Reuven (Rubi) Aronashvili, founder and CEO at CYE.
When it comes to insurance, patterns are everything. Whether for your house, your car or your life, insurance policies are meticulously crafted based on predictability and likelihood—two words that have never been used to describe cybersecurity.
Cyber insurance is still very much “the new kid on the block.” Many calculate that the market began around 1997, while car insurance dates back to the late 1800s, and life and renters’ both date back to the late 1700s.
All this to say, cyber insurance is a very new market that has only picked up real steam in the last five to seven years, and there are still many kinks in the system. However, there are also solutions and reasons for hope.
The Current State Of The Market
Let’s not sugarcoat this: The cybersecurity insurance market is extremely unhealthy as it currently stands. It’s characterized by demand higher than the willingness to supply and unsuitable underwriting processes.
Insurers are developing stricter requirements for policies, causing the number of insurable companies to decline and the demand to skyrocket. Insurers are getting more stringent because they originally underestimated the frequency and severity of cyberattacks. According to a National Association of Insurance Commissioners (NAIC) report, loss ratios jumped from 32.4% in 2017 to 66.4% in 2021. Insurers were forced to make a correction and increase the price of their premiums to stay profitable, and they did.
The NAIC found that cyber insurance premiums surged by 75% between 2020 and 2021, and an AM Best study found that premiums rose 50% between 2021 and 2022. It seems that strategy is working, as insurers’ average loss ratios dropped to 44.6% in 2022. Given that drastic increase in profitability, we shouldn’t expect to see premiums going back down anytime soon.
Next, to understand why there are such drastic miscalculations when it comes to coverage, we need to look at insurers’ underwriting practices. Right now, cybersecurity insurance policies are written based on static rather than dynamic underwriting practices. Static underwriting works for “predictable” or pattern-based sectors like life insurance. Of course, life science changes over time, but a dramatic shift in life expectancy for any demographic group isn’t likely to take place over 12 months.
The cybersecurity industry, on the other hand, could go from being calm one minute to facing a ransomware attack that wipes the systems of the largest companies in the world the next. This is why a shift to dynamic underwriting is critical if cyber insurance policies are going to be written accurately and if the market is going to stabilize.
Dynamic underwriting involves constantly reassessing your cybersecurity posture—not assessing, writing a policy to cover the next 12 months and then trying again next year.
A dynamic underwriting approach may seem much more time-consuming, but it’s undoubtedly in the best interest of both parties. It creates a relationship built on increased communication, with the insurer and customer working together to avoid an attack. Insurers gain an understanding of what to look out for, alert their customers to potential issues and work to help customers resolve them before disaster strikes. As cyber risk management and risk quantification become increasingly popular, the shift to dynamic underwriting will become more feasible.
Now that we’ve established the market has a long way to go, let’s walk through some solutions.
1. Give It The Old College Try
First, you should do everything you can to try to secure a cyber insurance policy. The market being unstable doesn’t mean cyber insurance isn’t still a good thing to have. Being able to transfer risk and have coverage is never a bad thing.
Yes, the qualifications to obtain a policy are becoming more rigorous, but if you work with an insurance broker, they should be able to lay out pretty clearly what you’ll need to secure a policy. A few givens include multifactor authentication, regular vulnerability assessments, an incident response plan and employee training. Get the basics in place before you attempt to obtain a policy, and be prepared to pay a heftier price while the market is still correcting itself.
2. Have Conversations About Remediation And Risk Acceptance
If you can secure a policy, your next job is to advocate for a close relationship with your insurer and remedy any and all issues they may find with your security stack. Insurance companies communicate, and the last thing you want is a reputation as an unreliable policyholder.
Insurable companies should do this as well, but if you’re not able to secure a policy, make sure you’ve had conversations with your leadership about your acceptable risk levels. The risk you have to accept may be higher than anticipated, so having honest conversations about that upfront is key to ensuring all leaders are on board and share responsibility for the organization’s risk profile.
3. Cover Yourself
Whether you obtain a cyber insurance policy or not, make sure your risk is accurately calculated. Going through the process of quantifying your risk is absolutely critical for not only being prepared for when an attack inevitably hits but also for communicating your organization’s risk to your board and executives.
We’re now seeing CISOs face extreme legal consequences for security incidents that happen at their organizations. That burden placed on the CISO isn’t likely to decline anytime soon, which is why creating a sense of shared responsibility with the board of directors and other executives is crucial.
At the end of the day, even though the cybersecurity insurance market is unstable, there’s no reason to panic and no reason to boycott cyber insurance. Again, it’s an extremely valuable asset to have, and the market will not miss out on a financial opportunity as enormous as cyber insurance. Insurers and vendors will inevitably work together to develop a sustainable solution. Security leaders just have to take extra precautions on both the security and communications sides of the equation until an answer is reached.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.