When cyber insurance first became available in the 1990s, there wasn’t much need for it, or at least so people thought. The internet as we know it today was still in its infancy, and most organizations didn’t see the point of cyber insurance. The original policies were written to cover liability related to software errors and media content.

As we moved into the 21st century, the internet became entrenched in everyday business operations and blurred the boundaries between personal and corporate. As a result, the need for cyber insurance took on greater urgency. Data breaches, DDoS attacks, ransomware — virtually any cyber incident that compromised sensitive data or put an organization at risk for lost business made investing in cyber insurance policies look more appealing. But how has the rise of cyber insurance impacted cybersecurity as a whole?

Are you eligible for cyber insurance?

Normally you purchase insurance to protect yourself, your property or your business interests in case something bad happens. Car insurance, for example, is required to operate a vehicle, but you don’t have to do much more than purchase it to obtain coverage. A life insurance policy might require a physical, but for most people, that’s not an issue. Some policies, like flood insurance, do have conditions that must be met before the purchase can be made, but those are predetermined, such as living in an area prone to flooding.

Cyber insurance is different. You can’t just call an agent and request cyber insurance to cover your losses if your network is breached. Being eligible for cyber insurance requires your cybersecurity program to meet certain standards. In addition, you must maintain those standards to continue coverage.

Attackers change tactics

These standards alone have been the push that some organizations needed to improve their overall cybersecurity posture. That in itself has impacted cybersecurity overall. But over time, as defending against attacks became more complicated, too many organizations have let their programs stagnate. Premiums are increasing, and at the same time, insurance providers are becoming more selective about what they will cover and what they will pay out.

“While ransomware continues to be a dominant risk, we are seeing tactics change, including the rise of other forms of extortion as well as funds transfer fraud,” Jason Rebholz, chief information security officer at Corvus Insurance, said in a prepared statement.

Cybersecurity has become more fluid, Rebholz added, and attackers are shifting their methods. This makes it harder for organizations to put the best protections in place, which impacts cyber insurance in turn.

How cyber insurance improves your security systems

Cyber insurance was still relatively new in the early days of the Obama Administration. However, that didn’t stop members of the Department of Homeland Security from touting its value. One point that jumps out is cyber insurance’s advantage over governmental regulation as a means to improve your cybersecurity program.

“Governmental regulation results in an emphasis on meeting basic minimum standards, whereas insurance results in companies striving to adopt — and improve upon — best practices,” a government white paper declared.

“Fear of legal sanctions can force companies to maintain a set of minimum standards, as cyber insurance does, but unlike cyber insurance, it does not provide any incentive to do better,” the white paper also stated, adding that the widespread adoption of cyber insurance will produce better security.

Examine your risk levels

So the idea of using cyber insurance to improve your security posture has been around for a long time. With almost two decades of hindsight, we can see that cyber insurance hasn’t replaced the need for government regulations. However, it did put in place a process for evaluating and improving an organization’s security posture.

Again, you can’t simply decide to purchase cyber insurance and sign a check to an agent. It is a process that will examine your organization’s risk levels and tolerance, looking in-depth at areas that include:

  • Your business industry. Industries like finance and banking will have different security issues to cover than healthcare or retail, for example.
  • The type of information your company stores and transmits.
  • Your formal cybersecurity program, controls and tools.
  • Auditing procedures.
  • Backup and data loss protection policies.
  • Compliance regulations and how well you meet them.
  • Security history, including data breaches and other cyber incidents, and the corporate response.

Because premium dollars can add up, organizations will be selective in the areas they decide to cover. Again, this benefits overall cybersecurity efforts because it forces organizations to be better aware of everything within their network. This especially applies to where they store sensitive data, how they use it and where they are most vulnerable to threats. A lack of visibility into systems has always been one of the biggest threats to data and networks. Cyber insurance forces organizations to have a better idea of their risk posture and the steps needed to improve.

Rethinking the approach to ransomware

Many organizations relied on cyber insurance to cover the costs of a ransomware attack, primarily reimbursing the ransom. That’s changed. According to the National Association of Insurance Commissioners (NAIC), the premiums for ransomware policies have increased substantially over the past few years, as have the number of claims for ransom and extortion. The FBI has advised against paying the ransom since that doesn’t guarantee the data will be released, and that has played into some cyber insurance companies’ decision to rethink their ransomware coverage.

With the increase in premium costs and the decrease in the number of insurance policies available, ransomware has taken on a new level of liability for organizations. This means companies need to revamp how their internal cybersecurity policies and programs address ransomware attacks. Policies may explicitly state whether the company will pay a ransom and how much it will invest in data loss prevention (DLP) and recovery tools. Note that DLP tooling addresses data exfiltration (the lever behind double-extortion attacks), while the ability to recover from encryption depends on offline or immutable backups and restores that have actually been tested.

Cyber insurance has been a godsend to many organizations that would have otherwise struggled to survive after a serious cyber incident. But no one wants to deal with insurance claims in the first place. Instead, cyber insurance has changed the way organizations should build and structure their cybersecurity programs. The more prepared you are to be approved for an insurance claim, the better prepared you are to avoid a cyber disaster overall.
