Aug 26 2023

Cybersecurity insurance is missing the risk

Category: Cyber Insurance,Information Securitydisc7 @ 11:27 am
Cybersecurity insurance is missing the risk

The cybersecurity insurance sector is experiencing swift expansion, with its value surging from around $13 billion in 2022 to a projected $84 billion by 2030, reflecting a robust 26% compound annual growth rate (CAGR). However, insurance providers are encountering challenges when it comes to accurately assessing the potential hazards associated with providing coverage for this category of risk.

Conventional actuarial models are ill-suited for an arena where exceptionally driven, innovative, and astute attackers are actively engaged in orchestrating events that lead to insurable incidents. Precisely gauging potential losses holds utmost importance in establishing customer premiums. However, despite a span of twenty years, there exists a substantial variance in loss ratios across insurance providers, ranging from a deficit of 0.5% to a surplus of 130.6%. The underwriting procedures lack the necessary robustness to effectively appraise these losses and set premiums that reflect a reasonable pricing.

Why is the insurance industry struggling with this?

The problem is with the nature of the threat. Cyber attackers escalate and adapt quickly, which undermines the historical-based models that insurance companies rely on. Attackers are continually shifting their maneuvers that identify victims, cause increasing loss, and rapidly shift to new areas of impact.

Denial of service attacks were once popular but were superseded by data breaches, which cause much more damage. Recently, attackers expanded their repertoire to include ransomware-style attacks that increased the insurable losses ever higher.

Trying to predict the cornerstone metrics for actuary modelers – the Annual Loss Expectancy and Annual Rate of Occurrence – with a high degree of accuracy is beyond the current capabilities of insurers. The industry currently conducts assessments for new clients to understand their cybersecurity posture to determine if they are insurable, what should be included/excluded from policies, and to calculate premiums. The current process is to weigh controls against best practices or peers to estimate the security posture of a policyholder.

However, these rudimentary practices are not delivering the necessary level of predictive accuracy.

The loss ratio for insurance firms has been volatile, in a world where getting the analysis wrong can be catastrophic. Variances and unpredictability make insurers nervous. At maximum, they want a 70% loss ratio to cover their payouts and expenses and, according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve the desired loss ratio.

In response to failures to predict claims, insurers have been raising premiums to cover the risk gap. In Q4 2021 the renewals for premiums were up a staggering 34%. In Q4 2022 premiums continued to rise an additional 15%.

There are concerns that many customers will be priced out of the market and the insurance industry and left without a means of transferring risk. To the detriment of insurers, the companies may make their products so expensive that they undermine the tremendous market-growth opportunity. Additionally, upper limits for insurability and various exception clauses are being instituted, which diminish the overall value proposition for customers.

The next generation of cyber insurance

What is needed are better tools to predict cyber attacks and estimate losses. The current army of insurance actuaries has not delivered, but there is hope. It comes from the cyber risk community that looks to manage these ambiguous and chaotic risks by avoiding and minimizing losses.

These cybersecurity experts are motivated by optimizing limited resources to prevent or quickly undermine attacks. As part of that continuous exercise, there are opportunities to apply best practices to the insurance model to identify the most relevant aspects that include defensive postures (technology, behaviors, and processes) and understanding the relevant threat actors (targets, capabilities, and methods) to determine the residual risks.

The goal would be to develop a unified standard for qualifying for cyber insurance that would adapt to the rapid changes in the cyber landscape. More accurate methodologies will improve assessments to reduce insurers’ ambiguity so they may competitively price their offerings.

In the future, such calculations will be continuous and showcase how a company will benefit by properly managing security in alignment with shifting threats. This should bring down overall premium costs.

The next generation of cyber insurance will rise on the foundations of new risk analysis methodologies to be more accurate and sustain the mutual benefits offered by the insurance industry.

The Cyber Insurance Imperative, 2nd Edition: Updated for Today’s Challenging Risk Landscape

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: Cyber Insurance

Jun 27 2023

How cyber insurance empowers CISOs

Category: CISO,Cyber Insurancedisc7 @ 3:41 pm
How cyber insurance empowers CISOs

The Cyber Insurance Imperative, 2nd Edition: Updated for Today’s Challenging Risk Landscape

InfoSec tools | InfoSec services | InfoSec books

Tags: Cyber Insurance

Aug 09 2022

Buying Cyber Insurance Gets Trickier as Attacks Proliferate, Costs Rise

Category: Cyber InsuranceDISC @ 11:00 pm

Security chiefs should shop early for coverage and prepare for long questionnaires about their companies’ cyber defenses, industry professionals say


Insurers are scrutinizing prospective clients’ cybersecurity practices more closely than in past years, when underwriting was less strict.
PHOTO: GETTY IMAGES/ISTOCKPHOTO

For many businesses, obtaining or renewing cyber insurance has become expensive and arduous.

The price of cyber insurance has soared in the past year amid a rise in ransomware hacks and other cyberattacks. Given these realities, insurers are taking a harder line before renewing or granting new or additional coverage. They are asking for more in-depth information about companies’ cyber policies and procedures, and businesses that can’t satisfy this greater level of scrutiny could face higher premiums, be offered limited coverage or be refused coverage altogether, industry professionals said.

“Underwriting scrutiny has really tightened up over the past 18 months or so,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.

In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos.

Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms. Analysts attribute the increase primarily to higher rates, as opposed to insurers significantly expanding coverage limits.

Companies buying insurance are subject to tight scrutiny of internal cyber practices. This is different from past years, when carriers poured into the cyber market and competition produced less-stringent underwriting, Ms. Selby said.

Now, insurers aiming to limit their risk are putting corporate security chiefs through lengthy lists of questions about how they defend their companies, said Chris Castaldo, chief information security officer at Crossbeam Inc., a Philadelphia-based tech firm that helps companies find new business partners and customers.

“Prior to the questionnaires, you just gave them the coverage amount you wanted and the industry you were in, and that was it,” Mr. Castaldo said, referring to interactions with cyber insurers.

Discover Financial Services has a third party validate the robustness of its cybersecurity program, which helps with insurance, said CISO Shaun Khalfan. “Insurers want to have confidence that you are making the right investments and are building and maintaining a robust cybersecurity program,” Mr. Khalfan said.

Some of the questions insurers ask—and the level of detail required—can depend on the carrier, the size and type of the business seeking coverage and the amount of coverage desired.

Around 18 months ago, underwriters asked companies whether they required multifactor authentication when administrators accessed their system, said Tom Reagan, cyber practice leader in Marsh McLennan’s financial and professional products specialty practice. Today there’s an expectation that multifactor authentication is used throughout the organization, not just by administrators, he said.

Insurers also expect organizations to have planned and tested for a cyber event, such as through tabletop exercises, Mr. Reagan said: “They are not just interested in your smoke alarms, they want to hear about the fire drills.”

Carriers want to know what kind of backup plans companies have if a ransomware attack strikes and how those plans are tested. Insurers also diving deeper into whether a company’s networks are segregated to limit the spread of malware, Ms. Selby said. Other important criteria some insurers consider, she said, include endpoint protection, or monitoring and protecting devices against cyber threats, and incident-response exercises.

Some companies will need to work with more carriers than in the past to get the desired level of coverage because no single insurer wants to carry so much risk, Ms. Selby said.

Amid the changing landscape, Mr. Reagan recommended that companies start to re-evaluate their cyber-insurance needs as early as six months before a policy comes up for renewal. Starting earlier to identify possible holes allows businesses to make changes to their cyber defenses, if necessary, and gather information that carriers require, he said.

https://www.wsj.com/articles/buying-cyber-insurance-gets-trickier-as-attacks-proliferate-costs-rise-11659951000?tpl=cs

Demystifying Cyber Insurance

Tags: Cyber Insurance

Apr 22 2022

Cyber Insurance and the Changing Global Risk Environment

Category: Cyber InsuranceDISC @ 8:38 am
Cyber Insurance and the Changing Global Risk Environment

When security fails, cyber insurance can become crucial for ensuring continuity.

Cyber has changed everything around us – even the way we tackle geopolitical crisis and conflicts. When
Einstein was asked what a war will look like in the future, he couldn’t have predicted the importance of
digital technology for modern societies.

According to a report by IDC, by the end of 2022, nearly 65% of the global GDP will be digitized — reliant on a digital system of some kind. This shift to digital technology has created a new class of digital risks that are constantly evolving and strike faster and often with more severity than traditional risks. The events of the past two years have made this shift clear: from ransomware attacks to the challenges of managing distributed workforces, digital risk is different.

Our reliance on digital technology and the inherited risk is a key driving factor for buying cyber risk insurance. If the technology were to become unavailable, the resulting business impact could be mitigated with cyber insurance. Even if businesses invest in cybersecurity protections, as they increasingly do, security controls are not impenetrable. When security fails, cyber insurance can become crucial for ensuring continuity.

While traditional insurance has served mainly as a hedge against loss only after an incident, insurance designed for the digital economy needs to look at risk from a different angle, providing value before, during, and after an incident that could lead to a loss. This is essential for all businesses, as the analysis of security incidents that led to claims during 2021 reveals.

  • Ransom demands continue to increase. The ransomware business model has begun to mature, and the average ransom demand has increased by 20%.
  • The frequency of other attack techniques also rose as hackers expanded to new tactics. This heralds an era of omnidirectional threat. While ransomware may be the most newsworthy, no attack vector can be ignored.
  • Small businesses are disproportionately impacted. As attacks become increasingly automated, it has become easier and more profitable for criminals to target small organizations.

“We are noticing a drastic increase in both likelihood and severity of all types of cyber-attack,” says Isaac Guasch, cyber security specialist at Tokyo Marine HCC International. “Whether you are a small independent business or a large, international organization, the increasingly interconnected nature of the businesses that form our economies, is a key threat. Even if you are confident that your cyber security measures are up to date, those of your partners may not be, so you may need to constantly redefine your perimeter,” Guasch adds.

Evolving global risk environment alters the cyber insurance landscape

However, not all risks are technology-related. Businesses operate in a hyper-connected environment where turbulences in one part of the world may have dire consequences in many remote markets. Geopolitical conflicts, societal upheavals, and financial cracks may put the stability of the business environment in question.

As digital technology and interconnectedness blur the boundaries with the physical world, it also becomes more difficult to calculate risk and set premiums. However, it is true that in times of global crisis, premiums do increase. For example, the Council of Insurance Agents & Brokers reported in March 2022 an average premium increase of 34.3% for cyber, marking the first time an increase of this magnitude is recorded since the events of 9/11.

As the global risk environment evolves and changes almost every day, the insurance industry needs to evolve as well. This level of evolution should not only cover cyber insurance but other forms of “traditional” insurance. For example, what happens if a facility is damaged or even destroyed because of a cybersecurity incident targeting a connected IoT device? What is the level of risk that each connected OT device exposes critical infrastructure to?

“With respect to insurance, cyber-attacks are not just affecting cyber liability policies. They are affecting many, if not all policies that are carried by a company,” Rick Toland, executive vice president at Waters Insurance Network, told Industrial Cyber. “Further, it is difficult to quantify where the cyber loss begins, and the property, automobile, GL, pollution or other policy begins and how the financial responsibility of each insurer will be allocated to pay the resulting loss,” Toland added.

Cyber insurance is not a panacea

Within a flux financial, technological, and geopolitical environment, many businesses, especially small-and-medium ones, tend to rely heavily on cyber insurers for answers to their cybersecurity posture challenges. However, buying cyber insurance cannot become the answer to all their security problems.

Instead, businesses can partner with an experienced managed security services company to guide and counsel them through the actions and best practices that can undertake now to better protect themselves against cyberthreats. Shaping a proactive and holistic cybersecurity strategy will better equip businesses in the event they need to submit a claim for losses or damages resulting from a ransomware attack or similar malicious activity.

Above all, it comes down to the basics. Organizations should start by analyzing the security controls they have in place to ensure adherence to guidelines developed by agencies like CISA, FBI, and ENISA, including multifactor authentication, employing antivirus and anti-malware scanning, enabling strong spam filters, updating software, and segmenting networks. Either way, failure to implement basic cyber hygiene measures is a no-go for buying cyber insurance.

About the author: Viral Trivedi

Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, strategic accounts, and customer relationship management. He specializes in all aspects of managed security services, in both hands-on, and advisory roles.  Viral has also held executive and senior management positions with small, and large organizations, and is also a Smart Cities & Critical Infrastructure Professional, as well as an active member of Infragard.

cyber insurance

Embracing Risk: Cyber Insurance as an Incentive Mechanism for Cybersecurity

👇 Please Follow our LI page…


DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Tags: Cyber Insurance, Global Risk Environment

May 11 2021

Significance of risk management in cyber insurance to determine premium

Category: Cyber InsuranceDISC @ 3:33 pm

By DISC InfoSec

The limited availability of data on cyber incidents has made it difficult to develop full probabilistic models for use in pricing cyber insurance cover. While a few insurance companies, brokers and other companies have developed pricing models that provide quantifiable probabilistic estimates of potential losses based on Fair methodology, the vast majority of insurers still continue to use scenario-based approaches for estimating the potential frequency and severity of cyber incidents. Assessments of frequency and severity are usually based on publicly available data on past incidents. There are a few commercial companies that collect and market data on past incidents.

The insurability of a given risk is usually economically viable only where Risks must be quantifiable: the probability of occurrence of a given peril, its severity and its impact in terms of damages and losses must be assessable.

In the case of data confidentiality breaches, data on past breaches provides insurance companies with a basis to assess the level of risk based on different company characteristics and estimate the per record cost of a breach. Therefore, part of the underwriting process involves understanding the business activities and number and types of information records held by the company. Given the longer experience with data breach notification laws and the more developed stand-alone cyber insurance market, much of the available data is based on experience in the United States.

Insurance companies also focus significant attention on the company’s security practices and policies, depending on company size and amount of coverage being sought. For smaller companies/coverage amounts, the underwriting process will focus on basic cyber security practices such as use of a firewall, anti-virus/malware software and data encryption, as well as frequency of data backups and use of intrusion detection tools. In some cases, applications may ask about compliance with specific standards, such as the International Organization for Standardization standard on Information Security (ISO/IEC 27001); the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; or the UK Cyber Essentials. Companies that hold payment card information might also be asked about their compliance with the PCI Data Security Standard while US companies with health records might be asked about their compliance with Health Insurance Portability and Accountability Act security requirements. Some stand-alone cyber insurance applications also request information on plans and policies, such as data protection policies, network access policies, internal auditing policies, disaster recovery plans, etc., as well as governance processes in place for those policies. Larger companies would face additional scrutiny, potentially involving on-site interviews, security audits and/or penetration testing. Risk and vulnerability assessments by external security consultants are offered by some companies as an additional service included as part of the insurance policy.

Insurance companies use the information gathered through the underwriting process to determine premium levels or deny the coverage. Some insurers may also establish minimum security standards that must be maintained through the coverage period in order for coverage to be maintained or sustained, such as timely patching of vulnerabilities and/or other software updates.

Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Cyber insurance purchased by an insured (first party) from an insurer (the second party) for protection against the claims of another (the third party). The first party is responsible for its own damages or losses whether caused by itself or the third party.

Cyber insurance may offer services products and countermeasures to protect business from known and unknown risks. There are now mandatory breach notification state laws (in many states) and regulation (HIPAA) which require breach notification. In services area cyber insurance may help organization to cover the cost of notifications and sometime may notify on behalf of an organization. The breach notification service may be necessary for SMB’s to acquire due to lack of necessary in-house resources. Depending on your business, few other items you may want to consider under cyber insurance are data restoration cost, payment of ransom, identity theft protection and reissuing of cards, potential downtime due to DDoS and potential regulatory fines.

How does a second party, an insurance company determine that first party premium (an amount to be paid for an insurance policy) and even decide that first party is insurable. The insurance company will look at organization’s security posture maturity based on industry standards and regulations (ISO, NIST, CSC, CSF) and determine if their Security Program is worthy of cyber insurance. Based on the existing security posture of an organization the second party will determine the risk they are willing to take and first party will determine the cost they are willing to pay for the premium. In the some cases insured might be able to absorb losses of the breach which were not covered by insurance but for some SMB’s these losses may be business limiting.

A point–in-time evaluation of an organization’s information security posture in constantly evolving, threat landscape only increases the challenge of insurance company to determine the first party premium. The insurance company may require a continuous feed to an organization security posture dash board which may also include but not limited to monitoring of security incident response on regular basis. Before making a decision on cyber insurance premium, an insurance company should utilize an in-house expertise or collaborate with InfoSec consulting organization to evaluate the frequency and severity of cyber threats facing an organization information security management system.

At end of the day, cyber insurance is a proactive security measure to counter potential data breaches and network security failures. Routinely, organizations are willing to spend money on security initiatives after the breach which is reactive action. Proactive security measures such as (developing sound security policies, compulsory cloud security, continuous monitoring, strong security awareness, effective BCP, proactive patching, resilient incident response plan…) may help not only to reduce the overall risk landscape but can assist in lowering the cyber insurance premium.

Proactive information security program which include but not limited to the basic cybersecurity measures may require acquiring cyber insurance. Insured organization (first party) may need to keep up with the basic cyber security measures to prevent voiding the coverage. When a functional and operational information security program which has a clear definition of an organization risk threshold becomes a priority, it can minimize potential risk of security breach and should be able to absorb losses for future security breach with cyber insurance as a part of risk management strategy.

DISC InfoSec assist in acquiring the cyber insurance which is aligned with business objectives and based on organization risk threshold. Before coverage is issued by the underwriter, in some cases, organization is asked to mitigate some risks to lower the premium. DISC InfoSec assist in compliance with standards, coverage inclusion/exclusion and risk mitigation process for organization acquiring cyber insurance.    

Cyberinsurers mandate multifactor authentication


Checkout our previous blog posts on cyber insurance

Cyber Insurance explained in a simple and joyful way.

Cyber Insurance

More Cyber Insurance titles:

Tags: Cyber Insurance, cyber insurance premium

Jul 27 2019

Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?

Category: Cyber InsuranceDISC @ 3:04 pm

Are war exclusion clauses fit for purpose under International Humanitarian Law as cyber-attacks?

When UK and US said it was Russia, they weren’t thinking of the litigators!
Among the victims was US food giant Mondelez – the parent firm of Oreo cookies and Cadburys chocolate – which is now suing insurance company Zurich American for denying a £76m claim filed in October 2018, a year after the NotPetya attack. According to the firm, the malware rendered 1,700 of its servers and 24,000 of its laptops permanently dysfunctional.

In January, Zurich rejected the claim, simply referring to a single policy exclusion which does not cover “hostile or warlike action in time of peace or war” by “government or sovereign power; the military, naval, or air force; or agent or authority”.

Source: Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?

What Does Cyber-Insurance Really Bring to the Table and…Are You Covered?




Cyber Insurance – an essential part of the risk mitigation strategy?




Enter your email address:

Delivered by FeedBurner




Tags: Cyber Insurance, Cyber Insurance exclusion

Dec 29 2016

Cyber Insurance – an essential part of risk mitigation strategy?

Category: Cyber InsuranceDISC @ 10:01 am

CyberInsurancepng

By Foundstone Services

Advancement of technology is deriving proliferation of threat landscape rapidly which extend attack vectors. With proliferation of automated tools available for cyber criminals; it’s not a matter of “if” but “when” there will be a security breach. There are two types of organizations in this category, those who’ve been hacked, and those who don’t know they have been hacked. The likelihood that your organization is next is not very unlikely. Is your organization prepared for a target of information security breach?

That will depend on if you have an operational Security Program which is functional enough to manage risk of a potential security breach. Now, the million-dollar question may be, is your Security Program resilient enough to sustain the risk and can it afford to absorb losses for future security breach. The security threats are evolving on daily basis and there are unknown threats like zero day threats where you need to add cyber insurance (which provides coverage from losses resulting from data breach or loss of confidential information) as a part of risk management strategy to tackle unnecessary disruptions to your business. As a part of risk management program, organizations regularly determine which risks to avoid, accept, control or transfer. This where transferring risk to cyber insurance take place and it can compensate for some residual risk.

Some may argue that they got liability insurance, which should cover security breach. Those days are behind us when organizations thought liability insurance were enough to cover the security breaches. Sony thought their general liability insurance covered them, but the court confirmed that policy did not have specific clauses to cover the security breach which was estimated $170M. Another highly publicized security breach of Target cost the retailer about $348M but the retailer had only $100M in cyber insurance coverage from multiple underwriters.

To read the remaining article…





Tags: Cyber Insurance

Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance,cyber security,CybercrimeDISC @ 11:07 am

Cyber Resilience

Cyber Resilience

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

RESILIA™ Cyber Resilience Best Practices

Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.

 

Target market

 

  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.

 

Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
RESILIA™ Cyber Resilience Best Practices

Related articles





Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002