The volatility of the cyber insurance market and the threat landscape makes understanding how your company fits into both incredibly important.
Cynthia James, an enterprise security executive at Microsoft, spoke at RSA Conference 2022 on Monday about what makes cyber insurance so tricky and the best ways for CISOs and others in the field to navigate the complex market.
To open, James acknowledged that even cyber insurance companies may not always have a grasp on what they are doing. She cited a conversation she had in 2017 with a cyber insurance provider that was sponsoring a convention.
"I said, 'How is it that you guys know how to estimate who is going to get hit, and for how much, when we don't even know?'" James said. "They said 'Oh, we don't know; we just want a piece of that market because we know it's going to be big.'"
James then mentioned that while the market did explode in recent years, the costs and overall stress on the field increased, too. In 2019, experts said cyber insurance policies were inexpensive and easy to obtain, with minimal underwriting or cybersecurity reviews. James noted that companies used to be able to get $3 million in coverage for $3,000.
"You can't get anything close to that today," she said, adding that the price for the same coverage is closer to $300,000 today.
The reasons are simple, James said. There isn't a lot of actuarial data for insurance carriers to properly assess risk, but there are a lot of cyber attacks, and they're becoming too costly for the market.
"It's a big market [worth] $20 billion in 2021, but it has a terrible loss ratio. The way the insurance companies look at it is, for every dollar they bring in for a premium, they want to pay 50 cents or less on a claim," James said, noting that the ratio for cyber insurance is much higher. "80 cents on every dollar goes out [for cyber claims], which is a huge problem for them."
According to James, the complexity of the plans and the coverage is rising with the prices. She noted that insurance providers will riddle policies with fine print, making the job of an adept CISO who can accurately address the needs of the company even more important.
While around 95% of claims are paid, insurance providers will sometimes waive coverage following an event. James said that the top five reasons insurers don't pay are:
- "It's related to the same breach as last year."
- "We only pay up to _____ (sublimit)."
- "We only pay for costs AFTER you notify us."
- "We gave you negotiators/forensics/media advice you didn't use."
- "Your depiction of your security posture was inaccurate."
James also presented the seven biggest pitfalls and errors that she's seen companies make with cyber insurance.
The first error was not getting more than one bid for a policy and not trying to get as much coverage as possible within the budget allotted. James urged audience members to go to more than one provider and capitalize on any cost reductions that are available, such as better security posture scoring or advancing technology.
The second was not being explicit enough with the coverage and allowing for providers to harp on fine print and technicalities to avoid paying out claims. These can include policy exclusions for cyber acts of war, which have loomed in the wake of Russia's invasion of Ukraine and the escalating cyber attacks that followed.
The third pitfall was not communicating with the rest of the company about the different trade-offs of each plan and what is best for the company. James said one of the worst things a CISO or someone in a similar position could do is fail to document the suggestions and end up a scapegoat following a breach.
The fourth pitfall was overreporting or underreporting incidents to insurance providers. She recommended that providers be kept in the loop about a company's security breaches and be alerted on time. However, she also said that disclosing too much about a breach could lead to them picking out minor examples of human negligence to void the coverage.
The fifth pitfall was similar to the fourth -- oversharing or undersharing when it comes to the state of a company's security systems. An insurance provider should be made aware of the state of a customer's cybersecurity posture and any significant updates made, but they do not need to see the underbelly of the infrastructure, James said.
The sixth was renewing a cyber insurance policy without first reevaluating the policy price as well as the threat environment. Throughout her presentation, James hammered home that an active examination of the company's risk and potential cost is incredibly important for getting proper coverage.
The final pitfall that James mentioned was not ensuring that all critical threats are covered. If a company cannot have full top-down coverage due to its size, she said it is imperative that it examine which systems are at the highest risk and which are the most valuable, and make sure that those are insured for all kinds of breaches. She also urged organizations to present specific attack scenarios to their insurance carriers to make sure those types of threats will be covered.
James said that the best ways to spend money and obtain affordable coverage include implementing multifactor authentication, phish-testing users, maintaining tested backup systems and encrypting sensitive data, among others. In closing, she urged audience members who have cyber insurance to get a copy of their current policies and review them for any pitfalls, errors or shortcomings that need to be addressed.