Automating Cyber-Insurance Compliance

Innovative companies are investing in digital transformation to increase productivity and enable development of new services, allowing them to grow market share and increase profitability. These innovations will continue, but the growth in digitally enabled systems has seen a corresponding growth of professional hacking. Cyber-attacks continue to increase in number and sophistication, and their impact is rising. According to IBM’s Cost of a Data Breach Report, the cost of a data breach for healthcare organizations reached $10M per incident in 2022. Healthcare is not alone. Cyber-attacks impact every major industry.

Due to the rising cost of cyber-attacks, cyber-insurance has become one of the fastest growing segments of the insurance market. Banks are now requiring cyber-insurance before they will provide certain types of loans. Despite the growth in cyber-insurance revenue, cyber insurance companies are losing money, with loss ratios reaching 66% in 2022.

Risk assessment for cyber-insurance companies

Cyber-insurance carriers currently assess risk using questionnaires submitted by the insured organizations. These questionnaires can be as long as 50 pages. Despite this, they often fail to capture the true state of cybersecurity for the organization’s computing infrastructure. At best, the questionnaires are tedious and difficult to fill out. In most cases, the individuals filling out the questionnaires simply don’t have a complete view of what is happening on their network.

For example, the organization may assert that it has two-factor authentication (2FA) enabled, but 2FA may not be enabled for all applications. Networks are dynamic: a new application may be added later without 2FA enabled. The result is insurance policies written without a clear view of risk, leading to unexpected claims.

Both insurance carriers and policy holders are failed by the current approach. Cyber-insurance companies need a better view of risk to enable a sustainable cyber-insurance business with reasonable profits and premiums.

Risk assessment platform

Cyber-insurance companies now require companies to attest to a nine-point cybersecurity plan covering:

  • Multifactor authentication
  • Patch management & vulnerability scanning
  • Endpoint detection & response
  • Email security
  • Cybersecurity Awareness training
  • Identity management
  • Network segmentation
  • Backup protection
  • Breach plan/incident response plan

History has shown that mandates work when they are followed. Seat belt laws and smoke detector mandates have both reduced insurance losses, saved lives, and limited property damage. Cyber-insurance mandates will work equally well, but only when tools are in place to ensure they are being followed.

Automated solutions, such as Dragonfly Cyber’s Cyber Insurance Compliance Platform, enable cyber insurance carriers to apply actuarial rigor to cyber insurance underwriting by performing risk analysis based on accurate data. This provides real benefits to the insurance carrier including:

  • Eliminating manual processing of questionnaires
  • Ensuring accurate information based on collected data
  • Detailed reporting of risk for 6 of the 9 categories
  • Ongoing monitoring to ensure companies remain in compliance as infrastructure changes

Automated tools provide an accurate and up-to-date view of cyber-risks

Automation and continuous monitoring are critical to cyber-insurance risk management. Unlike traditional insurance categories, corporate computing infrastructure is dynamic. New applications are installed and updated, devices are added or moved, and new services are enabled on a regular basis. Any of these changes can have a dramatic impact on the organization’s risk profile.

Risk compliance for companies purchasing cyber insurance

Cyber risk evaluation is a required step in obtaining cyber insurance and is intended to allow insurers to manage exposure. The insurance industry uses questionnaires to evaluate risk for traditional lines of insurance including health insurance, life insurance, and property insurance. In these cases, information is verifiable with public records or a health checkup, and the risk is relatively static. Information gathered provides insurance companies with a clear view of risk, allowing them to price insurance policies consistently, fairly, and profitably. 

Companies are increasingly turning to cyber-insurance to cover financial losses due to cyberattacks. But cyber-insurance is not a silver bullet solution. The costs of cyber-insurance policies are high and deductibles often even higher. These policies protect an organization from the full cost of a cyber-attack, but still leave companies with a large cost to restore their systems to operational status. Furthermore, cyber-insurance policies are placing higher requirements on organizations to qualify for coverage. In some cases, companies with strong cyber security practices have been denied coverage.

Business networks, unlike buildings or people, are dynamic. Cybersecurity policies and controls are updated continually, and core assets are added, removed, or migrated between zones. At the same time, staff are moving between home offices, corporate offices, and remote work locations such as coffee shops and airports. Continual monitoring of the network is required to ensure cyber-insurance mandates are being followed as the network changes.

More challenging than the dynamic nature of networks is the difficulty of ensuring that cybersecurity controls are consistently applied to all applications and devices in a network. Questionnaires provide only a limited view of cyber risk.

An automated cyber-risk management platform provides significant benefits to companies purchasing cyber insurance policies, including:

  • Ensuring precise premiums based on real cyber-risk data
  • Eliminating the need to fill out questionnaires, which have grown to as much as 50 pages
  • Ensuring accurate data is provided to insurance companies
  • Improving the security of their infrastructure by providing actionable information on vulnerabilities discovered

The management representative responsible for verifying questionnaire responses for cyber insurance as “true and complete” is put into a difficult position. Due to the dynamic nature of corporate networks, it is difficult to ensure the accuracy of all information included on the questionnaire. Furthermore, the management representative may be held liable for incorrect responses. Automated tools solve this problem.

Summary

Cyber-insurance claims may be denied if your network is not in compliance when an attack occurs. Corporate networks are highly dynamic. Devices are continuously added or moved, new applications are installed, software is patched, users change passwords and configurations, and other changes occur on an almost constant basis.

Without continuous monitoring and assessment of security against cyber-insurance requirements, your organization remains at risk. Tools to automate this process, especially those with unique capabilities that find otherwise unknown vulnerabilities, are critical to the viability of your business. 
