Lloyd's of London wrote the first cyber insurance policy in 1999, and the product has since grown into an $8 billion market in the US alone, a fact that is either a blessing or a curse depending on whom you ask. The problem for the industry has been the rise of ransomware as a business and the degree to which it has gotten out of hand over the past few years. Our society has become accustomed to paying ransoms, and paying contributes to the profitability and proliferation of cybercrime: it rewards the attackers, encourages more attacks, and drives more clients to need policies.
Cyber security has long been treated as a discretionary expense and the first place to look for budget cuts, because it neither generates revenue nor cuts costs. Compared with their larger brethren, small organizations lack the scale to allocate the funding or personnel needed for a proper defense. Attacks on smaller organizations rarely attract the attention of the public, law enforcement or government policymakers. Combine that with the fact that cyber policies make access to ransom funds a non-issue, and smaller organizations suddenly become cash-rich victims and the easiest targets of opportunity.
While the average policy payout from a breach was $4.2M for 2020, and there is a correlation between the size of an organization and the payout, that correlation is neither proportional nor absolute. Organizations with over 25,000 employees paid an average of $5.53M; that figure drops to $4.09M for organizations of 1,000-5,000 employees and again to $2.63M for those of 500-1,000. However, it was surprisingly higher for organizations with fewer than 500 employees, who paid $2.98M on average [1].
Cyber insurance has proven an excellent way to transfer risk to the insurer and create a financial safety net in the event of a breach, covering costs associated with lost revenue, incident response, systems recovery, legal fees, ransom payments, and so on. Cybercriminals are aware of these available funds, of the business requirements that drive you to carry a policy, and of the typical dynamics between policyholder and insurer. So far, those dynamics have overwhelmingly favored paying the ransom over taking a hard line and absorbing the hard-to-predict financial impact of that decision [2].
Messaging is mixed: policyholders say the decision to pay is up to the insurance provider, while the insurance industry says it is the client's. In practice, paying the ransom is considered far cheaper than attempting to restore operations while absorbing business losses, which the insurer is also on the hook to cover. For the client it looks like a great model: acquire a policy and transfer the risk to the insurer. The downside is that the recent proliferation of breaches has caused many insurers to re-evaluate the market.
Writing cyber policies has for a long time been good business. In 2018 the loss ratio in the U.S. was 35%, meaning that for every dollar of premium the insurance companies took in, they paid out $0.35. For comparison, the mature property and casualty market has a loss ratio of 62%. Current data is causing the industry some concern: cyber policy loss ratios increased to 44.6% in 2019 and rose again to 66.9% for 2020, per public data from the NAIC [3]. Figures for 2021 have not yet been published.
As a result, insurers are scrambling to restore some normalcy to the business: premiums are on the rise, limits are being reduced, contract language is being tightened, exclusions are being added, some insurers are vacating the market, and all that remain are establishing minimum cyber security prerequisites to better protect the insured operation and thereby reduce risk.
The security industry has long been aware of the basic mechanisms, the NIST frameworks being a case in point, but, as noted above, budgets almost always worked against them. The insurance industry has now become a proponent of these mechanisms because it has experienced a simple truth: breach costs decrease as the maturity of the cyber security posture increases.
Defining which parameters equate to a mature cyber security program can lead to a never-ending debate, but the insurance industry has identified a few that, if followed, reduce the apparent risk.
Environments with a mature zero trust architecture exhibited breach costs of $3.28M, versus $5.04M for those without one [1]. Zero trust is defined as an approach that assumes the network and its identities have already been compromised, and that relies on tools, AI and analytics to continuously validate connections between users, data and resources. Multifactor authentication (MFA) is the most basic application of this approach. It is relatively easy to deploy, and its cost to implement and maintain is easy to predict. As a result, MFA has become a prerequisite of every cyber policy we have observed since mid-2021.
Security AI and automation reduced average breach costs to $2.9M from $6.71M, an 80% differential and the largest cost-reducing factor found. Yet only 65% of organizations were using these technologies in 2021, up from 59% in 2020 [1]. Security AI and automation are security technologies that augment or replace human intervention in the identification and containment of incidents and intrusion attempts.
On average, organizations operate 34 security tools, which can easily overwhelm any security team trying to tune them, respond to their alerts and correlate their telemetry in order to understand what is occurring within the environment. Small and large organizations alike are turning to SaaS providers offering managed SIEM, SOAR, XDR, MDR and EDR to relieve themselves of maintaining the necessary infrastructure and domain expertise. They can then take direct feeds from these aggregation tools, or direction from these "managed" services, to better secure their environments.
The use of encryption was the third highest mitigating factor, with organizations employing a high standard of encryption reducing the average cost of a breach from $4.87M to $3.62M [1]. This took the form of both network encryption and encryption of data at rest. While a breach may still occur, the exfiltration of encrypted data has significantly fewer ramifications for the business and far smaller penalties from regulatory bodies. Ransomware may still be a factor in regaining access to your data, but the attacker's ability to extort funds by threatening to release that data to the public, with the business and reputational damage that entails, is greatly reduced.
While 2021 saw MFA become a common cyber insurance prerequisite, the industry is learning that it has the leverage to force practices that reduce both its own risk and that of its customers. It also has the data points to know which best practices to push next. MFA is a rather quick technology to deploy, and we helped several clients at the end of 2021 fulfill this obligation to maintain coverage. However, some of the follow-on practices will require more preparation. Becoming aware of what they are and having a plan in place is your best course of action.
- [1] IBM, Cost of a Data Breach Report 2021 – https://www.ibm.com/security/data-breach
- [3] NAIC, Report on the Cyber Security Insurance Market – https://content.naic.org/sites/default/files/index-cmte-c-Cyber_Supplement_2020_Report.pdf
Contact us today if you would like to discuss how Focus Technology is able to help in your efforts.