Cyberinsurance Is Still Expensive

Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 10 August 2022

There are certain immutable laws of economics, though not all of them are well received. One such law is the mechanism by which organizations price their products and services. They consider their costs (e.g., labor costs, regulatory costs, taxes) and apply some percentage to account for profit (ignore, for a moment, the concept of loss leaders). Regardless of how complex a product or service is, some iteration of this basic formula is leveraged. This is also true in the cyberinsurance market.

Responding to a significant increase in ransomware incidents, cyberinsurance carriers increased their rates in 2020 and 2021, according to a report from Marsh. Because of the rise in claims (both in frequency and magnitude), the collective industry needed to adjust its variable for cost in the mentioned simplified formula. The report also discusses how costs leveled off in 2022, but remain higher than in 2020.

There are several additional insights that can be gleaned from the report:

  • Frequency and magnitude of loss are immutable variables of risk assessments. Any assessment of risk, whether conducted by an insurer or an internal audit team, that does not assess and express results using these variables should not be considered a risk assessment.
  • Although Marsh represents only a portion of the total market, an interesting table in the report shows the frequency of claims (i.e., loss events) dating back to 2017. Spoiler alert: Fewer than 300 claims are made per year. While most organizations experience security events daily, only a fraction of them become true loss events that require the organization to file a claim to recover its losses. These are the events for which organizations spend money on cybersecurity programs.
  • There are several ways to reduce insurance premiums. First, policyholders can choose lower limits (i.e., transfer less risk). Second, and a corollary to the first, policyholders can choose higher retention values. The first US dollar of loss is always the most expensive to insure, so the higher the retention (i.e., the deductible), the more affordable the policy becomes. Finally, premiums can be reduced by demonstrating good security.
  • While reducing insurance premiums is a desirable outcome, the ultimate goal for many organizations is to reduce overall risk to an acceptable level. To achieve this, an organization can take measures to improve its security posture. Alternatively, it can choose to exit certain business endeavors (reducing the so-called inherent risk). This can include exiting lines of business, geographies and technologies. Those factors are represented by an organization’s firmographics. In the Marsh report, certain industries are said to have higher rates of claims. The sentiment “If you live in a dangerous area, you should not be upset when dangerous things happen” comes to mind. In other words, it makes sense that industries that face more cyberrisk are prone to more claims. It should be noted that altering firmographics as a cyberrisk reduction method is not as common as improving security posture.
  • There are 2 ways organizations can manage the financial impact of cyberevents. First, losses can be transferred to another organization (i.e., cyberinsurance can be purchased). In this case, the purchasing organization is essentially buying down future losses using today’s dollars. Another way to manage risk is to increase savings to help withstand future losses. In financial services organizations, these savings are known as capital reserves. Other organizations may consider their savings as part of a rainy day fund, kept in case something bad happens. When it is indicated in the Marsh report that organizations have increased their retention value or lowered their limits, this is effectively what they have done. It is important that the process of creating the fund includes the actual allocation and setting aside of funds, and is not simply an implicit decision made to pay for any losses out of a current year’s revenue.
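The following is an added illustration (example code, not from the article) of the frequency-and-magnitude view and of the two levers just described, retention and limit. The annual event frequency and the severity distribution are constructed numbers, not figures from the Marsh report.

```python
from dataclasses import dataclass

# Constructed loss model (not Marsh data): annual frequency of claim-worthy
# events and a discrete severity distribution of (probability, loss in USD).
FREQUENCY = 0.5
SEVERITY = [(0.50, 100_000), (0.30, 500_000), (0.15, 2_000_000), (0.05, 10_000_000)]


@dataclass(frozen=True)
class Policy:
    retention: float  # deductible: the insured keeps losses up to this amount
    limit: float      # the most the insurer pays per event above the retention


def insurer_payout(loss: float, policy: Policy) -> float:
    """The insurer pays the layer above the retention, capped at the limit."""
    return max(0.0, min(loss - policy.retention, policy.limit))


def expected_annual_payout(policy: Policy, frequency=FREQUENCY, severity=SEVERITY) -> float:
    """Frequency x expected magnitude of the insured layer: the cost input to the premium."""
    return frequency * sum(p * insurer_payout(loss, policy) for p, loss in severity)


def expected_annual_retained(policy: Policy, frequency=FREQUENCY, severity=SEVERITY) -> float:
    """What stays with the insured each year on average: a floor when sizing a reserve fund."""
    return frequency * sum(p * (loss - insurer_payout(loss, policy)) for p, loss in severity)


def layer_rate(lower: float, upper: float, frequency=FREQUENCY, severity=SEVERITY) -> float:
    """Expected annual payout per dollar of limit for the layer from lower to upper."""
    layer = Policy(retention=lower, limit=upper - lower)
    return expected_annual_payout(layer, frequency, severity) / (upper - lower)


if __name__ == "__main__":
    options = [
        ("full cover", Policy(retention=0, limit=10_000_000)),
        ("higher retention", Policy(retention=250_000, limit=10_000_000)),
        ("lower limit", Policy(retention=250_000, limit=1_000_000)),
    ]
    for name, pol in options:
        print(f"{name:17s} insured={expected_annual_payout(pol):>10,.0f}"
              f"  retained={expected_annual_retained(pol):>10,.0f}")
    # The first dollars of loss are the most expensive to insure:
    print(f"layer 0 to 250k:      {layer_rate(0, 250_000):.3f} per dollar of limit")
    print(f"layer 1.25M to 10M:   {layer_rate(1_250_000, 10_000_000):.3f} per dollar of limit")
```

Raising the retention from 0 to 250,000 removes the most expensive layer from the insured cost, while the expected retained loss it leaves behind is the amount that should actually be set aside rather than paid from the current year's revenue.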

Beyond the financial tools that one can use to manage risk, organizations can work on improving their control posture. This is a crucial phase shift in the insurance underwriting process.

By way of analogy, if one wanted to purchase a US$1 million life insurance policy, they would need to undergo a biometric screening. A third party would take their blood and record their weight and height. They would compute the individual’s body mass index (BMI) and screen their blood for drugs and disease. However, if an organization wanted US$30 million worth of cyberinsurance, it would need to fill out a questionnaire and prove that it had good security controls. I expect this business model to shift in the future.

One key change I anticipate is an increase in the use of third parties to validate control postures. This includes the use of standardized methodologies and ratings for assessing organizational security and loss potential. Such cyberratings will become one of the key metrics by which not only underwriters, but also investors and third-party risk management teams, will evaluate an organization’s loss potential. In response to this, some leading organizations have established cyberreputation management groups to manage their ratings and respond to third-party requests for cyberinformation. This is an important complement to third-party risk management teams that review client requests and provide clients with assurances about the organization’s control environment. In the future, an increasing number of organizations will have this role on their cyberrisk teams.

While premiums are leveling off, the hardening of the cyberinsurance market is ongoing and will impact how policies are underwritten. In the meantime, organizations can benefit from improving their security and control postures with the goal of reducing insurance costs.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC

Is a vice president and head of cyberrisk methodology for BitSight, coauthor of Measuring and Managing Information Risk, a 2016 inductee into the Cybersecurity Canon, an ISSA Distinguished Fellow, a FAIR Institute Fellow, an IAPP Fellow of Information Privacy, an (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.