As 2021 became the year of ransomware attacks, businesses realized that failing to incorporate risk-sharing techniques into their risk management strategies can have significant financial ramifications. As a result, organizations are transferring a large part of their cyber risks to insurers. Last year alone, IT firms saw an increase in claims frequency by 46%, professional services companies by 53%, and a whopping 263% for businesses in the industrial sector, according to a report by Coalition.

As the financial impact of cyberattacks continues to surge beyond $6 trillion annually, cyber insurance is predicted to become as crucial for businesses as auto insurance is for cars and health insurance is for people. It is only a matter of time before cyber insurance becomes mandated for organizations, as workers' compensation, property and liability insurance already are. Before this happens, what needs to be put in place to standardize and regulate cyber insurance? There is a win-win solution for both the payer and the enterprise in the form of standardized cyber risk measurement.

What are the current challenges in cyber insurance?

While there has been a significant boom in the cyber insurance industry, we observe problems on both ends — the payer and the enterprise.

Because cyber insurance is still a relatively new field that lacks historical data, and because threats continue to evolve, it is difficult for insurers to justify increasing premiums. Today, other than regulatory guidelines, there is no definitive calculation method or transparency around how insurers justify their premium increases, the cost of reinsurance, and other surcharges. For instance, insurers who issued $5 million cyber liability policies last year have scaled back to limits between $1 million and $3 million in 2021, according to a report by the U.S. broker Risk Placement Services (RPS). Similarly, many companies have faced cyber insurance premium increases of anywhere from 75% to over 1000%, as reported by XL Net.

On the other hand, enterprise organizations researching cyber insurance are unaware of the risk level they face and unable to accurately calculate the financial risk they could transfer relative to the amount of insurance they need. Businesses have defined neither their cyber risk appetite nor their tolerance level, because they have never measured the true financial impact of data breaches, incident response and the resulting business interruption. To date, cybersecurity assessments have relied on point-in-time, disconnected and ad hoc procedures or audits that yield pages of subjective reports that few people can understand or contextualize. While these reports expose vulnerabilities and provide insights into potential indicators of compromise, they do not tell an organization its actual cyber risk level. They also do little to educate businesses or insurers about the financial impact of accepting, mitigating or transferring these risks through insurance. This has unfortunately fostered a cybersecurity culture that is threat-driven and reactive.

How can insurers introduce a predictive approach in the cyber insurance industry?

Cyberattacks are only increasing in frequency and impact. Meanwhile, businesses still rely on a reactive protection approach while the cost of recovering from an incident is also rising, which creates uncertainty for insurance providers. The solution lies in standardizing risk measurement for cyber risk insurance.

Akin to putting black boxes in cars to record driving trends and behaviors and predict the chance of a road accident — cyber insurers should predict potential breaches by analyzing the real-time cybersecurity practices of a business. This will help them price premiums accurately and understand the risk they are underwriting, while simultaneously guiding the business toward proactive rather than reactive cybersecurity strategies that reduce the chances of a claim.

This can be done by applying a cyber risk quantification approach through machine-learning-enabled platforms that aggregate signals from the APIs of every cybersecurity product or service the business uses. The signals cover regulatory requirements, employee cybersecurity risk posture, the company's cybersecurity policies, vulnerabilities across its hybrid technology stack, the industry type, size and geography, and the kind of data managed, stored or transferred by the business. Most importantly, this inside-out risk analysis gives both the insurance industry and the end user a real-time understanding of cyber risk, because the data is transparently gathered from the cybersecurity products and services that already exist in the business' environment. Once the signals are integrated and processed by a risk quantification engine, it generates a simple-to-understand breach likelihood score that also shows the potential financial impact of a data breach.

Having both parties proactively embrace a standardized way of measuring, managing and mitigating cyber threats in real time through breach-likelihood prediction is crucial. Cyber risk posture is the combination of an organization's threats, vulnerabilities and their potential business impact. Quantifying cyber risks and expressing them as two metrics provides a common denominator for all cybersecurity conversations — both within and outside of a business. These two key metrics are:

  1. The breach likelihood per asset (people, processes, technology, supply chain, etc.).
  2. The financial impact of a data breach through each asset.
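As an added illustration (not the article's or any vendor's scoring method), here is a small Python model of the two metrics above: a per-asset breach likelihood aggregated from security-tool signals, the expected loss that likelihood implies, and the value of a candidate mitigation. The asset names, signal names, probabilities and dollar figures are constructed assumptions, and combining signals with a noisy-OR is an assumed simplification.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    # Constructed per-signal annual compromise probabilities, as a hypothetical
    # integration with security tools might report them (names are assumptions).
    signals: dict
    impact_usd: float  # estimated financial loss if this asset is breached


def breach_likelihood(asset):
    """Metric 1: combine per-signal probabilities with a noisy-OR,
    P(breach) = 1 - prod(1 - p_i). Assumes the signals are independent."""
    p_safe = 1.0
    for p in asset.signals.values():
        p_safe *= 1.0 - p
    return 1.0 - p_safe


def expected_loss(asset):
    """Metric 2 in annualized form: likelihood times impact."""
    return breach_likelihood(asset) * asset.impact_usd


def portfolio(assets):
    """Rank assets by expected loss (highest first) and return the total."""
    rows = sorted(
        ((a.name, round(breach_likelihood(a), 3), round(expected_loss(a), 2))
         for a in assets),
        key=lambda r: r[2], reverse=True)
    return rows, round(sum(r[2] for r in rows), 2)


def mitigation_value(asset, signal, new_p):
    """Reduction in annual expected loss if one signal improves to new_p,
    i.e. the dollar value of a control, used to prioritize mitigations."""
    improved = Asset(asset.name, {**asset.signals, signal: new_p}, asset.impact_usd)
    return round(expected_loss(asset) - expected_loss(improved), 2)


# Constructed sample inventory; every number is illustrative.
ASSETS = [
    Asset("customer-db", {"unpatched_critical_vulns": 0.20,
                          "phishing_failure_rate": 0.10, "mfa_gap": 0.05}, 2_000_000),
    Asset("build-pipeline", {"unpatched_critical_vulns": 0.05,
                             "third_party_risk": 0.15}, 800_000),
    Asset("hr-laptops", {"phishing_failure_rate": 0.25,
                         "edr_coverage_gap": 0.10}, 150_000),
]
```

Running `portfolio(ASSETS)` ranks customer-db first, and `mitigation_value(ASSETS[0], "unpatched_critical_vulns", 0.02)` puts a dollar figure on patching that asset, which is the kind of number both the insured and the underwriter can act on.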

Why standardized cyber risk measurement is beneficial

Cyber risk quantification benefits both the enterprise and the cyber insurer by standardizing cyber risk measurement. It gives the business a concrete means to prioritize mitigation initiatives, thereby improving its cyber risk posture and reducing premiums, while transferring residual risk through cyber insurance. Meanwhile, insurers can understand the risk they are taking on and underwrite more confidently. Ultimately, it takes businesses one step closer to predicting breaches before they occur and creates a dynamic relationship between insurer and insured throughout the policy lifecycle.

This article originally ran in Today's Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.