Cyber insurance has been around for a while – some say it dates back as far as 1997. It really became a mass-market product between five and 10 years ago, and many were surprised that a policy with a potential seven- or eight-figure claim pay-out cost just a few thousand dollars. Times have changed radically, though. As attacks become more prevalent and as fixing the damage gets more and more expensive, the premiums are rocketing up, the level of cover is plummeting, and the number of caveats and exceptions in the average policy is ballooning. In his session Cyber Insurance Reality Check at ISC2 Security Congress 2023 in Nashville, Tennessee, infosecurity specialist, podcaster and author Joseph Carson took a research-based look at the realities of cyber insurance in the 2020s. 

Carson’s first finding was that people do make claims on their cyber insurance – lots of them. A third of organisations had made one claim on their cyber policy, but almost half (47%) had made more than one call on their cyber insurance – and among smaller companies this figure was 52%. “That is a significant amount of claims”, said Carson, but warned: “Yes, those organizations, the great thing was that at least they had the financial safety net. That's great. But it shows that just because you have cyber insurance doesn't mean you're not gonna become a victim of a cyber attack.”

The weaker points of cyber insurance

The next focus was on the exclusions and limitations we find in cyber policies. The researchers asked their subjects what would cause their cyber insurance to be invalid. Top of the pile (43%) was a lack of security protocols in place, though human factors – internal bad actors and people losing kit – were close behind on 38% each. The old favourites were in there too: acts of war voided 33% of policies, with terrorism just 1% behind. Carson noted that it’s important to ensure any controls you say you have are properly implemented, because a control that is only partially deployed can be treated by the insurer as not being in place at all: “This is where you get those small businesses who do the self-assessment and realize that when they checked the box and said ‘Yes, we're using MFA’, they realized that yes, they only had MFA on, let's say, 60% of employees and it wasn't on all employees … where they checked the box and said, yes, we have MFA, [that] could potentially void a claim because they didn't have it on a hundred percent deployment”.

Carson also noted that on occasion companies play the “blame game” to make sure their insurer pays out, by citing a root cause that they know is covered. “What's been interesting is that some insurance policies that I've seen in the past, if you have a process failure, or you have a process [or] compliance failure, then that voids your insurance. But if you find human failure, then you will get paid … Sometimes for organizations to make sure they get paid in the policy they want to find human blame.”

What can and should be covered?

Turning the previous point around, Carson then gave a view of some of the specific areas that cyber insurance does pay for, noting that there are so many different policies available that a company can pick the one (or several) that best suit its requirements – which really means buying something that addresses the organisation’s own risks. “It’s really important to make sure that as you come down this path, you actually do a proper risk assessment. And a business risk assessment, not something that's a security risk assessment. You want to get into a business risk assessment when you're going down the path of cyber insurance. When you're doing cyber insurance, you need to focus on the operational. But you need to make sure that you're addressing the business metrics”.

More than half of policies (54% and 53% respectively) would pay out for data recovery or adding security controls, with 45% covering incident response services and 41% paying for fines or covering lost revenue. And if you’re considering paying the ransom for a ransomware attack … 40% of policies cover negotiation of the ransom and/or the actual payment itself. On this latter subject Carson also pointed out that some insurers consider paying the ransom as one of the potential approaches under the heading of “data recovery”, and noted that ransom coverage can move the ethical decision of whether to pay out of the organisation’s own hands: “You're handing over the decision making to the insurance company, whether they're gonna make the ransomware payment. That's something that's been happening in a lot of policies and some organizations are like, that's fine with me because it means I'm not having to do the ransomware payment directly”.

Going back to the first finding, experience in other fields of insurance tells us that if insurance claims increase, so will the premiums. No surprise, then, that this is precisely what happens in the cyber insurance realm. A paltry 2% of respondents saw their premiums reduce, while a similar number saw them more than double. By far the majority – 67% – had their premiums increase by 50%-100%, 10% had an uplift of less than half, and the remaining 19% saw little or no change.

Paying for the insurance in the first place

The data on the cost of insurance was followed by a fascinating aside: those surveyed were asked whether they had been awarded a budget uplift to pay for cyber insurance. And the vast majority (81%) said “yes” – more than four times as many as those who said “no”. Part of Carson’s logic in explaining this was that since board members have personal responsibility for the company’s continued existence and, of course, for preserving shareholder value, they’re going to be inclined to ensure that funds are made available for insurance.

This factor carried through to the next data set, which was about people’s main reason for getting cyber insurance. Top of the heap was “the executive/board wanted me to”, in 36% of cases. 26% said they had jumped on board because they’d seen others in their industry being attacked (“They saw their peer organizations become victims”), while 19% admitted to being reactive and obtaining insurance because they had had an attack previously. And leaving aside the 1% who had no particular reason, 18% of insurance purchases were driven by external organisations, with customers, partners or other third parties insisting on the purchase of cyber insurance. Carson also brought up the fact that many of your board members work with more than just your organisation: “typically what you find is most board members sit in multiple boards and they hear from another organization they're dealing with that they're doing cyber insurance”.

Next came a discussion of tools – specifically which tools they had to purchase in order to get or renew their policy. It will come as no surprise that access management was the star of the show. 51% had been compelled to implement Identity and Access Management (IAM) tools, with 49% made to implement Privileged Access Management (PAM). Our old friend and ally Multi-Factor Authentication (MFA) came in at 47%, with password vaults/management at 48%. For a change Disaster Recovery brought up the rear of the examples covered, with a mere 38% being made to implement it.

And satisfying these prerequisites is key. “If you don't have an IAM program”, said Carson, “you may not even be able to become insured. If you don't have privileged access management in place, if you don't have multifactor authentication in place, if you don't have a password vault or actually some type of password management in place. Most organizations had to go and buy additional technologies to be able to make sure they can get insurance in the first place”.

Aligning policy with insurance expectations

The final key finding was around the time and effort taken to obtain or refresh cyber policies. In the most recent year 18% reckoned less than a month had been (or would be) required, with 1-3 months being the most popular answer at 45%. 30% said four to six months, with a handful either taking longer than this or citing themselves as unsure. Most organisations (63%) handled the start-up or renewal internally, with 57% using the insurer’s tools and 55% looking to external risk assessors for help. The time taken has also grown year on year. Carson recalled: “Last year we did the research, it [the time to obtain insurance] was approximately three months. And this year now it's six months. So it's taking longer. So if you're a larger organization, it could take up to six months to actually do the process of getting insurance. If you're a smaller business, you could probably do the self-assessment and accelerate that quite significantly”.

The cyber insurance market has changed radically; we would of course expect cyber coverage in 2023 to be somewhat different to how it looked all the way back in 1997, but even in the few years since it really took off the market has become unrecognisable compared to the mid 2010s. This should be no surprise, of course – as claims go up, coverage gets sketchier and pricier – but the magnitude of change has been greater than expected. Joseph Carson has, however, reassured us that despite these factors cyber insurance is still a thing … though we should expect to have to jump through a load of hoops to get it and retain it.

The final word goes, quite rightly, to Carson, and the message is short and to the point: “Cyber insurance is not cybersecurity. It's the financial safety net that should be combined with a good cyber security strategy.”