber security, and the insurer.  He came into insurance in 2016, having previously been a threat intelligence architect at Palo Alto Networks.  He was, and is, a cyber operations officer at the US Air Force Reserve, and is also (IMA) Director of Operations, 90th COS, 67th Cyberspace Wing.  “In 2016, you could buy a million-dollar cyber insurance policy and they would ask you, do you have an IT person, and did you guys buy a firewall?  They never asked if the firewall turned on because the insurance industry didn’t care back then.”  This is what must change.  “Insurers need to know, is your firewall turned on?  Is it consistently patched?  Are you continuously bringing in the right data feeds?  And are you monitoring them?”  What is needed is a new cooperative relationship between the insurer and the insured.

The insurance industry needs to work with the standards bodies, the control organizations, and especially with the information sharing groups.  Insurance should be able to leverage that level of information-sharing and standards-gathering and implement them into their policies.  And implement them into the holistic risk transfer package, not just insurance, but the loss control and risk engineering services that help that to happen.

In effect, the insurance company, through relationships with threat information sharing bodies, needs to become a cyber security advisor to its customers.  Since both the insured and the insurer seek the same end, better cyber security, this could be done in a mutually acceptable rather than officiously intrusive manner.

The keywords in Hariprasad’s view of successful cyber insurance are engagement and continuous monitoring: cooperative engagement between the insured and an insurer that fully understands the threat landscape, and continuous monitoring of cyber controls that mitigate threats.  “A lot of folks still think in that old mindset of you set it up once and you forget about it, and just worry about the renewal in a year or two. And I think that’s the danger,” he said.

Cyber insurance and cyber security must learn to work in harmony and not be considered as alternatives to each other.  Insurers must become trusted advisors to the board of the insured and boards must learn to work with the insurer to improve their security hygiene, to improve their cyber security, and to earn the lowest possible premiums.

What can you do today?  Please visit https://www.wapacklabs.com/redxray and receive daily cyber threat notifications of targeted threats that have breached your network yet.  Then, take the second step and take this cyber threat file and place it into your SIEM and blacklist them.  If you want to monitor your supply chain members, you can do this with a dashboard and see their cyber health on demand.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.securityweek.com/wild-west-nascent-cyber-insurance-industry