A New Cyber Insurance Model: Continuous Control Validation Report
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
Insurance is a historical lever for hedging risk that dates to the ancient world. Few modern-day objects or events prove incapable of protecting as insurance companies devise policies for personal (home, auto, life, umbrella, etc.) and commercial (lawsuits, employee injury, unexpected events, etc.) coverage to reduce the probability of monetary loss. However, consumer choice in private insurance markets requires a profitable business model. Accordingly, insurance companies have determined profitable formulas for pricing risk which are codified in actuarial tables.
Conversely, cyber insurance policies have proven difficult to appropriately price evidenced by mounting insurance industry losses. Cyber insurance emerged at the end of the twentieth century and demand for coverage accelerated in the first two decades of the twenty first century as cyber threats matured and proliferated. Most recently, Ransomware-as-a-Service has proven to be an exceptionally successful criminal monetization model driving increased demand for risk mitigation strategies that includes cyber insurance. Thomas Johansmeyer encapsulates the current situation: “So, prices are low, and the risk is high. This dynamic has negatively influenced the market’s ability to continue to grow at its previous aggressive rate – and has led to a profound shortage of cyber insurance.” Interviews with an insurance broker, insurers, and Recorded Future clients confirm that the cyber insurance market is experiencing an aggressive contraction. Businesses are facing significantly higher premiums to obtain and renew cyber insurance policies with coverage parity. One company shared the prospect of employing ten different insurers to renew a policy with $100M of aggregate coverage. Demand is superseding available supply as insurers exit the market. The U.S. General Accountability Office confirmed these trends, “The extent to which cyber insurance will continue to be generally available and affordable remains uncertain. Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education for the public-sector entities, according to the Council of Insurance Agents and Brokers, Marsh McLennan, and A.M. Best.”
Losing access to private market cyber insurance is a threat to businesses and a disservice to the public interest, similar to personal flood or fire coverage in disaster prone areas. Even if governments must intervene with additional capital (becoming the insurers of last resort) or improved governance, taxpayers deserve a better model for insuring cyber risk. Certainly, reinsurers play a significant role in market liquidity, but even they face “[sic] structural challenges and systemic risks, the increase in cyber-attacks, and an accumulation of exposures. These could include the nonaffirmative exposures we refer to as ‘Silent Cyber.’” The risks remain opaque for insurers and reinsurers due to the difficulty with international cyber-attack attribution and the complexity of technical business operating environments. Further, technical control efficacy frequently changes, leaving point in time assessments lacking and traditional underwriters’ dependent on third-party auditing services that provide only partial exposure visibility. An improved underwriting model is required to restore insurer faith in risk exposure and expand the global cyber insurance market to the benefit of the global economy.
Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.