Double Trouble for Cyberinsurers

Originally published by Ericom Software.

Written by Stewart Edelman, Ericom Software.

Read Part 1 of this blog, "How Well Will Cyberinsurance Protect You When You Really Need It?," here.

Times are tough for insurers, who face two distinct types of cybersecurity challenges: profiting from the cybersecurity policies they write and protecting their customers’ sensitive personal information from cyberattacks.

Challenge Number 1: Making a profit on cybersecurity policies

The cyberinsurance market is large and growing rapidly. In the US alone, the total cyberinsurance market in 2021 was estimated to be worth $6.5 billion in direct written premiums, up over 50% in just one single year, from $4 billion in 2020. The dramatic growth was driven by a strong upsurge in ransomware attacks in 2020. The surge resulted in some very big payouts by insurers, including one $40 million ransomware payment, leading insurers to raise premiums. The increase in cyberattacks was also a wakeup call to many business executives regarding the risk they faced from cyberattacks, inspiring them to purchase cyberinsurance for the first time.

Before 2020, cyberinsurance was generally a highly profitable line of business for insurers. With a loss ratio between 32% and 45% from 2017 to 2019, well below the 60-70% cutoff for profitable lines, the vast majority of insurers offering cyberinsurance coverage were doing quite well (according to data from the National Association of Insurance Commissioners).

The sharp increase in the reported loss ratio in 2021, from 45% to nearly 67%, indicated that even though the cyberinsurance industry as a whole was breaking even, a lot of insurance companies were racking up big losses on their cyber lines. According to Actuarial Review, the incurred loss ratio at the 75^th percentile was 76.7%, meaning a fourth of the insurers in the market that year likely were showing losses, with the 95^th percentile at 137%, indicating that 5% of the insurers were running sizeable losses.

That same year, two of the top ten cyberinsurance providers reported loss ratios of over 100%, which meant that they paid out more than they collected. Any company can have an occasional bad year, but a loss ratio over 100% is certainly not sustainable. Hence premiums were increased, along with narrower coverage and more stringent cybersecurity requirements for clients seeking insurance coverage.

The challenge for insurance companies is that premiums are set based on actuarial science which relies on historical data. The world of cybersecurity is changing so rapidly that reliable long-term data simply does not exist since the field is both relatively new and very dynamic.

Challenge Number 2: Protecting Insurers’ Own Data from Cyberattack

According to a Global Cyber Executive Briefing from Deloitte,

Cyberattacks in the insurance sector are growing exponentially as insurance companies migrate toward digital channels in an effort to create tighter customer relationships, offer new products and expand their share of customers’ financial portfolios.

The Deloitte report highlights several factors coming together that lead to risk for the insurance companies themselves:

• The move to tighter connections with customers and continuing migration toward digital channels that enable customers to manage their coverage online has required the introduction of new capabilities to insurer IT systems, which in turn create new vulnerabilities and new attack surfaces.
• Insurance companies have a treasure trove of personal information for people who submitted information for price quotes but did not become customers. For customers, they also often have credit card and other payment data. All this data makes insurance companies high-value targets.
• Because of the valuable data they hold, insurance companies attract “professional” cybercriminals with deep resources and the ability to launch sophisticated attacks that combine advanced malware, social engineering, and cutting-edge techniques.

Cybersecurity for the Insurance Industry

Insurers who offer cyber policies are optimally positioned to encourage – even incentivize – organizations across all sectors to adopt cybersecurity best practices.

But first and foremost, they need to set a strong example for their clients by applying those best practices to their own IT environments, protecting the large volumes of sensitive data in their own databases.

Beyond that basic step, by declining to write policies for companies with poor cybersecurity practices, or offering discounts for companies that are diligent about following best practices, they can encourage greater cybersecurity across all industries – an outcome that is good for everyone.

Today, cybersecurity best practices means implementing a Zero Trust framework, which starts with the assumption that every user and each packet on the network is suspicious. A Zero Trust framework includes techniques and protocols such as robust Identity and Authentication Management, a Cloud Access Security Broker (CASB), Remote Browser Isolation (RBI), and Microsegmentation.

A Secure Service Edge (SSE) platform offers insurance companies as well as their cyberinsurance clients a quick, simple way to transition to state-of-the-art cybersecurity by implementing a comprehensive Zero Trust solution that lowers risk for all parties.