The surge in ransomware and other advanced cyber attacks during the last 18 months has led to significant changes in the way insurance carriers approach cyber policies, and those changes are far from over.
For more than two decades, insurance companies have been issuing cyber policies with little to no verification of a client’s cybersecurity controls. The amount of cyber risk being transferred to insurance has for too long been determined based on unverified answers to as few as five or 10 questions.
“And there were no internal resources in place at the carrier level to ensure that they were making good underwriting decisions,” said Felicia Thorpe, Managing Advisor at AHT Insurance, speaking July 13 during a webinar sponsored by ThreatConnect. “Ransomware now has a supplemental application that is being required in most cases in order to offer coverage. And we’re getting a lot of non-renewals, which is indicative of the questions being asked and the answers being received. If you do not have a good cybersecurity posture, it is very likely you can get a non-renewal on your cyber policy.”
Thorpe agreed, however, that additional changes may be on the horizon, particularly in the area of cyber risk quantification. Insurance carriers are doing a lot more analysis on the front end before issuing policies and may begin demanding more of clients, Thorpe said.
“We need you to have some skin in the game. There’s no way that we can insure you for $5 million and you haven’t done the basic things to make sure that you’re protected,” Thorpe said. “The underwriters are putting in a lot more time and effort. They’re utilizing companies like ThreatConnect to get more information. And I’m seeing an increase from those five to 15 questions to, sometimes, up to 10 pages,” she said.
Cyber Risk Quantification
Insurance is one of the three key pillars of every cyber risk management program, said Jerry Caponera, Vice President of Cyber Risk Strategy at ThreatConnect. But understanding your risk, your mitigation options, and the return on those investments is also important.
“The first thing we have to do is we have to accept some level of risk,” said Caponera. “Then we have to figure out our transfer mechanism. And the third pillar is what do we do? How do we mitigate the impact of an attack?”
That’s where automated cyber risk quantification will have a major impact on insurance underwriters and the insured. “Cyber risk quantification is a tool. It’s a decision-making capability,” Caponera said. “You have to accept some level of risk. You have to transfer it where you can, and then you have to mitigate risk in ways that provide the most effective return on your investment.”
The major challenge facing insurance underwriters remains the point-in-time nature of their cyber risk assessments and the quality of the data they receive from prospective clients. Deploying an automated cyber risk quantification platform removes the guesswork from risk assessment and replaces it with actual data on threats, vulnerabilities, and controls.
“One of the things we’re trying to do with ThreatConnect Risk Quantifier (RQ) is help organizations understand the different kinds of financial impacts they face and the different kinds of attacks,” said Caponera. “Everybody talks about ransom or extortion costs when it comes to ransomware attacks. But you also end up dealing with some legal costs, remediation costs, and revenue costs as well. We gather data from a variety of sources and build our own loss tables to really describe this.”
Loss data of this kind is perhaps one of the most significant improvements in the ability of insurance carriers to accurately determine whether a policy should be written, renewed, or canceled.
“I think that it would make the most sense. I think if you see significant losses, they’ll probably have to integrate that as part of their policy delivery and maintenance,” Thorpe said. “They’re learning lessons by how much they pay out.”