The Cyber-Risk Data Gap Threatens Insurance Offerings

Given the recent rise in ransomware attacks, board members are asking more questions about how their organizations are proactively addressing cyber risk. While most companies are deploying resources in the form of people, technology, and processes to protect against cyber risks, many organizations are also purchasing a cyber insurance policy to protect against potential financial loss.

However, these protections have not stemmed the tidal wave of cyber incidents over the last year. In fact, due to mounting attacks and the resulting losses, cyber insurance has become more expensive and the breadth of coverage reduced.

Until late 2020, cyber insurance had been in a soft market cycle, in which coverage continued to expand in scope and premiums were decreasing year over year. However, as the COVID-19 pandemic forced companies into remote work environments, ransomware increasingly became the preferred attack vector for threat actors looking to make quick money, both last year and into 2021. Ransom demand amounts skyrocketed, and threat actors learned that they could ransom companies not only by encrypting networks but also by threatening to release private corporate information on the Internet. Threat actors further took aim at software and technology providers as a means of reaching additional attack targets.

In this environment, the cyber insurance marketplace shifted into hard market conditions. According to Aon, premium rates are anticipated to increase by up to 50 percent throughout 2021.

As insurance carriers struggle to adequately price their capacity, they are, in many cases, reducing coverage for ransomware events and business interruption. The result, as recently reported in The Wall Street Journal, is a challenged cyber insurance industry in which some organizations may not be able to afford to renew their policies or may find that the coverage available is insufficient. The real problem is a data gap, in that insurance providers are unable to get accurate and adequate underwriting information.

Typical underwriting processes include an organization completing an application about its cybersecurity controls. Most carriers also require a supplemental application focused solely on the company’s ransomware-related controls, such as multi-factor authentication, privileged access, network monitoring, and business continuity and disaster recovery planning. However, the information companies provide to insurance underwriters is often given only verbally during an underwriting meeting. The underwriters may not have all their questions answered in this format, resulting in a process that is neither efficient nor effective.

To combat rising rates and reduced coverage for cyber insurance, as well as more frequent and severe ransomware loss events, board members should be asking management for data to understand their companies’ overall cybersecurity posture and the financial impact of a breach. Too often, companies are unwilling to share information—both internally and externally—about their cybersecurity posture. This results in the data gap mentioned above, in which the intangible exposures of cyber risk remain underappreciated by the board and often underfunded. Unfortunately, many boards only seriously consider cybersecurity and cyber insurance budgets after a breach occurs.

In the current environment, sharing data about cybersecurity posture—not only from external, outside-in viewpoints but also from examining and interpreting signals from inside the network—can provide great insight to boards. Additionally, quantifying potential losses (for example, of a ransomware event or a technology provider disruption) can allow board members to understand the potential return on investment of cybersecurity and cyber insurance, ultimately empowering them to make better decisions. Improved data can likely help reverse current cyber insurance market conditions, as well as help underwriters gain the ability to more thoroughly understand the companies that they are insuring.

While it will take a multifaceted approach to quell the scourge of ransomware, boards should be at the forefront—leading their organizations to improve security posture on a proactive basis.