Over the past several years, cyber-insurance policies—instruments that cover businesses for the costs arising out of a cybersecurity incident—have become a key component of how organizations manage cyber-risk. These policies, which since roughly 2017 have mostly been written as standalone products rather than folded into ordinary property and casualty coverage, were widely adopted. They were available and affordable, premiums were reasonable, and generous payouts helped blunt the consequences of cyberattacks. Life was good.
Sure, defense efforts were a little siloed. Insurers brought actuarial expertise to the table but usually stayed out of the business of cybersecurity. Risk-management teams at buyers often focused on insurance alone, while CISOs and IT teams concentrated on their own cyber-defense strategies and set insurance to the side. But the system, it seemed, was working.
Those days are over.
Ransomware attacks have spiked, and businesses are now on the hook for ransoms, with individual demands reaching $50 to $70 million in the first half of 2021. Even when businesses can negotiate a demand down, they still grapple with the question of whether to pay at all, and cyber insurers can no longer cover every demand; major policies have lost money as a result. In response, insurers have raised premiums, restricted coverage, and in some cases walked away from cyber insurance altogether.
That’s bad news for risk-management professionals. Premium increases of 30% to 45% at renewal are now typical, and some are far higher. Other buyers will head into a renewal cycle only to be told that their business is no longer insurable. And IT and cybersecurity teams will face a rude awakening: there’s no insurance backstop to protect the business anymore. If even a single attacker gets past them, it could be game over.
But good things can come out of this reckoning.
The current situation isn’t comfortable—but it’s an important spur to necessary growth.
INSURANCE PROVIDERS
Insurance providers will have to take control of their policies by substantially increasing their cybersecurity expertise. By building a deeper understanding of the attack landscape, providers can calculate risk for policyholders more accurately and develop consistent cybersecurity standards that businesses must meet to be insured.
Providers also face the question of whether paying ransoms on behalf of policyholders subsidizes the very criminal activity they insure against. When insurers are armed with more knowledge about the cyber threat landscape, they can more effectively partner with the criminal justice system and regulatory bodies to define a market that protects businesses without subsidizing the cybercrime industry.
This will take time—and the insurers who learn fast and partner effectively with security operations experts will be able to edge out the competition. But cyber insurance isn’t going anywhere. It’s just going to get smarter, stricter, and more effective.
RISK-MANAGEMENT LEADERS
Risk-management leaders will need to break down the walls separating them from IT. Through that collaboration, they’ll come to understand their business’s security posture: its ability to protect its digital assets and to detect and respond to threats. This knowledge gives risk-management teams a clearer picture of the state of business IT risk, makes them more effective negotiators and buyers of cyber insurance, and lets them help set a cybersecurity agenda that best protects the business as a whole.
IT AND CYBERSECURITY TEAMS
IT and cybersecurity teams need to deploy advanced cybersecurity capabilities, such as detection and response. They’ll need to build up their own expertise and partner effectively, both to protect their systems and to clearly explain their cybersecurity strategies to internal risk-management teams and external insurers. The eyes of the business are upon them. Now is the perfect time to make the case for meaningful cybersecurity investment. Now is the time to get it right.
If each of these constituencies is able to build the appropriate expertise, break down silos, and coordinate effectively, the cyber-insurance and cybersecurity worlds can grow together. Businesses and those who lead them will be able to exit this storm better protected, better insured, and stronger all around. The only losers will be the cybercriminals.
WHAT COMES NEXT?
Of course, those cybercriminals won’t just give up and go home. Defenders will need to maintain their advanced capabilities—and sustain their effective partnerships with risk-management teams and insurers. That will mean ongoing investment in the frontiers of security—from vulnerability management to training, to cloud, and more. And insurers will need to partner with regulators and the justice system to help define a cybersecurity market that protects businesses without subsidizing crooks. A lot of big changes are coming, and they’re going to keep coming. In order to put yourself in the best position to handle them—whether you work in insurance, risk management, or IT—it’s a good idea to develop your security operations practice today.
Nick Schneider is President and CEO of Arctic Wolf, the market leader in security operations.