Joe Uchill from SC Media shared a critical insight in this article on how the cyber insurance market bubble is bursting. Over the last 16 months, the statistics show a consistent increase in breaches and a rise in insurance payouts and loss ratios. The cyber insurance industry urgently needs to adopt practices that align with the reality of cybercrime.
Keeping up with the reality of cybercrime
Historically, insurance risk models have been built and trained on massive sets of historical data that are modified only minimally over time, and the overall direction of that data does not change radically year over year. Historical data is useful for behavioral patterns but insufficient for predicting breaches in a threat landscape that changes direction continuously. A company that has been relatively secure and unbreached for the past five years could be breached through an unknown attack vector tomorrow.
Cyber security is unlike any other industry model that cyber insurers have faced before. As a fast-paced and relatively new industry, it challenges insurance companies with the prospect of rapidly changing tactics and models. Digitization has swept over every organization, accelerating technology adoption and fuelling a growing external attack surface. Combine this with skilled attackers who continuously scan the internet for new attack vectors and security weaknesses, and you have an ever-changing IT ecosystem with an evolving threat landscape.
Add to that an over-reliance on outdated tools, increasing ransomware payouts and more avenues for cybercrime, and an organization is left alarmingly exposed. To cope with this apparent rise in risk and the pace of change in cybersecurity, some insurance companies have chosen to “opt out” of the cyber business, while others are raising their rates and lowering their coverage, which is unsustainable. If insurance companies want to stay in the cyber security market and remain profitable, they need a new and agile approach based on modern technology.
The cyber insurance industry needs to think like an attacker
Approaches that mimic attacker behavior to assess risk, not only during underwriting but continuously throughout the life of the policy, will see more success.
The smaller, tech-centric insurance vendors have already demonstrated an understanding of this. Now it is time for the heavyweights in the industry to adapt or opt out. Cyber insurers can use external attack surface management solutions to look at their top insured organizations and assess their attack surface and its associated risks. The CyCognito platform automates that process and pairs the findings with guidance on the assessment, so that users of the platform can clearly understand how much risk is involved. Insurers can immediately determine the real risk associated with an organization and decide whether or not to insure it.
Managing risk won’t be a one-off task; because real-time data is fed into the platform, it can be an ongoing process of discerning risk. The data can be shared with the insured organizations to inform them about what they need to fix in order to potentially qualify for a lower premium. Implementing an attack surface management program that provides external visibility, risk assessment of internet-exposed issues, and guidance to remediate is a strategy that benefits both insurers and the insured.