VIEWPOINT: The Importance of Cyber Insurance & Cyber Assurance

By Gerard Capraro & Gary Scalzo


Cybersecurity, information assurance, and cyber resilience are essential for any organization. Although almost any company can expect to be attacked at some point, those that implement effective protection techniques and carry appropriate insurance coverage can minimize the damage of a cyber attack. Cyber risks, however, present unique challenges to the insurance industry.

Business-interruption and data-breach litigation insurance were among the earliest cyber policies sold in the U.S. Ransomware coverage is now one of the most commonly sold policies; it covers the risk of malicious hackers encrypting or exfiltrating a company’s data and holding it hostage for a ransom payment.

When a company seeks cyber-insurance coverage, the insurer requires it to complete detailed questionnaires about its security controls so that the policy matches the company’s specific risk profile. In some cases, insurance brokers possess sufficient IT knowledge to guide policyholders through the process. In most cases, unless a policyholder employs an IT expert with strong knowledge of cyber assurance, it will need to hire a managed-security services (MSS) provider to assist.

The challenges are further complicated by the growing number of malicious hackers, which has led regulators and industry bodies to create their own directives, standards, rules, and requirements on how to protect the data in their domain, report incidents, and comply with government or industry regulations. Examples include HIPAA, for the protection of health information; CMMC, for the protection of controlled unclassified information handled by Department of Defense contractors; PCI DSS, for the protection of payment-card information; and GLBA, the Gramm-Leach-Bliley Act passed by Congress in 1999 for the protection of consumers’ financial information. Each of these standards, rules, models, and acts prescribes controls for protecting sensitive data, and each carries its own risks, fines, and legal fees for noncompliance.

Status today

Cyber insurance is becoming increasingly important due to the rise in cyber attacks. Total written cyber premiums in the U.S. nearly doubled from 2019 to 2021, from $3.4 billion to $6.5 billion, and some predict that the cyber-insurance market will reach $60 billion within a decade. Insurers had a loss ratio (claims paid as a share of premiums collected) of 65 percent in 2020, which improved slightly to 62 percent in 2021; a loss ratio between 40 percent and 60 percent is considered good. Finding the optimum risk point is challenging for both insurers and buyers, because the cyber threat keeps changing, is unpredictable, and must be defended against before an attack occurs, not after.

Issues for small to medium-sized enterprises: Small to medium-sized enterprises (SMSEs) face significant challenges, as they often lack IT staff knowledgeable in cybersecurity. They need help completing detailed insurance questionnaires and meeting policy requirements that vary by industry. Hiring an MSS provider or a qualified internal specialist can be expensive and hard to sustain, because cybersecurity professionals are in high demand by larger companies and by the MSS providers themselves. An MSS provider may charge $5,000-$10,000 per month to document the client’s IT infrastructure, perform penetration testing, perform a gap analysis, and manage the IT infrastructure through periodic testing, staff education, software-patch management, and reporting to management. (Note: The provider may charge an additional fee to develop a plan for closing the gaps and implementing the policies and procedures required by the SMSE’s industry.)

This cost may be too high for some SMSEs. However, if an SMSE is hit by ransomware, its costs will include the ransom, the forensic investigation, business interruption, bad publicity, and potential liability and legal-defense fees. SMSEs should weigh these potential costs against the preventive benefits of hiring an MSS provider and purchasing cyber insurance to protect their business from cyber threats.

What does the future hold?: The Internet of Things (IoT) and integrated circuits (ICs) in general are everywhere: in our homes, businesses, factories, power plants, and more. They give hackers a significantly larger attack surface. The average internal-combustion-engine vehicle in the U.S. has 150 ICs; the average electric vehicle has 3,000. How many will self-driving EVs have? Modern vehicles have been shown to lack effective security countermeasures, and EV chargers have been exploited to steal credit-card information. What will happen when a self-driving vehicle is electronically compromised and causes an accident? Vehicles have already been attacked by ransomware demanding payment from the driver before the vehicle will run. How will such incidents affect the cost of vehicle insurance?

Near-term recommendations: Tips for SMSEs:

• Find a trustworthy insurance broker.

• Consider hiring a cybersecurity specialist, or outsourcing to an MSS provider.

• Perform regular internal and external penetration testing, and develop a cybersecurity plan that addresses the findings.

• Employ multi-factor authentication (MFA); back up your systems frequently, keep at least one copy offline or immutable so ransomware cannot reach it, and test restores; and implement an endpoint detection and response (EDR) tool such as Microsoft Defender.

Tips for insurance brokers:

• Engage an IT cybersecurity specialist to help SMSEs complete insurance questionnaires.

• Recommend a reputable cybersecurity expert or MSS provider to SMSEs, if needed.

Conclusion: SMSEs, insurance brokers, and MSS providers should collaborate to harden and maintain SMSEs’ IT infrastructure. Doing so lowers the risk of cyber attacks, which in turn reduces the cost of cyber insurance and, over time, improves insurers’ loss ratios. This collaborative approach benefits everyone.

Gerard Capraro, Ph.D., is the chief scientist of Capraro Technologies, Inc. Gary Scalzo is president of the insurance agency Scalzo, Zogby & Wittig, Inc.