This article is by Keiron Holyome, VP UK&I and Middle East, BlackBerry, and it looks at how complex the cyber risks are, and how insurers can place the emphasis on prevention, rather than waiting for cyber claims.
“In this world, nothing is certain except death and taxes,” said Benjamin Franklin in 1789. To bring us into the 21st Century, just add cyberattacks. Because, when it comes to cyberthreats, no industry or company is immune.
When attack is virtually inevitable and resulting costs can run high, how can insurers offer a viable cyber insurance product that is affordable to all sizes of business?
The real cybersecurity threat landscape
In the BlackBerry 2022 Threat Report, our research noted that small and mid-sized businesses (SMBs) are currently experiencing 11-13 attacks per day, per device. Meanwhile, the increase in connected endpoints, working from home, and continued digital transformation of businesses makes the threat surface broader and more complex by the day.
The most widely publicised cyber events of late involved sophisticated ransomware attacks on critical infrastructure and technology companies. The ransomware threat group REvil attacked Acer, JBS Foods, and others, while DarkSide crippled Colonial Pipeline and Avaddon infiltrated AXA. Governments responded to the attacks, with G7 countries and NATO allies putting cybersecurity at the top of the public policy agenda.
But what of the smaller businesses comprising 99% of the economy? These companies are facing a relentless barrage of attacks using a range of less sophisticated, but no less effective, tools including phishing, denial of service, data theft and malware. Emerging cybercriminal tactics such as ‘ransomware-as-a-service’ (RaaS) mean that smaller, even niche, organisations are viable targets for a low-cost, scattergun approach.
Weighing risk versus cost of insurance
The impact of a cyberattack can be devastating. One day it’s business as usual; the next, the organisation can’t process card payments, restock shelves or perform even the simplest of automated tasks. Customers, partners and suppliers could all be victim in the chaos that follows.
Many industries today are highly connected both internally and amongst suppliers, and an attack just needs a poorly protected endpoint, smartphone app, point of sale (POS) system or digital connection somewhere along the supply chain. The IoT-enabled warehouse, supply chain software, or even the electric delivery van are all possible points of entry. It’s a cybercriminal’s playground and a lack of security comes at a price.
Most companies – regardless of size and sector – are not prepared for a cyberattack, even though the costs of the aftermath can run high in terms of remediation, loss of business and impact on reputation. SMBs are typically worst affected, with 60% closing down within six months of an attack.
Yet, in the UK 29% of SMBs cancelled their cyber insurance cover in 2021 citing the rising cost of insurance premiums. When weighing up the risk versus cost of cover, almost a third of businesses opted to take the risk.
Pricing businesses – and insurers – out of cybersecurity protection
The risk of cyberattack is increasing and the cost of remediation is rising, creating an untenable market for cyber insurance provision. Insurers are tightening their underwriting standards and exclusions, while raising premiums to cover escalating risk and potential remediation costs.
Furthermore, authorities are piling on the pressure against paying ransoms, so as not to incentivise the activity, which in turn puts pressure on insurers to reconsider their provisions for cover.
Commenting on the European insurance sector in 2022, analyst firm Forrester predicted that at least one major insurance provider would exit the cyber insurance market altogether. In fact, last year, AXA France – France’s largest general insurer – announced that it would no longer cover the cost of ransomware payments.
The result is a gap in the market for affordable insurance for the very real cyber risks facing businesses today.
Creating a sustainable marketplace for cyber insurance
In the Netherlands, a cybersecurity software provider is set to launch its own cyber insurance product. Having been granted a permit from the Netherlands Authority for the Financial Markets (AFM), the company could now offer insurance to businesses against the risk of cyberattack. But what of the provisions it might set? From conditions of the cybersecurity software selection to limitations on endpoints and locking the customer into deals, this scenario is fraught with conflict.
Far from being the start of a new model in cyber insurance, this is a clear conflict of interest created by a growing chasm between economic forces – demand and supply – and regulatory objectives.
Supplying cybersecurity software and supplying cybersecurity insurance are two very different specialties. Do surgeons insure their own operations? Would you trust them if they did? I suspect not!
The two specialisms of cybersecurity protection and insurance should remain distinctly separate, not only to avoid conflict of interest, but to avoid an artificial foundation where premiums are related to specific provisions for security rather than an informed, actuarial view of risk exposure.
An alternative – and, we would argue, better – solution is to tackle the rising risk (and cost) of attack that is driving up premiums, and thereby create a more sustainable market in which insurance providers are able and willing to participate.
Prevention is better than cure
Creating a more sustainable future for cyber insurance means balancing the perceived risk to businesses with the premiums that are being charged, and the actual marketplace cyber risk with the exposure that insurance companies are willing to accept.
Adopting a prevention-first approach to cybersecurity across industries and businesses paves the way for this balance to be achieved.
Businesses can no longer apply an outdated detection and response approach to cybersecurity, which relies heavily on detection of known threats. This still exposes businesses – and insurers – to all of the chaos that data hacks, malware programmes and ransomware can wreak. Instead, a prevention-first approach stops threat actors at the door, using artificial intelligence (AI) powered machine learning models to identify a threat before it’s run, and before it’s known.
For companies with limited in-house IT resources – particularly vulnerable SMEs – managed services support can also help by adding security specialist resources on a monthly subscription plan. Coupled with the prevention-first approach, managed services support can augment a company’s ability to detect, monitor, respond to and prevent security breaches, maximising operational uptime and reducing the risk of exposure to attack.
Preventing breaches before they happen would dampen the rise in cyber insurance premiums more effectively and over the long term. The result would be a more affordable product for a greater pool of companies that choose to cover their cyber risk, and a more attractive, sustainable market for insurers.