The cyber insurance industry may be on the brink of a total collapse due to the dramatic increase in claims over the last few years. The FBI’s annual Internet Crime Report states that cyber-related complaints have increased by almost 200% since 2017, resulting in $18.7 billion in losses. For the cyber insurance industry, this has led to some insurance carriers paying out more in claims than they took in from premiums. In an effort to remain financially solvent, providers are now demanding their customers reduce their risk profile or expect a significant price hike or even cancellations.
Some insurance providers are even taking it one step further by getting directly involved with clients in order to reduce their exposure to risk. This most notably includes looking for ways to decrease the number of human errors that are the source of most incidents. In fact, according to Verizon’s 2021 Data Breach Investigations Report, accidental clicks or other human mistakes make up more than 85% of all successful hacks.
An increasing number of insurers are finding a solution to the problem in the form of behavioral-based cybersecurity training programs that have been independently verified to change the way people respond to a potential threat.
Survival is paramount
Cyber insurance is no longer optional for most companies. In fact, according to the National Cyber Security Alliance, 60% of small to medium businesses (SMBs) fail within six months of a cyberattack. Ironically, while these same SMBs can’t afford to operate without cyber insurance, they may soon not be able to afford the insurance itself.
Upon the arrival of this year’s renewal letters, a number of business owners and CEOs began to feel the seriousness of the situation. It was not uncommon to see premiums increase by as much as 300% year-over -year, according to a report by Risk Placement Services Inc. the escalations could intensify at an even more dramatic pace moving forward.
The problems don’t end there. Many insurers are adding exclusions that limit what exactly gets covered, as well as assigning blame to those that fail to properly mitigate their exposure. While fault was never part of cyber insurance claims in the recent past, go forward, if a company fails to properly train employees or demonstrates poor security hygiene and gets hacked, its claim may be denied and future access to coverage could also be in jeopardy.
Further driving up costs is the reduction in competition. Many insurers have decided that the potential risk outweighs any rewards and have exited the market entirely.
“Despite the fact that taking risks is their business, the insurance industry doesn’t like uncertainty,” noted Mark Weir, who has spent over 30 years in the insurance industry and is now managing director of LCM Solutions, a Canadian consulting firm. “For some underwriters, the risk in offering cybersecurity coverage is simply too great at this point in time.”
This is in stark contrast to the early days of cyber insurance when profits were sky high. Back then, insurance companies were all too eager to dole out insurance to anyone who wanted it because demand was high and the perceived risk was low.
“Initially, companies were offering cyber insurance thinking they would never actually have a claim,” explains Jeremy Harris, CEO of Mindshare IT, a managed service provider offering both IT and cybersecurity services. “Now they find themselves in a sticky situation and are looking for solutions.”
Unexpected consequences
The cyber insurance industry may have been a victim of its own success. As insurers started offering more coverage, businesses often became less vigilant in their defenses. In many cases, they were quick to pay ransomware assuming they would be reimbursed. As a result, cybercriminals may have become incentivized to target companies with cyber insurance policies in place.
The need to undue this paradox has insurers looking to their customers to take a much more vigorous role in reducing risk, or else. This has brought more stringent cybersecurity employee education to the forefront.
In order to slow down successful phishing breaches, which account for an overwhelming majority of attacks, experts feel training is paramount. Phishing, along with other forms, like vishing – over the phone, smishing – via text, and pharming – visiting fraudulent websites, often leads to the deployment of malicious software, like ransomware.
An increasing number of new regulations now require many industries to add ongoing education to their security programs, but some top executives question whether these generic training programs work as advertised.
“Our view is training that does not impact risky behaviors is a waste of time and money for our clients,” says Kirsten Bay, CEO of Cysurance – a US-based cyber insurance company that writes policies to protect against privacy breaches, identity theft, system damage, and other cybercrimes. “For us, the goal is to find proven ways to detect and prevent harm which then lowers the risk of both a security event for our clients and also a future claim,”
Bay says that Cysurance was looking for a training platform that would identify the personality types that are more inclined to be a victim of an attack. Then you could design a program to deliver consistent, ongoing training materials to those specific people in order to evoke a change in one’s actions.
“I think what you’re seeing with the better security training companies out there is that they really focus on the individual’s personality and train them accordingly,” says Harris. “Those that have metrics proving a reduction in potential breaches are rising to the top.” And, indeed, some personalized behavioral training programs are now able to greatly reduce the rate of phishing failures.
A personal touch
“What we look for is to develop a ‘culture of compliance,” remarked Weir. “However, what helps one person, may not be helpful to another. So, this idea of first evaluating the psychology of the individual and then educating that person based on their natural propensity is a game-changer. I think it is going to be what keeps the cyber insurance industry afloat.”
By partnering with a cyber training company that provides verified proof of reducing claims, insurance companies can greatly minimize their risks and therefore reduce the costs of their coverages.
“I give a lot of credit to those insurance companies who are smart enough to realize they have to help their clients mitigate risk,” concludes Harris. “It’s for the good of these small companies as well as the overall health of the cyber insurance industry.”
Dr. James Norrie, Founder & CEO of cyberconIQ. Norrie has more than 30 years of experience in business management, psychology and the cybersecurity industry. He was the Founding Dean of the Graham School of Business at York College of Pennsylvania and is currently a tenured faculty member at the school.
Pingback: Taking uncertainty out of cyber insurance - Cyber Protection Magazine