Cyber Insurance: Could Rising Premiums be a Step in the Right Direction?
The perception of cybersecurity insurance and how it is used to support enterprises with business continuity has shifted significantly. Years ago, risk transference – transferring the risk of an impending cyberattack from an organisation onto its insurance company – often formed part of a reliable security strategy. This strategy was welcomed by insurers, who could previously quantify the risk of a data breach in a less volatile cyber environment.
However, as the cybercrime landscape has evolved and attacks have surged, the transference of this risk between organisations and their insurers has become something of a problem. Ransomware strains like WannaCry and NotPetya played a big role in raising awareness of how malware is evolving. As the industry looks back at these two pivotal attacks five years on, it seems that they signify the ‘beginning of the end’ for affordable premiums and wide-spanning policies. While the WannaCry worm was reported to be the single biggest driver for cyber insurance enquiries in the first half of 2017, NotPetya brought insurance policies into question. In particular, Zurich Insurance managed to avoid pay-outs by citing its “war exclusion” clause, protecting the company from reimbursing costs related to damage from war. Labelled as a ‘watershed moment’ for the insurance industry, NotPetya catalysed the implementation of more rigid clauses and rising premiums to protect insurance companies.
Since these attacks, ransomware and other forms of cybercrime have been on an exponential growth curve. Today, premiums are at an all-time high, as insurers are no longer able to comfortably quantify the risk of such a changeable and dangerous environment. In fact, reports have found that the price of cover in the UK grew by 92% in the fourth quarter of 2021 alone. For enterprises looking to ensure survival post-attack, this means an enforced implementation of better cyber hygiene in an attempt to drive down costs, which ultimately can and should be viewed as a step in the right direction.
The environment for rising premiums
There are a number of factors feeding into the rise in cyber insurance premiums, one of which is undoubtedly the political uncertainty in the wake of Russia’s invasion of Ukraine in February 2022. Tensions between the two countries have been long-standing and began to heighten, particularly in cyber terms, around eight years ago. Of the string of cyber-attacks launched against Ukraine since then, NotPetya has been the most devastating – labelled the “most economically damaging cyber-attack of all time”. The ransomware initially targeted Ukraine’s financial, energy and government sectors, but it quickly spread indiscriminately, causing billions in financial damage to western and even Russian organisations.
Considering Russia has again launched attacks on Ukraine, organisations around the world should be on high alert. As the former Chief of the National Cyber Security Centre (NCSC) has warned, we should be increasingly concerned about another NotPetya-style event and what a “spillover” from this could mean for the UK. For cyber insurers, the risk of attacks on government, large organisations and any smaller business linked within the supply chain is simply too high not to consider. Therefore, insurance premiums are inevitably sky-high.
NotPetya also marked the start of what can only be described as a ransomware crisis. Since then, breaches have led to fuel shortages and fears over food supply chains in the US, school closures in the UK and hospital disruption in Europe. The risk of ransomware is now not only critical, but also unpredictable. Operators are indiscriminate in who they target and, more often than not, are happy to go after any weak organisation – from large charities to small supply chain partners. It is therefore unsurprising that cyber insurance companies are both increasing coverage costs and being more selective about who they insure.
Are rising premiums a good thing?
It is important to ask the question of whether cyber insurance, as an industry, may be exacerbating the issue of ransomware. If cybercriminals are aware that their financial demands will be no real loss to organisations who can quickly claim it back, will they be incentivised to target those that are covered? It is a quick and easy win, considering that research has found organisations with insurance are twice as likely to pay ransoms compared to those without it. This may be why insurers are taciturn about exactly what and who they pay out for.
It is also possible that insurance has previously bred complacency and laziness within cybersecurity. Teams may have seen their insurance policy as their central security strategy and not recognised the value of proactive protection. Given the current climate, this will no longer be the case. Costs will continue to rise and cyberattacks will continue to increase. For businesses to even be considered by insurers, and to be able to afford the cover, they will be forced to improve their cyber hygiene and embrace a more security-focused culture. In this way, rising premiums can only be seen as a positive move that will lead to better security.
Securing cyber insurance
So, how do organisations demonstrate to insurers that they’re worth insuring at the lowest premium? Firstly, there needs to be a company-wide, top to bottom cultural shift that makes cybersecurity the responsibility of the entire team – not just the IT managers. This can start with education and training, conducted regularly and through phishing simulation that can test employees against the latest scams and feed back to insurers on how they’re performing.
Businesses must also be proactively and continuously detecting and mitigating threats on their network. For organisations that simply do not have the resources in-house for regular threat monitoring, but will still be a target for ransomware, working with a certified security partner is key. This is particularly pertinent considering the cyber skills gap that is making in-house hiring a huge challenge. With a security partner, organisations can benefit from access to greater expertise and resources, and draw on the aggregate value of cyber professionals with extensive knowledge of the cybersecurity landscape. An outsourced Security Operations Centre (SOC), in particular, can help protect businesses of all sizes with 24/7/365 threat monitoring and protection.
By demonstrating a security-first culture, with well-trained staff who can identify attacks, and by implementing tooling and outsourced support to detect threats to their network, a business will be in a far better position to secure cyber insurance. While insurers are simply not prepared for risk transference in the new era of ransomware and nation-state attacks, their stringent assessments of cyber hygiene may be what drives far better compliance in the coming years.