[Head Scratcher] The cyber insurance market is badly broken. But why exactly?



Greg Noone at the Techmonitor site covered this problem in early October 2022, starting with a horror story.

A company had carried cyber coverage for the past year with no claims, but during a routine scan a software vulnerability was discovered. They did not fix it in time. A new policy was proposed that would not cover ransomware. They signed it. Guess what happened a week later? Right. Here is a short extract, and further below a link to the site.

“I would be disingenuous if I told you that ransomware wasn’t a key factor in some of the headwinds that we’ve seen in the market with regards to pricing,” explains Bob Parisi, head of cyber solutions in North America for German reinsurance company Munich Re.

The first half of this year saw one cybersecurity vendor block 63 billion threats, a year-on-year rise of 50%, while cyber insurance costs shot up by 102% in the first quarter. Terms and conditions for coverage have also been tightened. Lloyds of London, for example, went as far as to eliminate coverage for breaches that arose directly from state-sponsored attacks, a sizeable portion of the overall damages accrued from ransomware. Its reasoning, according to the firm’s underwriting director Tony Chaudhry, was that policies shouldn’t “expose the market to systemic risks that syndicates could struggle to manage”.

Cyber insurance does not have a long history. The market itself, explains Mario Vitale, chief executive of cyber insurance provider Resilience, has only been around for about 15 years. “I have to say we are still within the infancy stage,” he says, a term that’s also relevant when describing the segment’s size.

“I think the insurers are still figuring out, ‘How confident are we in our ability to estimate and predict this risk?” says Josephine Wolff, a professor in cybersecurity policy at Tufts University and an expert in the cyber insurance market. Over time, adds the professor, this has led to a “less stable market… and also just a lot of uncertainty in which people aren’t confident about what their cyber insurance will cover.”

Ongoing volatility is making reinsurers nervous

Ongoing volatility in the cyber insurance market has also made reinsurers nervous about increasing their exposure to the space. These behemoths, explains Vitale, help to keep many of the frontline providers afloat. In recent years, however, they “have cut back on their coverage terms and conditions, just like these [cyber] insurers have done to their clients”, he says. Resilience’s answer to this problem, explains Vitale, has been to double down on closely liaising with clients to minimise their vulnerability to breaches as far as is humanly possible.

The process of drawing up cyber insurance policies is rigorous. It begins with an assessment of how well-equipped the client is to deal with a cybersecurity threat from a governance standpoint, explains Parisi. After that, he continues, providers typically drill down into the mundanities of cyber defence: whether multi-factor authentication is in place on corporate devices, how data is uploaded to the cloud, and the extent of security awareness training among staff.

This is the link to the full article. Warmly recommended.

As Cyber Insurance Dries Up, Treasury Department Eyes a Backstop

Bloomberg Law covered the same topic from another interesting angle: "A US Treasury Department request for public input on a potential federal cyber insurance program highlights a coverage gap for US companies as insurers reduce offerings.

The regulator is seeking public comment until Nov. 14 on whether the government needs to shore up the insurance industry to pay for severe cyberattacks, especially those involving critical infrastructure such as power grids, train lines, hospitals, and utility companies.

Cyberattacks are happening so frequently that underwriting standards sometimes can’t match the fast development and sophistication of the hacks. Insurers are raising rates to levels that make it hard for businesses to find affordable coverage. A federal insurance backstop could close the gap as insurers cut coverage to limit their exposure.

The Treasury Department’s Federal Insurance Office is seeking comment on a list of questions, including what kinds of cyberattacks are “catastrophic,” whether businesses are getting enough coverage, and how to encourage policyholders to strengthen cybersecurity practices.

Cyber insurers have seen losses jump 300% from 2018 to 2021, according to Fitch Ratings. Insurers, including Lloyd’s of London, Chubb Ltd., and Beazley PLC are racing to cut coverage for catastrophic cyberattacks that can paralyze multiple industries at once.

Federal financial support for certain cyber risks would also give insurers relief and security to make cyber insurance more widely available, said Andy Moss, a partner at Reed Smith LLP. “A cyber insurer can write policies with comfort knowing it can transfer some risk to the government, so it can offer bigger policy limits for businesses,” Moss said."

Link to the full Bloomberg article: https://news.bloomberglaw.com/privacy-and-data-security/as-cyber-insurance-dries-up-treasury-department-eyes-a-backstop?

It is clear as daylight that you need defense-in-depth and a data-driven approach to protecting your networks. Ransomware turns out to be a real headache, and here is an on-demand master class to get you up to speed.


A Master Class on IT Security: Roger Grimes Teaches Ransomware Mitigation

Cyber-criminals have become thoughtful about ransomware attacks, taking time to maximize your organization’s potential damage and their payoff. Protecting your network from this growing threat is more important than ever.

Join Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, for this thought-provoking webinar to learn what you can do to prevent, detect, and mitigate ransomware. You'll learn:

  • How to detect ransomware programs, even those that are highly stealthy 
  • Official recommendations from the Cybersecurity & Infrastructure Security Agency (CISA)
  • The policies, technical controls, and education you need to stop ransomware in its tracks
  • Why good backups (even offline backups) no longer save you from ransomware

Watch Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://info.knowbe4.com/ransomware-master-class


