Buying a cyber insurance policy is considered an effective way to manage residual cyber risk. Insurance carriers have jumped into the category. While still small by insurance industry standards, cyber insurance is now a $9 billion business, projected to reach $38 billion by 2030. However, there may be some bumps on the road to accompany this 15% compound annual growth rate (CAGR).
A recent report from Delinea, maker of privileged access management (PAM) solutions, reveals that 80% of companies have used their cyber insurance policies. The report is based on a survey of 300 US-based IT decision makers. Eighty percent is a high number. Indeed, cyber insurance carriers are starting to require policy holders to establish, and verify, that they have more security controls in place, with the goal of reducing how many policy holders turn to their cyber insurance when they suffer an attack.
According to Joseph Carson, chief security scientist and advisory CISO at Delinea, insurers are now putting hard limits on payouts for incidents like ransomware attacks. He said, “The shock from this latest research is how so many organizations who have obtained cyber insurance have needed to use it, and again half of those multiple times.” He added, “It is almost like continuously crashing your car and not learning from the first one on how you are going to change prioritizing prevention.”
Avishai Avivi, CISO at SafeBreach, which offers attack simulation and “red team” solutions, offered insights into the report and its findings. He said, “Cyber insurance helps cybersecurity professionals manage risk by transferring the cost of a data breach. However, if 80% of companies with cyber insurance are actually using it, insurance providers will soon have to start adjusting their calculations.”
Avivi also offered an automotive comparison: “Think of it this way: if a car insurance company knew that there is an 80% chance that the driver they’re insuring will be in a serious accident, or an 80% chance that the car will be stolen, would it still make sense to offer the coverage?”
He elaborated: “To continue the metaphor, while seatbelts, airbags, and even car alarms might be required before a premium is granted, who knows if the drivers are really using their seatbelts, or turning on the alarm?” As Avivi sees it, cyber insurance providers need to advance beyond simple checklists of security controls. They should require their customers to validate that their security controls work as designed and expected, and to simulate their adversaries so that when an attack does come, it does not result in a breach.
Further to these points, Avivi remarked, “In fact, we’re already starting to see government regulations and guidance that includes adversary simulation as part of their proactive response to threats.” He added, “As this trend continues, we foresee that cyber insurance companies will mandate or incentivize companies seeking coverage to implement security validation and adversary simulation as part of their ongoing security program. This will be especially true for customers in regulated industries or with very high-risk digital assets, such as personal data records.”