The number of organisations that will either be unable to afford cyber insurance, end up with insufficient coverage or be refused a policy altogether looks set to double in the next 12 to 18 months, as a combination of more stringent global regulation and increasing threat volumes takes its toll.
This is according to Australia-based risk management and monitoring specialist Huntsman Security, which is today warning that this means organisations will no longer be able to rely on cyber insurance policies as a silver bullet in the event of a serious incident.
Huntsman CEO Peter Woollacott said that recent and upcoming regulatory changes, such as new EU laws, revisions to NIST’s cyber framework, stricter demands from the Financial Conduct Authority and new guidance from the Information Commissioner’s Office, meant risk is becoming harder to quantify, and proving compliance is an ever-more demanding job.
“Factors like the supply chain crisis, inflation and skill shortages are all adding to the difficulty for organisations trying to execute on their cyber security strategy,” he said. “At the same time, increases in insurance premiums, limits on coverage, increasing underwriting rigour and capacity constraints are all limiting the accessibility of cyber insurance for many.
“Loss ratios will not improve until premium incomes better match the current level of payouts,” said Woollacott. “With this reduced insurance access alongside increasing cyber threats and tightening regulations, many organisations are losing cyber insurance as an important risk management tool. Even those who can still get insurance are paying a prohibitively high cost.”
With at least a third of UK firms experiencing some kind of cyber attack every week, cyber insurance has come to form a critical element of overall risk management strategies – as previously explored by Computer Weekly – and while it is true that insurers are seeking to improve the quality of risk information so that premiums may better reflect the true cost of risk, unless organisations can demonstrate they have the insurer-specified controls in place to manage said risk, insurers will continue to have difficulty quantifying it.
Therefore, said Huntsman, insurers are changing the basis on which they offer their policies to reflect the risk being underwritten more accurately, and in such an environment, improving and demonstrating the effectiveness of one’s security controls will become even more essential for organisations that want the best chance of getting an appropriate policy.
Such controls will naturally vary between policies, but are likely to include the implementation of multifactor authentication, endpoint protection, restricted admin rights, patch application, staff awareness and training, regular backups, and tested business resilience and disaster recovery planning.
This recalibration will also likely centre third-party risk emanating from supply chains, said Woolacott. “Organisations must not just protect themselves but take responsibility to ensure their suppliers, partners and stakeholders are doing the same,” he said.
“The best way of achieving this is to follow best risk management practice to ensure that your organisation employs effective security controls to quickly identify and manage any emerging cyber risk. This will give businesses the best chance of identifying potential cyber security weak spots, and if the worst happens, still being able to benefit from a cost-effective cyber insurance policy that funds containment and recovery activities.”
If other lines of insurance are any guide, said Huntsman, adopting appropriate security risk management and controls will push insurers to improve their risk pricing models, rewarding those who have made the effort with more favourable pricing.
“Right now, the cyber insurance sector is driving security controls world-wide,” said Woollacott. “And even when legislators, regulators and the courts have caught up, it will still be insurers seeking to improve the quality of their risk pricing information that will set security terms.
“Organisations should ensure they are able to take advantage of any improvement in terms offered by enhancing their security controls and posture.”