
Cybersecurity Insurance Market State

  • Writer: Mark Stacey
  • Jun 16, 2023
  • 3 min read

Past

For more than a decade, initial steps in incident response plans focused on gathering volatile evidence: capturing data vital to the investigation before it is lost or overwritten. In recent years, these first steps shifted to focus on coordination with legal representation and insurance. This change is understandable –

  • External communications and reputation must be included in breach impact analysis. Legal representation helps navigate reporting, identify due diligence required, and protect sensitive data under privilege. (While this can be abused, business continuity relies on managing public communications.)

  • Incident management and response can quickly expand in scope and cost. Working with insurance early in the process helps ensure the efficient use of resources and confirms financial support prior to expenditures.

Legal filings arising from Target’s 2013 security breach laid the groundwork for both points.

In 2021, for the first time, cybersecurity insurers lost money. The proliferation of ransomware caused reactionary fluctuations across the cyber insurance industry. The most impactful include:

  • Forms and questionnaires changed with the dynamic threat landscape, and customers were unable to answer the questions.

  • Contingencies (security controls) could not be deployed fast enough to meet evolving baseline requirements.

  • Exclusions were developed and continually expanded. It was unclear to the insured what was covered.

Digital transformation and interconnectivity have exacerbated these challenges. Networks are growing faster than monitoring capabilities and investment. Organizations lack asset inventories to accurately describe the environment. If you are not sure what is on the network, you can’t accurately complete questionnaires or deploy effective security controls.

The evolution of digital assets and associated risk created a negative experience for cybersecurity insurance customers. Previous ‘yes/no’ questions became complicated.

For example, ‘Do you use MFA?’ Clients may answer ‘yes’ even though MFA is limited to HR systems. So, insurers expanded the questions to cover coverage, type, and management. Although customers continued to complete the forms in good faith, insurers lacked the expertise to validate whether the answers met the intent of each question.

To stay current, policies changed rapidly and some customers were deemed uninsurable because not enough was known to make risk-based decisions.


Several organizations that previously included insurance as part of their cybersecurity strategies were now voluntarily or involuntarily ‘running bare.’

Present

There is a race to understand the cybersecurity insurance market and providers are making substantial investments:

  • Insurers are creating technical teams that work closely with customers to identify vulnerabilities, refine impact potential, and recommend (or even deploy) security controls for their customers.

  • Insurer panels are being restructured and expanded to include technical expertise.

  • Technologies that proactively scan customer environments to augment questionnaires are emerging and gaining market position.

  • Brokers are leveraging technical partnerships in go-to-market plans.

These are not novel advancements, but they explain the in-house growth of technical expertise within insurance companies. Providers are creating teams that help improve customers’ security posture and inform their employers of acceptable risk. When a questionnaire does not provide the level of detail required to create policies for the environment, subject matter experts are staffed to bridge the information gap.

The result is a net positive. Good providers are adding continual value through technical support to their clients. Security vendors are considering impacts outside of technical triage, working directly with insurance and legal partners during response. Most importantly, these collaborations help the cybersecurity industry mature. If everyone is informed, the industry can avoid exclusions, forms, or requirements that don’t address the threat or are impractical for customers.

Future

Policy implications will continue to develop. In August 2022, Lloyd’s of London announced exclusions regarding Cyber War & Operations with substantial implications for ‘state-backed cyber attacks.’ Multiple revisions have been announced as the industry works towards adoption. Discussions largely target the wording around impact and attribution, as these are instrumental and influence investigation processes (which are the largest cost of IR).


The current landscape of unknowns will cause an increased demand for litigation. The resulting policies will continue to change as the industry discovers what customers are willing to purchase and what insurers are willing to accept, and as previously non-technical roles get further exposed to cybersecurity. In the meantime, legal representation will be required and should be included early in the response process. Understandably, customers are anxious that they will need to pay additional premiums and retain counsel to defend newly accepted policies. Fortunately, insurers, brokers, and customers have shared goals for risk mitigation and acceptance. The previous limitation was that technical expertise resided only with the end customer.

The explosion of ransomware and the impact potential of cyber-physical systems (especially in operational technology) are fuel for the cybersecurity insurance market—this is already evident in the number of insurance conferences highlighting cybersecurity and the policy variations being offered. This also means substantial career opportunities. If you understand insurance, legal, or cybersecurity, and have an interest in the other two, get involved, because this is a field that will mature quickly.
