Cyber Insurance - is it worth paying?
Chris Merchant
Director of Sales & Marketing @ Remora | Developing Innovative Cyber Security Strategies for Clients and Partners
The validity of some cyber insurance policies being offered in the UK is currently under increasing scrutiny.
Throughout 2022 insurers have changed underwriting requirements, increased rates and limited coverage, in response to loss ratios over 100%, meaning they paid out more in claims than they collected in premiums. Some insurers have also issued endorsements at renewal that seek to limit coverage for “widespread events”, those that may affect many different insureds at once, such as the recently discovered Log4j vulnerability.
Lloyd’s of London has proposed major changes to coverage, including four exclusionary endorsements that would limit or preclude coverage for otherwise covered losses arising out of actions “by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”
When a policyholder gets a new cyber insurance quote, they can discover that the coverage is now vastly different from earlier quotes. Insurers have added ransomware sublimits or coinsurance clauses, which means that coverage for all ransomware-related losses is restricted to a lower limit than other policy coverages, or that the policyholder is responsible for a portion of all such losses. For example, some policies require the policyholder to pay 50% of all such losses while the insurer covers the remaining 50%, subject to a sublimit.
The message from insurers to policyholders is clear: they should not expect the same coverage at renewal, because the market is moving so quickly. Given new pricing and new endorsements that may limit coverage, some organisations should consider beginning the renewal process as soon as possible, or even whether to move away from insurance altogether and consider alternative services from cyber security firms.
Companies should examine their other policies that may offer coverage after a cyber attack, such as errors and omissions, general liability, kidnap, ransom and extortion, crime, directors and officers, and occasionally commercial property policies, in addition to auditing their cyber insurance policies to ascertain the extent of coverage following a cyber attack.
A service I will provide for free.
Companies must review their cyber security programme when obtaining or renewing insurance, so that new coverage gaps are understood, including the costs and liabilities the firm might now bear itself following a cyber attack. Cyber insurance is now more likely to deliver patchwork coverage, with restrictions or holes in protection for cyber-related hazards.
When renewing, care must be taken to cover these gaps. Corporate policyholders should consider the following as they evaluate their coverage:
These coverage gaps are only a few of the pitfalls that lurk for the unsuspecting insured. The best way for businesses to optimise coverage for the organisation, board, and executives in the event of a cyber disaster is to review coverage and remedy gaps in collaboration with knowledgeable insurance coverage counsel and insurance brokers.
In their dealings with clients and vendors, many businesses are compelled to make contractual representations or warranties about their cyber security policies or standards. Yet insurers seem unwilling to expect the same of their own policyholders.
This is the overriding factor in understanding why the cyber insurance market is broken: insurers have long ignored the regulators and have almost steadfastly chosen not to use the tools placed before them by regulators and by the cyber security industry.
Regulators
Since Andrew Gracie set out the policy in 2015 under the auspices of the Bank of England’s Regulation, Risk, Policy, Enforcement and Supervision Committee, the Bank of England has pursued a strategy of simulated phishing exercises, penetration testing and international cooperation to help companies reduce the risk of cyber crime. It was designed as a twelve-year programme and has since been rolled into the Prudential Regulation Authority. Now on its third lead, Duncan Mackinnon, the programme has shifted its focus to operational resilience.
Despite the Bank of England’s best efforts to help companies improve their operational resilience, a lack of basic cyber hygiene still leaves most companies vulnerable to criminal attack. The Bank has been trying to roll the programme out across the financial and insurance sectors, but take-up has been slow. So although cyber resilience is improving overall, it is not improving as quickly as cyber criminals are evolving, and far too many companies still carry fundamental security flaws: poorly managed vulnerabilities and information storage, badly designed IT infrastructure, and mismanaged user accounts and passwords.
Because so many companies lack cyber preparedness, the spectre of an attack is never far away, and cyber insurance is therefore more important than ever before. That makes the lack of synergy between the insurance sector and its clients a much bigger problem.
Divergence
It is the divergence of messaging between regulators and those they regulate that breeds confusion. If insurers adopted the Bank of England’s operational resilience strategy and worked with it, they would be more profitable. The Bank of England delivers CBEST, a framework for controlled, bespoke, intelligence-led cyber security tests. The tests replicate the behaviours of threat actors assessed by Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions, combining threat intelligence with a risk assessment in a threat-led penetration testing framework to assess organisational resilience. CBEST has become the Bank’s flagship cyber resilience testing programme and is in its second cycle. It evolves constantly to mirror the “very dynamic nature” of cyber risk and is now focusing more on malicious insider and supply chain risks.
Follow the regulator
If insurers asked policyholders to prove that they had undergone CBEST, a single intelligence-led engagement that offers a comprehensive evaluation of a financial services or infrastructure provider’s cyber capabilities, insurers would understand what threats their policyholders actually face, and could offer cover commensurate with each policyholder’s real cyber security posture.
Using CBEST as a benchmark would not only strengthen the position of those who undergo it; it would also identify the areas where clients need to improve, and enable their cyber security teams to recognise and act on the threats, vulnerabilities and risks identified.
The Future
This is a critical time for the sector’s future. Given the volatile threat environment, recent losses and insurers’ immature commitment, a new wave of cyber attacks this year would have significant effects on the insurance industry. If insurers believe that CBEST is not yet established enough, they could look at other options from the cyber security industry that they could ask policyholders to implement in exchange for reduced premiums or increased cover, such as cyber security awareness training or security controls assessments.
The excuse given by insurers is that the dangers are exceedingly intricate, highly erratic and variable: the security risks of using technology change along with the technology itself. The widespread adoption of remote work and the cloud exposed numerous security flaws that hackers gladly exploited. True as that is, if insurers understood that they could be part of the solution, and that being part of the solution would make them more profitable, then things would change for the better.
If insurers want to be part of the solution, they must adapt, and they can do this by embracing the frameworks set out by regulators and by working with the cyber security industry. If they do not adapt, the market will adapt, and it will be at the expense of the insurers.
The present
Why this is important, and why I have brought this to your attention, is that I have been working with a client to attempt fund retrieval following a hack for which they are insured. Yet the insurer has refused the claim based on the exemption that the hack utilised electronic communication, that would be email, and according to this insurer they exempt any hacking claim that involves email!
When asked what hacking attempts they do not exempt, the insurer replied