Cyber is still something of a mystery for many of us in the insurance sector. Sudden viral attacks, ransom demands or loss of access to systems: it’s all a bit James Bond sometimes. But this piece by Pete Bowers, COO at NormCyber, helps shed some light on the true risks, plus how to help clients with advice on systems security, data handling and more.
Cyber insurance is no longer deemed a nice-to-have accessory for businesses. In 2023, its importance will only increase, as coverage becomes a seal of approval, indicating the organisation’s strong cyber security posture to customers, partners and peers. However, to attain coverage, businesses need to demonstrate good ‘cyber health’ credentials in the first place – creating a vicious cycle where neither goal can be reached without achieving the other.
But what is ‘good’ cyber health anyway? This is the dilemma both insurers and businesses will grapple with in 2023. The solution won’t come from either side, but somewhere else entirely: managed security service providers (MSSPs).
Cyber insurance trends: pressures, perplexity and precaution
The UK cyber insurance market is rife with complexity. On the one hand, UK businesses face a plethora of pressures from rising cyber insurance premiums – an increase of 66 percent year-on-year by 2022 Q3 – and shrinking coverage. For example, Lloyd’s of London announced in August 2022 that it would no longer cover losses resulting from nation state attacks. But perhaps the most impactful change in the market is one that high-risk industries such as construction have long been warned about: with cyber insurance no longer seen as a mere risk-mitigation tool, it falls to businesses to reduce cyber risk internally before applying for cyber insurance.
On the other hand, insurers can only do so much to help businesses get their house in order. The common trend among UK insurers today is to look at what controls businesses have in place and how responsive they might be in the event of a cyberattack. The problem is that they need much more information than is currently available to them, something akin to the wealth of empirical data health and car insurers can benchmark against.
‘Cyber health’ is not the only unquantifiable factor in the cyber space – risk is similarly elusive. This is why, for example, insurers are treading with trepidation around building reputational damage into business and cyber packages. In other industries, reputational damage tends to occur in the aftermath of one-off events – such as natural disasters – and can often be predicted to some extent. By contrast, in a cybersecurity context, attacks can have a snowball effect, with stolen data sold and circulating on the dark web for years. It is virtually impossible to quantify the risk.
The need for an outside perspective
The strength of cyber insurers lies in providing excellent incident response (IR) and offering support when clients need it the most. This is the nature of their relationship – but it is not an exclusive one, since they usually don’t work alone. When attacks strike, insurers call on IR experts to verify whether the client legitimately had all the protective measures in place they said they did when applying for coverage.
This outside perspective is invaluable to them in the aftermath of an attack – now, amidst soaring demand for coverage, insurers should look to enlist similar expert help to demystify cyber risk, even before the worst comes to pass. Managed security service providers (MSSPs) can do this for them, and in 2023, their role will become more pronounced.
Helping businesses qualify for coverage
MSSPs can support insurers first and foremost by helping businesses qualify for cyber insurance more easily. MSSPs understand what insurers are looking for when evaluating candidates, and they can work with businesses to proactively plug any cyber security weak spots. They can ask the right questions, carry out assessments or penetration testing, and guide businesses to reach the required level of cyber resilience faster.
Crucially, they can manage a continuous testing and improvement programme affordably. By contrast, a standard business impact assessment can set a business back many thousands of pounds, putting them out of pocket before they can get any true value for their money. MSSPs prove their worth by running comprehensive assessments over organisations’ people, processes and technology controls, leaving no stone unturned.
Helping insurers assess cyber health and risk
Beyond preparing businesses for cyber insurance, MSSPs can also help insurers in a more direct way. By acting as a ‘black box’ within businesses, they can enable the notion of ‘cyber health’ to be viewed on a more empirical basis than before. MSSPs can score organisations’ cyber resilience based on the effectiveness of their security and data protection processes, the behaviour of their employees and the robustness of their technology infrastructure. For example, on a scale from one to 100, scores of 75 or over may be considered best practice, though in tightly regulated or high-risk industries the benchmarks would differ.
Such a cyber resilience score then gives insurers a clear metric to assess candidates and clients by. With all the data and scores at their disposal, insurers are able to quantify their own risk, too, and make better-informed decisions as they navigate the increased demand for their services.
Resolving the cyber insurance dilemma in 2023
Cyber insurance may seem like uncharted territory, as threats are hard to anticipate and risk remains elevated. Such issues will persist moving into 2023, but MSSPs can offer the resources required to give insurers greater peace of mind, bring more clarity and speed into operations, and help businesses qualify for the coverage of their choice faster.
As risk becomes easier to quantify, insurers may feel more confident to offer lower premiums over time, which may attract more businesses to seek coverage over the longer term. Businesses will similarly feel the benefits of MSSPs’ involvement in the process of seeking cyber insurance, as they will have a reason to work harder to improve their overall cyber resilience, and do so against clear benchmarks. As the practice proliferates, it’s not only individual businesses, but also the wider industry which is set to reap the rewards in 2023 and beyond.