Chris Hallenbeck, CISO for the Americas at Tanium, discusses the impact of geopolitical conflict on the cybersecurity insurance market.
In the words of former FBI director Robert Mueller, “There are only two types of companies: those that have been hacked and those that will be.”
This unavoidable truth, coupled with growing mainstream awareness and the ever-increasing frequency of attacks, has led to a steady uptick in cyber insurance in recent years. In fact, insurance clients opting for cyber coverage rose from 26 percent in 2016 to 47 percent in 2020, according to reporting by the U.S. Government Accountability Office (GAO).
Given the current conflict in Ukraine, the insurance industry is facing increased pressure and concerns that a spike in attacks will lead to a surge in claims. While it’s undeniable that nation-state threat actors have stepped up their game to capitalize on the chaos brought on by the Ukraine-Russia conflict, cyber insurance is not the answer to the growing threat.
Rethinking Cyber Insurance
When cyber insurance entered the scene in the late 1990s, the restrictions were few and the coverage generous, but that trend has shifted in recent years. There is a strong tendency across industries to approach a problem differently as soon as we put the word “cyber” in front of it. Treating “cyber” as different and in some ways wholly detached from traditional fraud obfuscates the fundamentals.
Aspects of the insurance industry initially fell into that trap. However, we’re now seeing a shift back to traditional risk measurement, with underwriters approaching cyber insurance in a manner similar to physical insurance – by assessing where the biggest risks are and determining whether they should exclude certain risks from coverage, as well as establishing a bar to define what constitutes reasonable care. At the same time, we’re seeing coverage premiums skyrocket. By the end of 2020, more than half of cyber insurance policy holders saw the price of their coverage rise by as much as 30 percent, according to GAO.
While the current conflict in Ukraine will likely lead to a rise in cyber insurance purchases, the harsh reality is that most coverage will not protect enterprises from nation-state attacks or even ransomware. In fact, most cyber insurance policies already include clauses to exclude acts of war, and in the aftermath of the current struggle, we’ll likely see further refinement of language and an expansion in the number of coverage exclusions as insurers look to hedge their risks. With insurance companies tightening their purses and attackers doubling down on their efforts, what’s the answer for organizations looking to mitigate risk?
Mitigate Risks, Not Threats
The bottom line is that if you’re buying cyber insurance only because you expect to experience a cyberattack and are unsure whether you have adequate controls in place or the right planning around disaster recovery, you aren’t investing as you should be. The first step before buying a cyber insurance policy should be a risk assessment.
You can’t do the math on whether insurance is worth the cost without determining the anticipated impact of a cyber incident – and math requires numbers, which means risk needs to be clearly quantified. An in-depth analytical approach is likely to be the standard moving forward, with insurers themselves completing assessments to determine if they would agree to underwrite a policy.
When Insurance Makes Most Sense
That said, insurance is an important component of risk management. Insurance makes sense where a risk is high impact but low probability. Weigh that against the cost of mitigating the risk: where mitigation is expensive and the likelihood is low, insurance is the smarter decision.
For many organizations, there are basic steps they should take to shore up their security – the standard duty of care – which must be addressed. If a risk assessment reveals glaring holes in your security stack, it’s time to get back to basics and improve cyber hygiene. Given that many IT departments are understaffed and under-resourced, it’s important to automate risk monitoring wherever possible so that threats are identified and remediated continuously and in real time.
But deploying more point solutions across your organization won’t get the job done unless you can see and control all that technology whenever and wherever. Consider consolidating your security tools where possible to increase visibility across your entire IT estate. Once you have undertaken a thorough risk assessment, established a strong security foundation, and conducted a clear cost-benefit analysis – which requires open communication from the CISO to the CFO and even the board – only then should you consider investing in cyber insurance.
Cyber Insurance Fine Print
As the Russia-Ukraine war rages on and other nation-states and criminals exploit the chaos, we’ll likely continue to see the interest in cyber insurance grow, but I’d wager the companies signing up for policies will be the ones who fail to read the fine print.
Just as we saw a clarification of cyber insurance policies in the wake of NotPetya, the future will usher in more review and rewriting of exclusion clauses. With insurers unlikely to pay out when it comes to ransomware attacks in times of war, organizations must focus instead on proactive cyber hygiene.
Just as you can generally avoid a car accident by maintaining your car and driving safely, you can reduce the likelihood of a devastating cyberattack by getting a clear picture of your risk and taking steps to address it. After all, the best insurance against a cyberattack is not a policy, but a strong security foundation.