Cyber Insurance, One (Temporary) Step Backwards
Dale Peterson
ICS Security Catalyst, Founder of S4 Events, Consultant, Speaker, Podcaster, Get my newsletter friday.dale-peterson.com/signup
I still do a bit of ICS security consulting for asset owners in between S4, speaking at events, and the Unsolicited Response show. This consulting typically requires a $1M Professional Liability Insurance policy. It's renewal time, and the new policy calls out two new exclusions, shown below, that would result in denial of a claim.
This approach is just one of many examples showing that insurance companies are struggling with the cyber insurance product. Sure, these are two important vulnerabilities. But they are only two of many. Are the insurers going to add exclusions for specified vulnerabilities each year? They are groping for solutions and, unfortunately in this example, not getting or heeding good advice.
A Fitch Ratings article is chock-full of bleak 2020/2021 numbers on cyber insurance, https://www.fitchratings.com/research/insurance/sharply-rising-cyber-insurance-claims-signal-further-risk-challenges-15-04-2021. In 2020, Fitch estimates that 73% of premiums were paid out in claims. For most insurers this means a loss, as breakeven is typically between 60% and 70%. No need to cry for the insurers though, as claims were a low percentage of premiums in 2017 (35%), 2018 (34%) and 2019 (47%), albeit on a lower premium base.
One response by the insurers to the higher cost of claims is to raise rates. Information on the percentage increase varies widely, with Fitch saying 11% and insurer AIG saying its cyber policy premiums are 40% higher for renewals, https://www.reuters.com/article/aig-results-cyber-idCNL1N2PD1AJ.
The good news, from the insurer's perspective, is that cyber security product revenue is growing at ~20% per year and is now at $2.7B.
The trends of increasing claims and increasing premiums have some skeptical that cyber insurance will be a helpful cyber risk management tool.
It is too early to judge the role cyber insurance will play. I'd agree with Dmitri that to date it has not made things better, and I would not bet against the insurance industry figuring out this cyber insurance product. I hope to have an insurance industry expert on the Unsolicited Response show to explain how the industry has developed new products, such as piracy, hurricane, and other expansions to property/casualty.
Progress in this market will require the insurers to get a better idea of how to measure cyber risk based on a company's security posture. Clearly whether a patch or two has been deployed isn't the answer, but the Moody's/Team8 cyber risk rating may be. Others are developing risk ratings as well.
Progress can also be made in reducing the claim size through a more effective response, and insurers will get better at assisting, and even dictating to some degree, the response. In the near term, I'm less hopeful in cyber norms and law enforcement diminishing the frequency and impact of the incidents.
---------
One last thought on cyber insurance, particularly related to critical infrastructure asset owners. Some believe that insurance can't play a role in managing critical infrastructure risk because a claims payment to the asset owner doesn't help the people and businesses who have lost the service provided. While insurance may not be as useful a risk management tool in critical infrastructure, it still can be useful.
For example, imagine cyber insurance for an electric utility. If a cyber attack takes out one or more units at a power plant, the corresponding generation capability would be lost. Insurance does not help the impacted customers. The power would be out (though not really in most cases, since the utility would either tap into its reserve capacity or buy power). The customer impact and the impact on its reputation would be large if the utility said, "It's not a big deal the power went out. We won't lose much revenue because we have cyber insurance." Outages happen for a variety of reasons at power plants, and the utility needs to be able to meet its customer demand when they happen.
Where insurance could be a useful risk management tool in this example is if the cyber attack caused physical damage to systems that are very expensive to buy and deploy. A utility, manufacturing company or other organization relying on ICS could have a resilient operation that allowed it to continue to provide the product or service to its customers, and still cover a portion of the physical system replacement cost via insurance.
It's early in the cyber insurance game.
Executive Director | (Re)Insurance | Cyber | Risk Management | InsTech
3 years
There's a lot at play here, and it's not simplistic to overcome. Firstly, rate rises are required for a sustainable market and product solution. However, that needs to be transparent and better communicated as to why. Secondly, marginalising coverage and reducing participation and/or excluding claims is not the answer. The product is now clearly needed by customers - the insurance market needs to lean into this after years of trying to market the value proposition. Thirdly, ransomware… losses arising from ransomware need to be covered. It is a key risk. However, what must be done by all parties and stakeholders is to be more robust and transparent in providing evidence that such action is the last resort, not the path of least resistance. Overall it isn't a failure of insurance or indeed a failure of MSSP silver bullet solutions, or vendor hardware. It is a combined failure in a complex risk ecosystem. The only way to overcome that, bring down premiums, and ultimately reduce losses is to work in closer partnership, as opposed to simply saying "patch more, exclusion X". I think it's safe to say that's not typical for the customer-insurer dynamic, but it's the only way to arrive at sustainable solutions.
Thanks for the article. For sure there is a big product gap as insurers play the same catch-up game as the wider cyber security space, albeit from a different perspective. We're all working hard to understand, manage and mitigate the risk. Your example of the CVE exclusion indeed seems laughable for its ignorance. Most organisations have a backlog of CVE patching that can simply never be completed in their limited patch windows (thus the need to prioritize carefully, and tool families are available to help). Insurers tell us that one of their primary concerns is that clients are co-opting their cyber insurance policies to cover incidents that the policies were never designed to cover. Relying on Information Technology experts to unpick the facts and prove that the damages did not accrue from an incident that could reasonably be included in the cyber policy takes us to the place where insurers need to go if the risk accumulation is to be limited with any level of certainty. Some solace perhaps in this quote: "All of this is under our control. Cyber is not an Act of God" (Curtis St. Michel, CTO, INL Cybercore Integration Center).
Founder & CEO at DeNexus, Inc.
3 years
Great post Dale Peterson. Rates are hardening, but I do not think that it is a step backwards. It is the market reaction to recent events and an indication of the state of the art in the current offering. I totally agree that it is early in the cyber insurance game. In plain words, the model that the insurance industry has developed to underwrite traditional classes of static risks does not work for the highly dynamic cyber risk, with changes taking place potentially every day. The traditional actuarial approach, with its long static questionnaires, cannot capture the risk to be covered by the next year's policy. Risk qualification and ratings are steps in the right direction, but evidence-based quantitative and auditable data on exposures is essential for insurers not only to price the risk but to set capacity, loss reserving and many other "behind the scenes" activities to secure a profitable insurance business that can write large checks when the inevitable claim/settlement comes. Cyber risk quantification is the problem that we are tackling at DeNexus, and the underwriting of this risk will be the theme for a blog series sponsored by our insurance expert and Board Member Jeffrey Sirr that we will be launching next week. Stay tuned!
Cyber Strategy Director at BMS Group | Cyber Risk Aficionado | (Re)Insurance Evangelist |
3 years
Clients' ability to articulate cyber risk needs to mature, with organizations presenting how and why controls are effective at reducing risk and to what degree. Risk takers such as insurance companies, or ultimately reinsurers, want to measure economic impact, and if organizations can discuss and illustrate what this impact is, it will put the cyber insurance market in a position to better manage the volatility and the unnecessary exclusions. Measuring systemic risk is an art (at the moment), with a few firms trying to bring science to the discussion, but it's certainly a long-term challenge all stakeholders are responsible for.
Chief Delivery Officer ◆ Led 40 analyst 24/7 $25MM SOC ◆ Critical Infrastructure OT & ICS ◆ NIST CSF, ISA/IEC 62443, SOC 2 Type 2, NERC CIP, GDPR ◆ 2022 CISO of the Year ◆ Former Navy Fighter Pilot
3 years
Raising rates is not the only option for beleaguered cyber insurance providers; totally getting out of the business of paying ransoms might start spreading: https://www.insurancejournal.com/news/international/2021/05/09/613255.htm