Here’s what your organization needs to know about cyber insurance

• Losses from cybercrime are expected to rise from $8.44 trillion in 2022 to approximately $11 trillion in 2023.The challenge facing insurance companies is quantifying the risk and complexity of measuring the cascading impact of a cyber attack.Despite the increasing complexity in cyber insurance and rapidly evolving cyber threats, security leaders can minimize and even simplify risk assessments by focusing on four core areas.

Currently, 4.7 million experts worldwide work in the cybersecurity field trying to limit the global costs of cybercrime. Losses from cybercrime are expected to surge in the next five years, rising from $8.44 trillion in 2022 to approximately $11 trillion in 2023 and potentially reaching approximately $24 trillion by 2027.Insurers provide cybersecurity recommendations and the insured look to insurers to understand the insurance needs. As such, it is critical to close the gap in both the insurers’ technical cybersecurity knowledge and their knowledge of how the insured’s organization is structured digitally to understand what is already deployed and what else is needed to increase security.

In addition, how these recommended technologies are implemented is often not monitored in an ongoing way, which means the security of critical assets may not be continuous. Many insurance company claims teams are utilizing high volume digital forensic firms that, as a result, aren’t necessarily imaging all of the evidence in a case. The ramifications of the gaps created by this high volume digital forensics scheme have yet to be seen in this rapidly changing space. Cybercrime has continued to rapidly increase in 2023 and cyber insurance cost increases have kept pace. According to a recent study of 3,000 cybersecurity and IT professionals, 95% of organizations that purchased a cyber insurance policy in the last year reported a direct impact of this trend on their cyber coverage:

• 60% said it impacted their ability to get coverage;62% said it impacted the cost of their coverage;and 28% said it impacted the terms of their policy.

While cyber insurance is a critical component of a risk-loss management strategy, the cost benefit is becoming more difficult to analyse owing to continued cyberattacks and increasing premiums. As the cost of premiums increase and organizations learn to implement better system backups, some have opted to invest more heavily in system recovery procedures over cyber insurance.

In addition to rising rates, insurers have introduced exclusion clauses into policies in an effort to minimize risk exposure. In the past two years, many cyber insurers have focused on potentially catastrophic cyber risk, including fallout from geopolitical conflicts and corresponding nation state activity. For example, Lloyd’s of London mandated new war exclusion wording, while Marsh continues to question insurers on clients’ behalf regarding their approach to war and cyber catastrophic risk.The challenge facing insurance companies is quantifying the risk and complexity of measuring the cascading impact of a cyber attack. This monumental task is complicated by a rapidly evolving threat landscape. Without continuous monitoring and reassessments to analyse the insured’s internal environment, the risk quantification is considered static and difficult to predictably rely on.Several IR cases point to Fortune 1000 organizations with eight-figure cybersecurity budgets that get compromised owing to poor implementation of tools and the lack of a critical asset inventory. Furthermore, appropriate internal and third-party access control continues to be a challenge for all organizations and something that cannot be surfaced by questionnaires and control checklists.

While these advances can improve internal risk management, they rely on detailed, reliable and continuous data. There is often a gap between the quality and quantity of information available to the insurers and the insured. Consequently, questionnaires are becoming more lengthy and complicated for potential insureds to fill out, often muddling the understanding of the final cyber coverage for the insured.

Organizations can minimize and even simplify risk assessments by focusing on four core areas. These can be summarized in four core questions that will be asked by the IR team in the event of a breach:

What type of firewall is being used?

Despite the increasing complexity in cyber insurance and rapidly emerging and changing cyber threats, addressing these questions can help security leaders and cyber insurance providers alike bridge the knowledge gap