ISC2Congress: A Cyber Insurance Reality Check

Cyber insurance has been around for a while – some say it dates back as far as 1997. It really became a mass-market product between five and 10 years ago, and many were surprised that a policy with a potential seven- or eight-figure claim pay-out cost just a few thousand dollars. Times have changed radically, though. As attacks become more prevalent and as fixing the damage gets more and more expensive, the premiums are rocketing up, the level of cover is plummeting, and the number of caveats and exceptions in the average policy is ballooning. In his session Cyber Insurance Reality Check at ISC2 Security Congress 2023 in Nashville, Tennessee, infosecurity specialist, podcaster and author Joseph Carson took a research-based look at the realities of cyber insurance in the 2020s.

Carson’s first finding was that people do make claims on their cyber insurance – lots of them. A third of organisations had made one claim on their cyber policy, but almost half (47%) had made more than one call on their cyber insurance – and among smaller companies this figure was 52%. “That is a significant amount of claims”, said Carson, but warned: “Yes, those organizations, the great thing was is that at least they had the financial safety net. That’s great. But it shows that just because you have cyber insurance doesn’t mean you’re gonna not become a victim of a cyber attack.”

The weaker points of cyber insurance

The next focus was on the exclusions and limitations we find in cyber policies. The researchers asked their subjects what would cause their cyber insurance to be invalid. Top of the pile (43%) was having a lack of security protocols in place, though human factors – internal bad actors and people losing kit – were close behind on 38% each. The old favourites were in there too: acts of war voided 33% of policies, with terrorism just 1% behind. Carson noted that it’s important to ensure any controls you say you have are properly implemented: “This is where you get those small businesses who do the self-assessment and realize that when they check the box and said ‘Yes, we’re using MFA’. And then they realized that yes, they only had MFA on, let’s say, 60% of employees and it wasn’t an all employees … where they checked the box and said, yes, we have MFA could potentially void a claim because they didn’t have it on a hundred percent deployment”.

Carson also noted that on occasion companies play the “blame game” to make sure their insurer pays out by citing a root cause that they know is covered. “What’s been interesting is that some insurance policies that I’ve seen in the past, if you have a process failure, or you have a, a process [or] compliance failure, then that voids your insurance. But if you find human failure, then you will get paid … Sometimes for organizations to make sure they get, get paid in the policy they want to find human blame.”

What can and should be covered?

Flipping over the previous concept, Carson then gave a view of some of the specific areas that cyber insurance does pay for, noting that there are so many different policies available that a company can pick the one (or several) that best suit the requirements, which really means buying something that addresses the organisation’s risks. “It’s really important to make sure that as you come down this path, you actually do a proper risk assessment. And a business risk assessment, not something that’s a security risk assessment. You want to get into a business risk assessment when you’re going down the path of cyber insurance? When you’re doing cyber insurance, you need to focus on the operational. But you need to make sure that you’re addressing the business metrics”.

More than half of policies (54% and 53% respectively) would pay out for data recovery or adding security controls, with 45% covering incident response services and 41% paying for fines or covering lost revenue. And if you’re considering paying the ransom for a ransomware attack … 40% of policies cover negotiation of the ransom and/or the actual payment itself. On this latter subject Carson also pointed out that some insurers consider paying the ransom as one of the potential approaches under the heading of “data recovery”, and also noted that ransom coverage can help out ethically when it comes to paying up: “You’re handing over the decision making to the insurance company, whether they’re gonna make the ransomware payment. That’s something that’s been happening in a lot of policies and some organizations are like, that’s fine with me because it means I’m not having to do the ransomware payment directly”.

Going back to the first finding, experience in other fields of insurance tells us that if insurance claims increase, so will the premium. And no surprise, this is precisely what happens in the cyber insurance realm. A paltry 2% of respondents saw their premiums reduce, while a similar number saw them more than double. By far the majority – 67% – had their premiums increase by 50%-100%, 10% had an uplift of less than half, and the remaining 19% saw little or no change.

Paying for the insurance in the first place

The data on the cost of insurance was followed by a fascinating aside: those surveyed were asked whether they had been awarded a budget uplift to pay for cyber insurance. And the vast majority (81%) said “yes” – more than four times as many as those who said “no”. Part of Carson’s logic in explaining this was that since board members have personal responsibility for the company’s continued existence and, of course, for preserving shareholder value, they’re going to be inclined to ensure that funds are made available for insurance.

This factor carried through to the next data set, which was about people’s main reason for getting cyber insurance. Top of the heap was “the executive/board wanted me to”, in 36% of cases. 26% said they had jumped on board because they’d seen others in their industry being attacked (“They saw their peer organizations become victims”), while 19% admitted to being reactive and obtaining insurance because they had had an attack previously. And leaving aside the 1% who had no particular reason, 18% of insurance purchases were driven by external organisations, with customers, partners or other third parties insisting on the purchase of cyber insurance. Carson also brought up the fact that many of your board members work with more than just your organisation: “typically what you find is most board members sit in multiple boards and they hear from another organization they’re dealing with that they’re doing cyber insurance”.

Next came a discussion of tools – specifically which tools they had to purchase in order to get or renew their policy. It will come as no surprise that access management was the star of the show. 51% had been compelled to implement Identity and Access Management (IAM) tools, with 49% made to implement Privileged Access Management (PAM). Our old friend and ally Multi-Factor Authentication (MFA) came in at 47%, with password vaults/management at 48%. For a change Disaster Recovery brought up the rear of the examples covered, with a mere 38% being made to implement it.

And satisfying these prerequisites is key. “If you don’t have an IAM program”, said Carson, “you may not even be able to become insured. If you don’t have privileged access management in place, if you don’t have multifactor authentication in place, if you don’t have a password vault or actually some type of password management in place. Most organizations had to go and buy additional technologies to be able to make sure they can get insurance in the first place”.

Aligning policy with insurance expectations

The final key finding was around the time and effort taken to obtain or refresh cyber policies. In the most recent year 18% reckoned less than a month had been (or would be) required, with 1-3 months being the most popular answer with 45%. 30% said four to six months, with a handful either taking longer than this or citing themselves as unsure. Most organisations (63%) handled the start-up or renewal internally, with 57% using the insurer’s tools and 55% looking to external risk assessors for help. The time delay has changed over time, too. Carson recalled: “Last year we did the research, it [the time to obtain insurance] was approximately three months. And this year now it’s six months. So it’s taking longer. So if you’re a larger organization, it could take up to six months to actually do the process of getting insurance. If you’re a smaller business, you could probably do the self-assessment and accelerate that quite significantly”.

The cyber insurance market has changed radically; we would of course expect cyber coverage in 2023 to be somewhat different to how it looked all the way back in 1997, but even in the few years since it really took off the market has become unrecognisable compared to the mid-2010s. This should be no surprise, of course – as claims go up, coverage gets sketchier and pricier – but the magnitude of change has been greater than expected. Joseph Carson has, however, reassured us that despite these factors cyber insurance is still a thing … though we should expect to have to jump through a load of hoops to get it and retain it.

The final word goes, quite rightly, to Carson, and the message is short and to the point: “Cyber insurance is not cybersecurity. It’s the financial safety net that should be combined with a good cyber security strategy.”
