MSSPs can help insurers improve the pricing of their premiums, but how can this be achieved?
Cyber insurance premiums have risen exponentially. Premiums rose by 92% in the UK in the final quarter of last year and, exacerbated by Russia’s invasion of Ukraine and the prospect of cyber warfare, this trend has continued through 2022. As a result, cyber insurance has quickly become unaffordable for SMEs in particular, with almost 30% cancelling their policies in 2021 to save money.
For smaller businesses in the UK, rising premiums have unfortunately also been paired with a struggle against the cost-of-living crisis and spiking energy costs. External pressures on already protracted cybersecurity budgets have forced SMEs to make a choice in what they invest in: cybersecurity or cyber insurance. But neither alone is fit for purpose. All businesses, small and large, need cost-effective and commercially flexible cybersecurity and insurance solutions which can only come from cross-industry collaboration between MSSPs and insurers.
The difficulty of quantifying risk
The economic digital transformation has created many opportunities but has also generated extensive cyber risks. The insurance sector has been identified as an area to improve global cyber resilience and cyber risk management. In addition, awareness of cyber risks has greatly increased by the general public, who witnessed a rising number of attacks during the Covid-19 crisis, including critical infrastructures, such as hospitals.
Security has not always been the top priority for devices that connect to the internet, as innovation was always a priority. As such, many of the vulnerabilities introduced for businesses are not fully insured today, and the number of companies purchasing cyber insurance is still relatively low. As a result of this, many cyber losses remain uninsured.
There is no one size fits all approach when it comes to quantifying cyber risk for an insured or potential insured. Cyber security is constantly evolving and there are numerous variables that dictate the premiums of cyber insurance.
One aspect of quantifying cyber risk is professional indemnity, which involves looking at what risk an insured or potential insured brings to the table. This information can provide details of historic claims which can be quantified, helping to better understand how that risk might look moving forward. Cyber risk is precarious, as there is so much diversity within the market in terms of how insurers quantify that risk, and what sort of benchmarks they look at in terms of security, which makes it difficult to foresee how it could be formally mandatory. In some industries, it is almost mandatory by default, due to contractual requirements that are placed on some companies. For example, anyone working with a local authority or within the health service, it doesn’t really matter what they’re doing, there is an expectation that there will be cyber cover in place.
This can be quite prohibitive, as increasingly the market is becoming tougher in terms of the security prerequisites required to get insurance. There are many instances where organisations are unable to acquire cyber insurance coverage and are at a loss for what to do in that instance. Taking that into account, it is difficult to see how cyber risk insurance could be made mandatory until the market matures, which is going to be a real driver in making it more accessible.
Development trends within cyber insurance?
A trend that has come to light since 2021 is the large impact of ransomware cases, which have resulted in severe losses. In reaction to this, the risk factor of the insurance sector has changed. Another important trend that has been identified by AXA is the move from ‘silent’ to ‘affirmative’ policies, that is, being explicit about what is included and what is excluded from policies.
The reinsurance community have already started exploring these questions with numerous mandated insurers being explicit in their policies and giving insurers 24 months to roll out the changes. Many in the reinsurance industry are now asking their clients whether their policies are silent or affirmative, which is driving the behaviour of the insurance sector on all lines of business. This is not only affecting the direct cyber products themselves but also those products where cyber is a peril in other lines of business such as property or liability. There is also an increasing global awareness of cyber risks and losses, with small businesses starting to buy stand-alone policies covering cyber with higher limits, as opposed to insurance packages that include cyber.
How should business leaders quantify cyber risks?
Another limitation to quantifying cyber risk is the awareness of company directors. Many differ in how they perceive the risk and whether they should address it through a combination of applying a cyber security budget, self-insuring the risk or whether they want to transfer it to a specialist cyber insurer.
Why cyber risk questionnaires are not fit for purpose
If you’re a business looking to purchase cyber insurance, you would think it’s like navigating a minefield before you can even get there. A primary reason is that the insurers have had to standardize their questions because ultimately, it’s not one size fits all. There are various insurers specialising in different industries, requiring them to capture as much information for as many businesses as they can without going too niche into one specific sector.
If you’re a manufacturing business, you might have an operation technology set of questions in addition to a ransomware form, and that’s in addition to the application form. If you’re completing this form as a business, there are potentially thirty pages of questions to complete. The problem is that many of these questions are closed-ended.
For example, a business may have to utilise Multi-Factor Authentication (MFA), which is rolled out across their emails but not within their backups. They tick ‘yes’ on the questionnaire. However, in the event of a claim, the insurer will dig deeper and uncover the fact, but the business ticked ‘yes’ on the questionnaire. The clients are doing everything that is being asked but there is a clear separation between what is understood and what is expected. The caveat is that if they go any deeper in the questions being asked, it could make the insurance industry uncompetitive and potentially uncommercial.
Vulnerability Scan Insights
Insurers need to understand the nuances of each client with insights from performing vulnerability scans. In the instance of MSSPs working with professional indemnity brokers, all clients are vulnerability scanned before their insurance is provided. Similar to the black box scenario when a car insurance provider brings on board a new client. As long as all critical threats are remediated, their insurance policy may remain in place. When it’s time for renewal, another vulnerability scan is performed.
Vulnerability scanning serves an essential purpose for insurers. If an organisation prioritises regular scanning, it acts like a black box for a car. It helps reduce the insurance because you know that they’re a lower risk and that their ‘driving carefully’. There is valuable insight due to the technical overview of the company that is available through the vulnerability scans, making the question of ‘how risky are you to insure?’ much easier to answer. Insurers can receive up-to-date data on a customer’s cyber resiliency, and consequently more accurately measure risk and price premiums. Real-time data should be provided by MSSPs to insurers and play a more central role in cyber risk assessments and cyber insurance policies for everyone’s benefit. Insurers need to start using this type of technology and allow the intelligence of the software to provide the answers they’re looking for.
One of the biggest problems in the cyber realm at present is the lack of collaboration between MSSPs and cyber insurers to help quantify cyber risk. The question is how they can work together to benefit themselves, their customers, and the cyber insurance market. It’s the role of MSSPs to support organisations in achieving a strong foundation of cyber hygiene and improving cyber resilience with a proactive, combined cybersecurity solution. From there, a company will be better positioned to approach insurers and secure lower premium costs.
Regular vulnerability scanning identifies unknown vulnerabilities in internal and external systems, enabling an organisation to respond to and remediate vulnerabilities before cybercriminals can exploit them. Vulnerability scans can also include Dark Web monitoring to detect if compromised business credentials are for sale on the Dark Web.
The importance of annual check-ins twice a year should also not be underestimated as this can make a huge difference to cyber insurance. Completing these checks and getting to know the client before they have to pick up the phone to report an issue; understanding how their systems are calibrated; how they store their data before we have to sit in a room with them having crisis talks.
Insurers also need to start looking at cyber risk slightly differently. Many primarily assess the amount of damage that can be done, and how much reactive services would cost in the event of a data breach. They need to move their focus away from viewing this as the primary consideration and start analysing how safe and secure an organisation is and what proactive measures are in place. How mature is this company’s cybersecurity, how many attacks have they mitigated, and how regularly is vulnerability scanning used to provide a reliable, real-time risk posture? Working with trusted partners in the cybersecurity industry is crucial to help shift this mindset, enabling insurers and MSSPs to embark on collaborative partnerships and reduce risk together.
Cybersecurity experts and insurance shouldn’t be at odds with each other. The two can, and should, work together to find new and better ways to measure cyber risk, and price premiums, and protect customers.