The challenge of Underwriting Cyber Insurance
Customer data is now a company’s most indispensable asset when it comes to their business growth strategy and the regulatory penalties and consequences for not protecting this data have grown significantly larger in recent times, the consequence of a critical data breach will potentially put a company out of business.
Insurance has existed in one form or another for a millennium and because of the guarded nature of the business the industry has historically been somewhat slow to change its modus operandi, but the risks to businesses from cyber-attacks have forced the insurance industry to react by designing cyber-related products.
Cyber Security and Insurance are similar in that the only time you are glad you invested in either, is right after you have had an incident that may cost you considerably.
If an individual is injured while under your care, you probably have an insurance policy in place to cover any potential liability. Shouldn’t the same be in place for your company if your customer’s data has been compromised?
Cyber Crime has created a new market for insurers as traditional cybersecurity solutions do not always stop cybercriminals (or nation-states) from delivering their more complex and targeted attacks.
The GuardYoo lab can verify that Malware such as NotPetya and WannaCry are behind the most recent destructive attacks.
These ransomware incidents have led to significant claims against cyber insurance policies.
The challenge for insurers is that they can’t be sure if their policyholders were breached before the policy was issued and therefore cyber insurance is very hard to underwrite.
For insurers, costs relating to a major cyber incident can extend into the hundreds of millions.
“Cyber incidents are one of the primary threats to the connected economy,” says Artem Mykhailov, Product Director at GuardYoo. "Because all modern devices are now connected, any data contained on these devices is vulnerable to theft, while the network itself is exposed to possible disruption, and in some cases in industry, the failure of entire production lines and supply chains,”. “The monitory costs of major cyber-attacks will easily exceed losses incurred by traditional physical theft”, says Mykhailov.
Insurance companies are forced to manage their risks with comparatively low caps and broad exclusions. A policy holder’s remediation and notification costs may be covered but what’s more concerning to the client will be their reputational damage, loss of IP or the costs of post-breach forensics.
Cyber insurers are simply not able to underwrite every situation because they cannot access data to help them understand the potential risks involved, so it’s not surprising that cyber insurance is not as easily obtainable as you might expect.
It’s estimated that only a third of U.S. organisations have been issued with some type of cyber insurance.
One positive to emerge from the increase in the necessity for cyber insurance is the requirement for organisations to undertake a Compromise Assessment audit prior to a policy being issued.
Having an independent Compromise Assessment audit will help determine existing vulnerabilities and identify weak cyber policies.
"Insurance is no substitute for having robust cybersecurity policies and insurers are entitled to refuse to cover vulnerabilities that are highlighted in the Compromise Assessment audit," says Darren Sexton CEO of GuardYoo.
"The upside of being asked to undertake a Compromise Assessment audit by the insurance company is that the organisation gains an accurate picture of their true cybersecurity posture and can use the information to eliminate these vulnerabilities and thus help reduce the cost of their cyber insurance premium" adds Sexton.
The GuardYoo Compromise Assessment platform is ideal for Insurance companies who are currently being asked for Cyber Insurance but are not sure of the risk involved.
With the aid of the GuardYoo platform, insurance companies can have potential clients carry out a Compromise Assessment audit of their network to determine the risk exposure and thus be able to offer the best value
The insurance company can become more than just an insurance provider, they can become a trusted cybersecurity advisor to their clients by helping them manage their ongoing security risks.
GuardYoo can work with insurance companies to create a scoring mechanism to help establish baseline policy premiums.
For more information please contact us at dsexton@GuardYoo.com