5 Cyber Insurance Trends To Watch Right Now
The pricing surge has slowed, but will it last? And what’s the deal with the ballooning questionnaires? Here’s what you need to know about how cybersecurity insurance is changing.
In 2023, cyber insurance is not only evolving itself in major ways — it’s also prompting unprecedented changes in cybersecurity investment at the SMB level, experts and solution providers told CRN.
Increasingly, smaller businesses are being hit with ransomware and other crippling cyberattacks, or are being targeted by hackers as a jumping-off point to reach bigger fish, according to cybersecurity experts. For many SMBs, such attacks are “going to put you out of business if you didn’t get cyber insurance,” said Novacoast CEO Paul Anderson.
But until now, many haven’t.
To obtain cyber insurance, many SMBs will need to invest in an array of security capabilities that until now they’ve never been forced to implement. Those include multi-factor authentication (MFA), in place of the traditional password-only approach, and endpoint detection and response (EDR) for a more-modern approach to protecting laptops and other devices than standard antivirus.
For SMBs, “you’re not going to be able to get insurance unless you do all of these security [upgrades] — or you’re going to pay a whole lot more for it,” said Anderson, who also co-founded Novacoast, a major cybersecurity services provider and No. 263 on CRN’s Solution Provider 500.
Ultimately, with cyber insurance and its related security requirements coming to more SMBs, “I think it’s very impactful,” he said. “I think it’s a huge change.”
At the same time, the cyber insurance market itself has been changing in significant ways — not all of them bad. First and foremost, pricing for cyber insurance has cooled off in 2023, particularly in the U.S.
Still, to get a policy, the cybersecurity requirements — and the questionnaires — just keep growing in size and complexity.
For CRN’s Cybersecurity Week 2023, we’ve spoken with cyber insurance experts on the major trends impacting cyber insurance, and also heard from solution and service providers about the biggest ways cybersecurity insurance is changing for them.
On the whole, when it comes to the cybersecurity requirements placed on businesses, “insurance is taking over the entire compliance space in many ways,” said Bill Young, managing partner at cybersecurity solution and service provider Optiv, No. 24 on CRN’s Solution Provider 500.
For many organizations right now, “the goal is to become insurable,” he said. “And if you can do that, you’ll probably be PCI [Payment Card Industry] compliant.”
What follows are the details on five key cyber insurance trends to watch right now.
More SMBs Need It
The escalating need for SMBs to obtain cyber insurance is coming from multiple directions, experts said.
Not only are hackers hitting small businesses more often than in the past, but there’s also a growing recognition that in today’s economy, everyone is connected when it comes to cybersecurity, experts said. Larger companies are increasingly thinking about their third-party risk, said Andy Anderson, founder and CEO of DataStream, an MSP-focused cyber insurance broker and services firm. The 2013 breach of Target via a third-party HVAC contractor is often cited as a prime example, he noted.
This is a big issue for SMBs to be aware of, given that large businesses often try to structure contracts to push any liability they can onto their suppliers, Anderson said. “As part of those contracts now, it’s often including cyber insurance requirements,” he said.
Until now, many SMBs have never felt it was necessary to invest too heavily in their cybersecurity, Novacoast’s Anderson said.
“This cyber insurance paradigm is changing all that,” he said. Without a doubt, requirements to attain a stronger security posture are “now flowing down to the midmarket and the SMB.”
Bruce McCully, CEO of cybersecurity assessment and consulting firm Galactic Advisors, pointed to other heightened compliance pressures that are impacting SMBs. Those include the FTC Safeguards Rule, which requires data security measures for financial institutions of all sizes, even down to small accountants and tax preparation firms, McCully noted.
All in all, “we’re seeing more and more compliance requirements moving downmarket,” he said. “And cyber insurance has led the pack.”
Pricing Has Leveled Off—For Now
Driven by the onslaught of ransomware attacks, cyber insurance premiums went through a period of stunning price hikes in 2020 and, especially, in 2021. The pricing surge peaked in late 2021, when cyber insurance pricing was up 133 percent from the year before, according to global figures from Marsh McLennan.
The increases have cooled off since then, and as of the second quarter of 2023, pricing was pretty much flat — up just 1 percent globally year over year, Marsh McLennan reported. In the U.S., cyber insurance pricing actually declined 4 percent in Q2 from a year ago, the firm said.
The leveling-off in premium pricing correlates to the decrease in ransomware activity (and thus, fewer ransom payments and business disruptions that need to be covered). The pricing slowdown could also be due, in part, to improved risk control and better underwriting, according to Brian Mahon, an adviser at independent insurance agency EHD Insurance.
Still, the softening around pricing is not universal across policies, according to DataStream’s Anderson. And in any case, “I’m not sure how long that’s going to last,” Anderson said. There are, he noted, indicators that cybercriminal groups have “started to get a little bit more active.”
While ransomware activity remained low during the first quarter of the year, there were signs of a rebound in the second quarter — with ransomware attack volume jumping 74 percent quarter-over-quarter, according to data from SonicWall.
More recently, a series of ransomware strikes against targets including casino operator MGM and hotel chain Motel One have brought the highly disruptive attacks back into the headlines. And in late September, the FBI warned of a notable increase in “dual ransomware attacks” — in which threat groups unleash “multiple ransomware attacks on the same victim in close date proximity.”
The Questionnaires Are Longer
Anyone who has applied for cyber insurance recently will know about this trend: The questionnaires “just keep getting longer and longer,” Young said.
The underlying issue is that the insurance industry still “doesn’t understand the cyber space well enough,” he said. “So each time they get burned, they add another 50 questions.”
DataStream’s Anderson said he’s also seen this expansion of cyber insurance questionnaires to an unwieldy size in recent years. On top of that, “you might have to fill out multiple applications for different carriers,” he said.
That’s a common scenario, according to Wayne Hunter, president and CEO of AvTek Solutions, who helps advise clients on filling out the questionnaires. And to make matters worse, the questionnaires are “all different,” he said. “There’s not a standard [set of questions].”
Optiv has been working with the carriers to try to improve the situation, Young said. The hope is that the insurers will “stop adding questions and start adding more tangible validation,” he said.
For example, insurers could require a penetration test to validate the security posture of an organization, according to Young.
“I think that will allow them to create a higher level of assurance and trust,” he said — “instead of just asking questions that, frankly, are not the right questions.”
The Requirements Are More Detailed
The standard set of requirements to get cyber insurance has not changed much in 2023, experts said. Most insurers continue to look for MFA, employee security training, EDR (or managed detection and response), data backup and a strong password policy (including password rotation).
However, many cyber insurance providers now want to see more-specific details around these required security measures. For example, many now not only ask if the applicant has backups, but also: “Are those backups secured with MFA? Have you tested those backups?” DataStream’s Anderson said. “They’re getting much more fine-grained in terms of the questions.”
In addition, the details expected by insurers are sometimes getting unrealistic, AvTek’s Hunter said. He recounted seeing questionnaires that ask for the number of records containing personally identifiable information (PII) at an organization, as well as the specific location of the PII-containing records and the protections around the data.
“A typical client can’t do this,” Hunter said. “They don’t have the tools to do it.”
Reading The Fine Print Is More Crucial
Cyber insurers aren’t just adding questions as the threat landscape evolves — they’re also adding new exclusions into policies, experts said.
A well-known case was the move by insurance marketplace Lloyd’s to require stronger exclusions for state-backed cyberattacks related to war in the wake of Russia’s attack on Ukraine.
Optiv’s Young said he also expects that organizations will find it more difficult going forward to get coverage for high-cost attacks such as business email compromise (BEC). The average cost of a BEC attack is now $4.7 million, according to IBM, and the FBI has said the attacks cost a total of more than $2.7 billion to U.S. organizations in 2022.
But exclusions aren’t the only area where applicants should be paying close attention. For example, another measure now baked into many cyber insurance policies concerns cases of a “neglected” software vulnerability, EHD Insurance’s Mahon said in July.
“Essentially they’re referencing this Common Vulnerabilities and Exploits list, and saying, ‘If you don’t address these in [a certain] timeframe that your coverage will slowly decrease,’” he said. “That’s something to be wary of.”
Additionally, Mahon said he received notice this summer that at least one carrier — which lacked a blanket statement related to neglected software vulnerabilities — was adding “special wording” to policies about the critical MOVEit vulnerability. Attackers exploiting the vulnerability in Progress’ MOVEit file transfer software have breached more than 2,300 organizations, according to a tally by Emsisoft.
Typically, however, cyber insurers are “not trying to pull a fast one on you,” DataStream’s Anderson said. The bigger issue for most organizations is, “you didn’t read the policy,” he said.
“You didn’t really know what you had here,” Anderson said. “You thought you had coverage — but then you went to go pull the parachute, and you realized that this was not really a sufficient parachute.”