Cyber insurance: What does a CISO need to know?

Insurance challenges

Although the cyber insurance market is expected to grow, it is becoming tougher for organisations to arrange the right cover.

Chief among the challenges is cost. Premiums are increasing, and cover is more restricted. Also, insurers may look for security and compliance measures that some businesses cannot afford. 

“I’d say premiums are surging, and I guess that trend is here to stay because the technical and legal landscape is becoming more and more complex,” says Ilia Kolochenko, founder of security firm Immuniweb. He points to rising fines under data protection laws as an increasing risk, with some insurers refusing to write new business.

He advises CISOs to be very careful with how cyber insurance contracts are drafted, as a lack of attention to detail can result in firms not having the cover they thought they had bought.

“The most frequent pitfalls that we observe is either you have too many exclusions, or the policy uses overbroad language,” says Kolochenko. This leads to insurers refusing to pay out.

And, as the NCSC points out, cyber threats change rapidly. CISOs need to check whether cover applies to new or emerging threats. If it does not, the policy might be of more limited use.

Another issue is the need for organisations to put in place specific cyber security measures before they can buy cover. Many of these measures are steps that responsible businesses will take anyway, but others are too onerous, expensive or of debatable practical value.

This is a particular challenge for smaller companies, says Muttukrishnan Rajarajan, a member of the Chartered Institute of Information Security and professor of security engineering at City, University of London.

“Even when SMEs are aware of insurance, the biggest challenge I see from interacting with them is that they are pushed to perfect their cyber hygiene and secure certification like Cyber Essentials Plus before even attempting to get cyber insurance,” says Rajarajan.

“In many instances, they simply don’t have the resources or budget to address challenges and implement controls, leaving them uninsured, whether because of a flat unwillingness to insure or due to prohibitively high premiums.”

Larger firms face their own difficulties. “Nowadays, it’s challenging to get cyber insurance as the insurers bring in a red team or pen testers to evaluate the security programmes of the potential client to ensure they are meeting a level of cyber security standards,” says James McQuiggan, security awareness advocate at KnowBe4.

These tests will be done before any policy is agreed. Even then, policy cover is likely to be lower than it was in 2019, says McQuiggan. He points out that policies increased by about 50% from 2018 to 2019, and firms are now seeing “anywhere from a 5% to 18% increase each quarter, due to ransomware attacks”.

Other industry observers are seeing similar issues. “Unrealistic or unnecessary inclusions in cyber insurance checklists are a challenge for CISOs,” says Rob Demain, CEO of security firm e2e-assure. “For instance, a checklist might ask if a company applies security patches within 30 days of release. Not all companies will need every patch, and they might not be able to apply it within 30 days. Another checklist might say the company needs to have a SIEM [security information and event management] monitored 24/7 by a SOC [security operations centre]. Purchasing, commissioning and managing a SIEM, as well as implementing 24/7 response, could be a £250,000 expense that organisations just don’t have the budget for.”

Some large insurers approve only 5% of applicants, says Demain. “That tiny percentage must remain compliant all year round, too, which is hard to achieve with continuous and stringent assessment,” he adds. However, this does not mean cyber insurance is without value. 

Making cyber insurance work

The cyber insurance market certainly suffers because of its complexity, and both insurers and their clients have made matters more difficult by using policies to pay ransomware demands.

“The good news is that in most cases, the insurers are willing to cover the full limit for business interruption from ransomware attacks,” says broker Simon Gilbert. “It is the actual ransom demands that have been tailed back most.”

However, CISOs and risk officers do need to be realistic with their boards about what policies can and cannot do. For all the pre-contract testing and advice, cyber insurance will not stop attacks. Nor can it prevent loss of business, or reputational damage.

As one insurance expert puts it, a cyber policy is a “backstop”. It should prevent a loss that threatens the business’s existence. Boards can adjust the level of cover they need, and the premiums they will pay, according to their own appetite for risk.

And firms can do much to put their own houses in order. In recent years, certainly before the pandemic, some organisations relied too much on cyber insurance to cover risks that they could – and, arguably, should – have mitigated themselves.

“There are about 185,000 vulnerabilities out there in the world at the moment. But if you boil that down in terms of the associated risks, you get down to probably 30, 40 or 50, which are things that organisations need to fix, and which will stop breaches from happening in not all, obviously, but in a huge number of cases.”

Middleton-Leal adds: “The reduction in overall risk in doing that, versus buying insurance, is much greater. But organisations haven’t been doing it because they haven’t been able to get that data and associate it with the corresponding risk.”

This is an area where insurers – and CISOs – could work more closely together. Insurers want to write policies that are profitable, at least in the medium to long term. Firms need cover that protects them from the worst consequences of cyber attacks, and allows boards to offset risks that cannot be carried or mitigated in-house.

Ultimately, cyber insurance is as much about an organisation’s risk management as it is about protecting its systems or data.

“In my experience, there is still more work to be done by the insured for them to understand and express their cyber risk to their executive committees and boards,” says KPMG’s Martindale. “What is the risk we are carrying, what is the risk we think we can get to, and what is our risk tolerance?”