In today’s cyber security environment, organizations strive to get the best return on investment when shopping for cyber insurance. Companies want low-cost policies without accurately assessing their risk. Insurers want low risk and to cover as little as possible. How did we get here, and where do we go from here?
Payouts, the cost of claims borne by carriers, reached an average of 72% in 2020, up from 47% in 2019, according to regulator-supplied data. Insurers have responded by raising premiums by as much as 50% while making it harder to actually file a claim.
Rising costs, combined with a 38% increase in attacks (according to Check Point Research), have made coverage so expensive that organizations are reportedly giving serious consideration to going without insurance or self-insuring. Part of these organizations’ cost calculation is the effort required just to buy insurance: filling out 400-question forms and spending considerable time gathering data is, for many companies, an unnecessary cost.
How can organizations lower cost and still reduce risk while simplifying the insurance-buying process? Some industry experts advocate “increasing cyber resiliency”, but increased resiliency does not necessarily make an organization more secure. Measuring cyber resiliency is also imprecise and expensive to implement. A practical example from another insurance line is auto insurance giant GEICO’s “DriveEasy” app, which monitors a user’s driving performance and offers better rates to safer drivers. A similar concept could be applied in the cyber insurance industry.
That concept, continuous risk monitoring, will square this circle better than cyber resilience, zero trust, or any other approach, for the simple reason that “life happens”. Imperfectly configured devices are added to the environment by people who, despite their best efforts, are prone to mistakes. Adversaries keep increasing their attack frequency and adding new capabilities, so a company’s best defense is to continuously measure, monitor, and quantify its cyber risk in order to see how secure it is at all times.
In a world where cyber risk is continuously monitored, both parties, the company itself and the underwriter, understand the risks and developments as they arise, and dealing with them quickly and efficiently should become easier for companies to manage.
Still, this easier management is not expected to happen soon. Surprisingly, most companies I spoke with indicated that, although they are in favor of continuous risk monitoring, they are reluctant to share their data with underwriters.
Read the rest of this article, written by ThreatConnect’s GM of Cyber Risk, Jerry Caponera: CPO Magazine – Cybersecurity Insights