Cybersecurity Insurance: Why Enough is Rarely Enough
If the headline makes you wonder if I’ve become a pessimist (never!), the larger point is that modern cybersecurity is not a box you can simply check off. Just like any insurance policy we might purchase to protect our house or car, transferring risk is a tempting play for confidence. In that way, a cyber insurance policy might seem like a one and done. Not true.
The bad actors have a lot of channels to communicate with each other. They are not just “out there.” They could be sitting beside you at the next big cybersecurity conference. According to Interpol, there is an “unprecedented” surge in cybercrime with an attack happening every 39 seconds. Threats are constantly evolving, making cybersecurity a complex problem to solve at any one moment in time. Why is this?
Because technology is evolving too.
Emerging Technologies and Cybersecurity Insurance
Emerging technologies have long changed the way we work and play. They are, simply, the next new thing: the automobile in place of a horse and buggy or electricity instead of gas lighting. Emerging technologies, while undeniably useful, add new risks alongside rewards. Today’s emerging technologies are no exception.
For example, quantum computing poses a threat to commonly used encryption methodologies. Generative AI (GenAI) adds more complexity and allows bad actors to act faster due to the increase in attack surfaces. 5G networks, while deftly handling more devices and data, also introduce more potential security risks.
What do emerging technologies have to do with cyber insurance? There are 17 categories of security – from network security to APIs – with many subgroups underneath each one. A company must ask: Does the policy insure all 17 categories? What is qualified for coverage? What cybersecurity gaps exist? What is our company’s basic hygiene? What do we need to do before we buy insurance? Many nuances exist.
The need for cyber insurance is growing alongside today’s digital attacks.
Swiss Re, a reinsurance company based in Zurich, Switzerland, has published a comprehensive blog on cyber insurance entitled “Reality Check on the Future of the Cyber Insurance Market.” Its findings are based on the Swiss Re Cyber Data Lake representing around 70% of the global cyber insurance market.
According to research by the Swiss Re cyber team, the cyber market grew 32% annually from 2017 to 2022 (the same year I first wrote about Swiss Re) with double-digit rate hikes in cyber insurance in 2020 (remember, ransomware attacks surged at the start of this decade).
The growth of cyber insurance, however, has leveled off, and the Swiss Re cyber experts explore why and what this means for insurance companies in the future. Detailed charts show growth broken down by organic exposure growth and rate growth from 2017 to 2024.
The Board’s Perspective on Cybersecurity: Whose Problem Is It?
From a board perspective, cyber insurance is a way to transfer risk. Even if outsourced to a third-party risk management agency, someone internally still needs to guide the company. The decision point here is who that person is.
According to Gartner’s 2022 Gartner Board of Directors Survey, 88% of board members acknowledged that cybersecurity is a business risk (the remaining 12% called it a technology risk). Yet, a 2021 survey reveals that the chief technologist – CIO or chief information security officer (CISO), for example – “were held accountable for cybersecurity at 85% of organizations.”
If cybersecurity is a known business risk, but the business’s top leadership are not accountable, what does that say about outcomes? Large corporations, guided by a board of directors, can reduce organizational risk by prioritizing cybersecurity and better understanding coverage gaps based on risk exposure. Also, while I do believe many companies realize the importance of cybersecurity, I also believe that the budget allocated is not aligned with risk exposure. I get it. It’s hard to justify investing in something that doesn’t connect directly to a revenue lever. However, that’s the “gotcha” with any kind of insurance. If something goes wrong, your operation could be shut down, lose revenue, erode trust and threaten operational continuity.
In the large corporate sector, according to Swiss Re’s research, the opportunity is organic growth based on clients purchasing higher limits and tailored policies relative to risk exposure. I believe that the more educated boards and business leaders are on cybersecurity, the more resilient they will be.
Cyber Market Opportunities Going Forward
Earlier, I mentioned that having an automobile insurance policy provides confidence in the event something goes wrong. That policy alone, however, is not enough. In our teen years, we attend driving school. We earn the privilege of having a driver’s license. We get tested for our driving abilities and vision throughout the life of our driving careers. Same goes for cybersecurity.
A multi-faceted security approach includes putting the basics in place, knowing your risk exposure, making cybersecurity part of your operations and culture, holding leadership accountable and allocating budget toward cybersecurity efforts.
If the primary role of an insurance policy is to protect, then the insurer also bears responsibility. While Swiss Re findings reveal rate hikes earlier this decade largely hit big corporations, the real opportunity and need is with small to medium-size enterprise (SME) cyber insurance through clients purchasing new policies. (SMEs are defined as businesses with less than $100 million in annual revenues.) The Swiss Re cyber team found a huge cyber protection gap for small and medium-size businesses. This segment will need both education and resources to figure out how to approach both cybersecurity best practices and insurance coverage.
In addition to company size, one of Swiss Re’s detailed data charts shows the global cyber insurance market by region, with North America boasting 70% of the cyber insurance market.
Perhaps Swiss Re’s Head Cyber Specialty Reinsurance Dani Tobler summarizes it best. He says, "The cyber insurance market continues to present a compelling growth opportunity, outpacing other lines of business." Learn more in the article by the Swiss Re cyber team.
While we may never reach the upper limits of cybersecurity – and enough may never be enough – imagine if security was less of a business risk and more of a business asset. Swiss Re continues to reveal the path ahead. I’ll be watching Swiss Re to see how the cyber insurance market shapes up.
Should have Played Quidditch for England
19 hours ago
Shared on X
HIPAA and FTC Safeguards Rule Compliance Specialists | CyberSecurity | Managed IT Services | Networks | Data Recovery | Serving Small/Mid Size Enterprises and Medical Practices with Economical IT Solutions!
1 day ago
Excellent post, Helen Yu (We recently had a special event and discussion on this related subject, specifically the Cybersecurity Liability Insurance and Network Security/Protection Strategies - https://www.icucomputer.com/post/key-takeaways-from-our-discussion-on-cybersecurity-and-cyber-liability-insurance) Feel free to check out the takeaways in our BLOG section on ICU Computer Solutions website, and share it with your LinkedIn network if you wish. - Maui
Independent Environmental Services Professional
2 days ago
Interesting topic
Awesome, thanks!
--
2 days ago
Excellent article, Helen!