Forrester senior analyst Alla Valente told Government Technology that businesses of all stripes may start to find that they need to obtain cyber insurance or risk losing potential customers. At the same time, rising cyber threats have led insurers to raise prices and be choosier about who they’re willing to cover.
This tension poses new questions for state regulators and federal officials who may consider cyber insurance coverage and rate policies as a useful tool to compel organizations to improve their digital defenses. Should government intervene to keep coverage affordable?
The State of Cyber Insurance
Cyber insurance protects entities from liability and property loss should their digital systems and operations be disrupted, with some plans covering not only the policyholder but also their customers.
Ransomware victims might turn to their insurers for advice on whether to pay a ransom, for assistance recovering from an attack or for a contribution toward a ransom. Lake City, Fla., had a plan that paid ransomware attackers $460,000 during a June 2019 incident, and the city provided an additional $10,000 per its deductible.
Small business research firm AdvisorSmith estimates that U.S. businesses with cyber insurance paid an average annual premium of $1,485 in 2020. The firm based this finding on 43 insurance companies’ estimates of what they would charge clients who earn $1 million in revenue and present moderate risks, for plans stipulating a liability limit of $1 million and a deductible of $10,000.
Business Necessity
“Let’s say you’re a shipper or a trucker, and you have a cyber attack,” Valente said. “While you’re going through your incident response ... [and] trying to figure out whether to pay the ransom or not, there is going to be some business interruption. Why should my business be interrupted because you have a cyber attack? You having that cyber policy, at least, might reimburse me for some of the losses that I have to now sustain.”
Cyber insurance rates are rising, however, which could leave small and mid-sized businesses unable to afford coverage that could reassure customers. Government officials might need to consider whether they would want to intervene to help these players still compete, Valente said.
Insurer Caution
Insurers have been paying out more and larger claims as cyber attacks grow in number and severity. Many insurers are becoming cautious about offering coverage until they’re confident that they understand the risks well enough to create profitable pricing models.
Awareness of cyber threats has been increasing steadily, but cyber insurers, when estimating risks and costs, are still working off of a more limited historical data pool compared to those who work in the field of traditional business insurance, Valente said. The fact that many victimized companies don’t report attacks further reduces available information, she added.
Even if insurers improve their knowledge of past attacks, the Government Accountability Office (GAO) noted in a 2021 report that the ever-evolving nature of technology and cyber criminal tactics make it difficult to predict future risks. Cyber insurers are also likely to pay out multiple claims at once. A single cyber attack can affect a broad swath of businesses. For example, one hack can impact every entity that uses a compromised cloud software or installs a patch containing malware.
Such challenges, however, are unlikely to scare insurers away from a market that has high customer demand, Valente said.
Some insurers are instead guarding their bottom lines by limiting the maximum amount they would pay claimants, restricting the scope of their coverage and raising prices. More than half of insurance brokers said the premiums they charged clients in Q4 2020 were 10 percent to 30 percent higher than what they charged the prior quarter, according to a survey cited by the GAO report.
Leverage for Change?
Insurers are also trying to control their risks by requiring customers to follow cyber best practices in order to get their claims approved, according to recent Forrester research.
Some businesses used to treat purchasing cyber insurance as their entire risk management strategy, Valente said. This approach has always been inadvisable and is decreasingly possible as insurers become reluctant to accept applicants that don’t adopt other protective measures.
“Now that so many claims are being made on the cyber attack, the insurance companies are saying, ‘Well, hang on a minute, before we approve you for this policy … we want to understand what level of risk we’re taking on,’” she said.
Forrester also predicts that insurers might partner with managed security service providers (MSSPs) to provide better rates to clients that contract MSSP services.
Still, the Cybersecurity and Infrastructure Security Agency (CISA) appears to agree that insurers can be an influential force in improving the nation’s cybersecurity posture. The agency’s website states that a thriving cyber insurance market can play a strong role in encouraging organizations to implement defenses and best practices, if doing so qualifies firms for more extensive coverage or lower premiums.
But insurers only have such leverage if firms believe their offerings are attainable. Should insurers raise rates too much, smaller organizations with limited budgets may decide coverage is not worth the cost.
Government Engagement
Government officials looking to elevate organizations’ cyber postures may need to either mandate certain best practices — rather than rely on the lure of insurance coverage to incentivize voluntary adherence — or intervene to help make offering affordable coverage more financially attractive for insurers.
The Cyberspace Solarium Commission, an entity created to deliver recommendations on improving the nation’s cyber defenses, proposed in its 2020report that Congress create a bureau that would collect and publish information on cyber incidents. This move could help insurers access historic data to inform their price setting, for example.
CISA also stated online that some companies say they bypass cyber insurance plans due to “confusion about what they cover.” According to the GAO report, the insurance industry lacks common definitions of key terms like “cyber terrorism,” which can lead to misunderstandings and client-insurer disputes. The report suggested federal and state governments should establish standard language.