Cyber insurance is the fastest-growing sector of the world’s insurance markets. But a recent increase in ransomware attacks and business email compromises has led to a sharp uptick in claims, resulting in significant losses for cyber insurers and increased premiums. Cyber insurance customers need a way to increase their cyber resilience, reduce premiums, and improve their cyber postures.
3 New Cyber Insurance Trends
At the recent St. John’s Insurance Regulatory Conference, we had the honor of sharing some of the key trends that are shaping the future of the cyber insurance industry:
1. Metrics matter
When it comes to cybersecurity, there’s been some resistance around measurement and cyber metrics. But this has changed. The success of cyber insurance is tied directly to a new methodology to accurately measure risk in real time because the nature of cyber risk is constantly changing. By working with cyber insurers to align on this risk, insured organizations will be better able to get ahead of threats, obtain policies that meet their unique needs, and reduce claims, thereby providing a dual benefit to enterprises and carriers alike.
Security ratings are critical factors relied upon by the cyber insurance industry in assessing cyber risk. Cybersecurity ratings offer insurance companies the capability to accurately and rapidly provide quotes and manage their risk exposure while offering customers the opportunity to manage and improve their security posture. For the last ten years, companies such as SecurityScorecard have offered cybersecurity ratings and scores that use continuous, external scanning to provide an outside-in view of risk in this constantly shifting landscape. Our recent report with the Marsh McLennan Global Cyber Risk Analytics Center looked at how cybersecurity ratings correlate with reduced cyber insurance risk and found seven factors that have predictive power for a breach, including endpoint security, patching cadence, network security, and more.
2. Supply Chain
While businesses can implement robust cybersecurity measures internally, they often depend on third-party vendors, suppliers, and partners to support their operations. That interdependency is only increasing in our global economy. These external entities can introduce additional risks into the supply chain, making it crucial to evaluate and manage third-party cyber risks effectively. It’s estimated that 65% of organizations don’t know which third parties can access their most sensitive data. Furthermore, 51% of organizations have experienced a breach due to a third party.
To effectively address third-party risks in your supply chain and ensure comprehensive cyber insurance coverage, your organization should consider the following:
- Conduct a thorough risk assessment of third-party vendors’ security practices, including their cybersecurity policies, incident response capabilities, and compliance with industry standards and regulations.
- Establish clear contractual agreements that outline security responsibilities, liability, breach notification requirements, and indemnification clauses for both parties.
- Cyber insurance review: when evaluating cyber insurance policies, assess the extent of coverage for third-party incidents and liabilities. Ensure that the policy aligns with the specific risks associated with third-party relationships. Further, ask your partners questions about any cyber insurance they may carry.
- Regularly monitor and evaluate the security posture of your third-party vendors to identify any changes or vulnerabilities that may impact your organization’s overall risk profile.
Historically, governments around the world have tried to combat cyber threats through incentive programs. These incentives have not moved the needle, so government organizations are now beginning to regulate cybersecurity. Regulations drive compliance, and that is why the future looks bright. For example:
- The New York State Department of Financial Services (NYDFS) now has 40+ examiners and cybersecurity staff monitoring 3000+ institutions, tracking threat actors and ransomware groups. They are collaborating with monitored entities to remediate vulnerabilities.
- The Digital Operational Resilience Act (DORA) is a new European framework that embeds a more robust and resilient approach to delivering digital capabilities in financial markets. This framework shifts the focus from guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through severe operational disruption caused by cybersecurity and information and communication technology (ICT) issues.
- The U.S. Securities and Exchange Commission (SEC) has released a set of new rules requiring publicly traded companies to disclose whether their entire board, specific board members, or a committee are responsible for cybersecurity. This includes informing the board about cybersecurity risks, how frequently this topic is discussed, and how the board considers these risks as part of its broader business and risk management strategy. These regulations highlight the importance for executive boards to handle cybersecurity risks like any other material business risk.
The Future of Cyber Insurance
With the Biden Administration’s release of its National Cybersecurity Strategy, multiple sectoral risk management agencies have already begun implementing new requirements to measure, report, and manage third-party risk. In Europe, the evolving Cybersecurity Resilience Act will require providers to document product vulnerabilities. In France, a new cyberscore law will require Internet-facing platform companies to disclose “report cards” on cyber resiliency based on third-party audits of systems and processes.
The move towards metrics, regulations, and securing the supply chain all point to a future with greater cyber resilience, one where all stakeholders benefit by improving their individual cybersecurity health for the sake of the greater good. With a more transparent and measurable view of cyber risk, the cyber insurance industry as a whole can move toward a more sustainable and resilient future. To learn more about how to secure your organization and measure your cyber risk, visit securityscorecard.com and get your free score now.