Cyber Insurance and the Changing Global Risk Environment

When security fails, cyber insurance can become crucial for ensuring continuity.

Cyber has changed everything around us – even the way we tackle geopolitical crisis and conflicts. When
Einstein was asked what a war will look like in the future, he couldn’t have predicted the importance of
digital technology for modern societies.

According to a report by IDC, by the end of 2022, nearly 65% of the global GDP will be digitized — reliant on a digital system of some kind. This shift to digital technology has created a new class of digital risks that are constantly evolving and strike faster and often with more severity than traditional risks. The events of the past two years have made this shift clear: from ransomware attacks to the challenges of managing distributed workforces, digital risk is different.

Our reliance on digital technology and the inherited risk is a key driving factor for buying cyber risk insurance. If the technology were to become unavailable, the resulting business impact could be mitigated with cyber insurance. Even if businesses invest in cybersecurity protections, as they increasingly do, security controls are not impenetrable. When security fails, cyber insurance can become crucial for ensuring continuity.

While traditional insurance has served mainly as a hedge against loss only after an incident, insurance designed for the digital economy needs to look at risk from a different angle, providing value before, during, and after an incident that could lead to a loss. This is essential for all businesses, as the analysis of security incidents that led to claims during 2021 reveals.

• Ransom demands continue to increase. The ransomware business model has begun to mature, and the average ransom demand has increased by 20%.
• The frequency of other attack techniques also rose as hackers expanded to new tactics. This heralds an era of omnidirectional threat. While ransomware may be the most newsworthy, no attack vector can be ignored.
• Small businesses are disproportionately impacted. As attacks become increasingly automated, it has become easier and more profitable for criminals to target small organizations.

“We are noticing a drastic increase in both likelihood and severity of all types of cyber-attack,” says Isaac Guasch, cyber security specialist at Tokyo Marine HCC International. “Whether you are a small independent business or a large, international organization, the increasingly interconnected nature of the businesses that form our economies, is a key threat. Even if you are confident that your cyber security measures are up to date, those of your partners may not be, so you may need to constantly redefine your perimeter,” Guasch adds.

Evolving global risk environment alters the cyber insurance landscape

However, not all risks are technology-related. Businesses operate in a hyper-connected environment where turbulences in one part of the world may have dire consequences in many remote markets. Geopolitical conflicts, societal upheavals, and financial cracks may put the stability of the business environment in question.

As digital technology and interconnectedness blur the boundaries with the physical world, it also becomes more difficult to calculate risk and set premiums. However, it is true that in times of global crisis, premiums do increase. For example, the Council of Insurance Agents & Brokers reported in March 2022 an average premium increase of 34.3% for cyber, marking the first time an increase of this magnitude is recorded since the events of 9/11.

As the global risk environment evolves and changes almost every day, the insurance industry needs to evolve as well. This level of evolution should not only cover cyber insurance but other forms of “traditional” insurance. For example, what happens if a facility is damaged or even destroyed because of a cybersecurity incident targeting a connected IoT device? What is the level of risk that each connected OT device exposes critical infrastructure to?

“With respect to insurance, cyber-attacks are not just affecting cyber liability policies. They are affecting many, if not all policies that are carried by a company,” Rick Toland, executive vice president at Waters Insurance Network, told Industrial Cyber. “Further, it is difficult to quantify where the cyber loss begins, and the property, automobile, GL, pollution or other policy begins and how the financial responsibility of each insurer will be allocated to pay the resulting loss,” Toland added.

Cyber insurance is not a panacea

Within a flux financial, technological, and geopolitical environment, many businesses, especially small-and-medium ones, tend to rely heavily on cyber insurers for answers to their cybersecurity posture challenges. However, buying cyber insurance cannot become the answer to all their security problems.

Instead, businesses can partner with an experienced managed security services company to guide and counsel them through the actions and best practices that can undertake now to better protect themselves against cyberthreats. Shaping a proactive and holistic cybersecurity strategy will better equip businesses in the event they need to submit a claim for losses or damages resulting from a ransomware attack or similar malicious activity.

Above all, it comes down to the basics. Organizations should start by analyzing the security controls they have in place to ensure adherence to guidelines developed by agencies like CISA, FBI, and ENISA, including multifactor authentication, employing antivirus and anti-malware scanning, enabling strong spam filters, updating software, and segmenting networks. Either way, failure to implement basic cyber hygiene measures is a no-go for buying cyber insurance.

About the author: Viral Trivedi

Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, strategic accounts, and customer relationship management. He specializes in all aspects of managed security services, in both hands-on, and advisory roles.  Viral has also held executive and senior management positions with small, and large organizations, and is also a Smart Cities & Critical Infrastructure Professional, as well as an active member of Infragard.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, cyber insurance)

[adrotate banner=”5″]

[adrotate banner=”13″]