Why breach-likelihood will be a game-changer for mandating cyber insurance
According to a Cybersecurity Ventures report, 2021 was predicted to see one cyberattack every 11 seconds, and the cumulative cost of repairing the damage after these cyber incidents will soar to over $6 trillion in 2022.
As the digital business ecosystem expanded and the attack surface grew in tandem, cybersecurity investments have remained product- and service-driven. However, this approach only allows enterprises to accept or improve their cyber risk posture. Now, as the costs to manage and mitigate cyber risks rise (the average ransom demand increased by 170 percent from 2020 to 2021), businesses are seeking to 'transfer' their cyber risks through insurance. Last year alone, cyber insurance claim frequency increased by 46 percent for IT services, 53 percent for professional services, and 263 percent for the industrial industry, according to a report by Coalition.
As the onslaught of cyberattacks continues, I predict that the quantum of cyber insurance needed to protect against ransomware and other threats will be mandated, at least in some geographic regions and industries. Similar to auto liability insurance, businesses in at-risk industries such as financial services, healthcare, logistics (for supply-chain), and power, will be required to have a minimum level of cyber insurance. For instance, companies may be required to cover at least two percent of their annual turnover to protect against widespread industry disruptions.
The missing link in cyber insurance:
Akin to putting a black box in a car to track driving behavior, cyber insurers need to predict potential enterprise breaches to price premiums more accurately, change cybersecurity strategies from within and reduce the chances of a claim settlement.
Although the insurance industry is mature in terms of predicting risk, cyber insurers have yet to standardize a real-time prediction model. Consequently, the industry is seeing an almost-arbitrary increase in premiums as coverage clauses and amounts drop significantly. The average pricing for cyber policies increased 5-10 percent from 2019 to 2020, and the direct loss ratio for stand-alone cyber coverage reached 73 percent in 2020 from 47 percent in 2019, representing the highest loss ratio ever recorded since cyber data has been included in financial reporting.
Today’s methods to assess premium costs are based on point-in-time and ad-hoc audits, cybersecurity reports, and subjective abstractions that are inadequate to inform insurers of the likelihood of cyberattacks in the future. Similarly, businesses are also passively relying on insurers to quote premiums that are 'fair' without any standard guidelines. As cyber insurance becomes a key aspect of enterprise risk management and cyber risk appetite calculations, there needs to be a real-time, enterprise-wide quantification of cyber risks and the business's likelihood of being breached.
The advantages of predicting breach-likelihood:
A deliberate shift from both parties to adopt a standardized means to measure, manage, and mitigate cyber risks in real-time through breach-likelihood prediction will create the benefit of knowing the full risk picture. It will enable cyber insurance providers to have a dynamic view of who they are covering and the risk they are underwriting. Given the number of dynamic parts in enterprise businesses, including people, third parties, technology, and cybersecurity products, cyber risk quantification can be a game-changer for cyber insurance. Businesses and insurers can leverage the power of prediction-based cyber insurance to forgo traditional point-in-time and ad-hoc audits and instead establish policies that decrease claim settlements.
Saket Modi is Co-Founder and CEO at SAFE Security.