Cybersecurity Expert: Why Are Cyber Premiums ‘Going Gangbusters’?
Five years ago carriers thought of cyber insurance as “stealing candy from babies” but they were totally unprepared for how the market has changed.
Back in the mid-2010s, most cyber-attacks were against international, enterprise-scale firms. The mid-market, firms worth up to about $20 million, was not a big target.
That made it easy for these companies to get cyber insurance: it was low cost, with very little underwriting. Adoption was low, but the process was simple and easy.
It was a golden age for insurance carriers, who thought of cyber insurance as “like stealing candy from babies,” said Wes Spencer of FifthWall Solutions, opening The Channel Company’s MES IT Security conference in Indianapolis this week, which Computing attended as a partner.
“If you want insurance, you’re going to get it,” is how he characterized the market at the time.
How Did We Get Here?
So what happened? How did we get to an insurance market where premiums can go up 10x in a year?
To answer that we have to look back to the late 2010s, when groups like GandCrab realised SMEs were low-hanging fruit. This was the start of ransomware-as-a-service. The volume - and cost - of attacks started to scale, and “carriers were not prepared.”
Demand for cyber insurance “rocketed” up in 2020, and underwriting “began to actually get serious.”
The rate of incidents began to slow last year, which Spencer attributes mainly to most criminal groups operating out of Russia turning their attention to Ukraine - but premiums remain high, and he expects attacks to climb again after the war.
“It’s not that these bad guys are out there holding AK47s, but they are partnering with kinetic warfare… We’ve seen a 200% increase in [cyber]attacks from Russia against Ukraine, and they’re not asking for money; it’s just a smash and grab.”
Premiums are following hockey-stick-shaped growth - “Going gang-busters,” as Spencer called it - but carriers’ loss ratios have followed a similar trend.
A good loss ratio - how much an insurer pays out per dollar of premium - is 15%, but in the cyber industry it’s only ever gone down to 30%, in 2018. Today it sits above 60%.
Because of this, carriers are “starting to draw lines in the sand” in terms of when, why and how much they pay.
“Carriers are operating in 1992 mode,” said Spencer, evaluating risk with questionnaires and “knee jerk” reactions to threats to their bottom line.
Nobody in the audience thought questionnaires were a good way to assess risk, according to an informal poll.
The Future Is Standardization…And Data
To limit payouts, carriers are beginning to bring in standardized minimum requirements across the industry. Five of the most common are:
* MFA everywhere - including your CEO!
* Segregated backups
* Endpoint detection & response and ‘next-gen’ antivirus
* Patching and vulnerability management
* Cybersecurity employee training
This doesn’t necessarily apply to every company. If you’re under $10 million revenue, insurance will normally be granted with minimal checks. The questionnaires start to come in between $10 million and $20 million; and above $20 million “they will go through your security with a fine-tooth comb.”
At the end of the day, it all comes down to data. Premiums today are high because insurers don’t know exactly how to assess risk - cyber insurance still being a relatively new industry - but “insurers are data nerds,” and understanding is coming.
Whether that will lower premiums or not is anybody’s guess.
This article originally appeared on CRN’s sister site, Computing.