With cyberattacks paralyzing organizations one after the other, CEOs are turning to cyber insurance companies for protection. Following a barrage of costly data breaches in the past few years, the demand for specialized cyber insurance policies has gone up by 21%, the New York Times reports. But with the demand, premiums too have shot up leaving many companies without coverage.
In this Delegate Roundtable recorded at the Security Field Day event in Silicon Valley, Tom Hollingsworth and the attending delegates talk about pricy premiums, the pains of cyber claims, and the market driving adoption of new technologies.
“We Are Reducing Risk One Bite at a Time”
Sophistication of cyber incidents and their financial impacts have been on a slow and sinister rise. Every year the numbers are hitting a new high with companies sustaining big losses in the forms of damage to the brand, lost revenue, and sometimes, full and final closure of business.
The general liability policies typically don’t protect against these kinds of risks. The losses from cyberattacks are intangible, and therefore not readily quantifiable.
“We have certain kinds of insurance that are set up to protect life and limb. But what happens if a company finally gets to the point where it has collected so much data that the likelihood of a breach could materially impact the lives of every person in the world?” asks Tom Hollingsworth.
As a way to protect against the potential impacts of such attacks, it is critical for every organization to be on a specialty plan that provides coverage against emerging threats.
The market has shifted significantly since companies started purchasing cyber insurance policies. Trends show that between 2022 and 2023, cybercriminal gangs purposely targeted cyber-insured organizations for easy payoffs.
Indiscriminate claim flows from organizations hit by cyberattacks have caused carriers to tighten their belt and mitigate losses.
Underwriters are actively looking for ways to throttle claim payouts. “The underwriters started pushing back on the companies saying you can’t just issue these policies with any hope that they’ll never pay off. They will and you need to put some basic protections in place,” he says.
One of the ways they’re doing this is by setting up stricter requirements which includes adoption of certain security technologies. “Lately we’re seeing more and more detailed attestation almost to the level of an audit. It reminds me of HIPAA compliance, and this is driving customer adoption of technologies. Before, they would do the cost-benefit analysis of whether a technology is going to slow the business down, or anger the users. Now it’s not a question,” says Ben Story, Network and Cybersecurity Engineer.
These requirements incrementally mandate the use of DNSSEC, SOC, SIEM and such technologies as the baseline to qualify for cyber risk coverage.
SEC’s New Discloser Rules
For carriers, up until recently, there wasn’t enough data to analyze the likelihood of an attack or what it’d cost, but recently, the U.S. Securities and Exchange Commission (SEC) passed a rule that requires organizations to disclose a breach within 4 working days after the incident is determined.
Over time, this will help provide more visibility into the threat landscape, and help leaders make better risk assessment.
In the current landscape, cyber insurance is an essential element of the security posture, but it is not made mandatory yet. Experts worry that escalating premium prices may make purchasing difficult for smaller companies.
Max Mortillaro, industry analyst, points out that having cyber coverage, if one can afford it, is a great addition, but it is not a silver bullet. “It’s more of an add-on to make sure that you have this extra buffer rather than something which is going to save you because the cost, if you want to embed everything into such a policy, is going to be astronomical. So, it doesn’t make sense economically.”
Be sure to catch the full discussion, and other interesting presentations from the recent Security Field Day event.
