Cybercrime permeates all areas of our daily lives. Technological progress alone does not seem to be able to stop it from spreading further. That's why safety experts are increasingly turning to traditional solutions to a very modern problem. Keyword cyber insurance.
We insure just about everything – houses, cars, our lives. At first glance, therefore, it may seem surprising that most companies don't insure against something as potentially devastating as cybercrime. Recent research by specialist insurer Hiscox even found that one fifth of companies in the US and Europe were at risk of insolvency as a direct result of a cyber attack. Insurance should possibly be able to alleviate the fears regarding these consequences – or maybe not after all?
However, the recent past has shown that it is not so easy to transfer traditional insurance models to the cybersphere. Countless factors influence the likelihood of a cyberattack occurring and are hard to justify. Especially when compared to the decades-old metrics by which insurance premiums for home, car or life are measured. Reliably assessing the risks and forecasting the extent to which a company is actually at risk is difficult.
Accordingly, cybersecurity experts disagree about the future of cyber insurance. Some consider them essential coverage, especially for small businesses. But even more consider the practical obstacles almost impossible to overcome. No matter which way you look at it, it is undeniable that the industry has to deal with a number of problems.
At the turn of the millennium, the insurance company Lloyds of London took out the first modern cyber insurance policy. Alone, success failed to materialize. A conservative estimate from 2002 predicted the global cyber insurance market would be worth about $2.5 billion by 2005. This estimate turned out in retrospect to be five times higher compared even with the market volume of 2008. The market for cyber insurance shrank rather in relation to the overall internet economy.
Even if the disappointing beginnings seem to be overcome – the market was in 2020 to 7.36 billion and is expected to grow to 27 billion by 2026.Grow $83 billion -, cyber insurance is still struggling to find its place. By 2020, only 13% of all SMEs had cyber insurance at all. Research by GlobalData even found that 29% of UK SMEs cancelled their policy in 2021.
Since 2018, the German Insurance Association (GDV) has also been using a Forsa survey to determine how IT security is faring at German companies.
A key finding of this year's May survey: "Although one in four SMEs has already fallen victim to cybercriminals, two-thirds do not see a high risk for their own company. This also contradicts the general risk assessment. As three-quarters of respondents believe SMEs are at high risk of falling victim to a cyberattack."The implementation of the 10 basic protection measures, which largely correspond to the GDV model conditions for cyber insurance, are also declining, according to the survey. Conversely, all those who have insured themselves against the consequences of cyber-attacks risk their insurance coverage in this way.
Security experts have long since ceased to regard cyberattacks merely as a risk, but as inevitable. With this in mind, the statistics on cyber insurance adoption make little sense. But what exactly is standing in the way of the industry's success?
Types of insurance such as home or other property insurance have extensive data archives and decades of experience. This is what an effective, sustainable business model is based on. Compared to this, the cyber insurance sector is in its infancy. Corresponding data and insights are missing.
Alan Radford, Regional CTO at One Identity
The overriding problem of the industry is cost. Some cyber insurance premiums have skyrocketed dramatically recently. The premiums collected in 2021 by the largest US insurance companies have increased by 92% compared to the previous year. For an industry that also prefers to cater to smaller businesses with more manageable budgets, rising premiums are a real handicap. In insurance logic, the increases make sense: the premiums climb upwards as the probability of occurrence of the claim increases. With the number of attacks on the rise and premiums skyrocketing, many people are wondering how much sense it makes to take out cyber insurance.
More problems arise when comparing cyber insurance to traditional lines of insurance. Traditional types of insurance, such as home or other property insurance, have extensive archives of data and decades of experience. This is what an effective, sustainable business model is based on. Compared to this, cyber insurance is still in its infancy. Appropriate data and insights are lacking.
For example, consider the factors that determine the amount of a homeowner's policy. This includes the crime rate in the respective residential area, the quality of the installed security measures, the value of the property and so on. All factors that are relatively easy to quantify and are largely static. Cyber insurance is a different story altogether. The questionnaires used to determine costs provide little information about a company's real safety or exposure situation. This is especially true for small businesses, because in-depth safety inspections are not cost-effective for a provider to conduct.
Insurance professionals are well aware of this. Quotes like this are not an isolated case: "Of course we ask a lot of questions and work out an insurance-related justification. But if we are completely honest, we are merely scratching the surface in this technical assessment."
Premium calculation is further complicated by insufficient standardization. Minimum requirements for security measures and best practices are poorly defined and vary from provider to provider. This not only makes it more difficult to quantify risk factors and calculate premiums. It also tempts customers to opt for policies with less stringent requirements. If the trend continues, cyber insurance would not prove beneficial to cybersecurity in general. Rather the opposite. Despite all this, cyber insurance is anything but a "pipe dream." The industry is still young, and there's plenty of time to weed out weaknesses.
Basically, cyber insurance has the potential to revolutionize the cybersecurity landscape. Whether they save SMEs from imminent bankruptcy or help to strengthen the security position of the overall economy.
Insufficient standardization is currently one of the biggest obstacles on the road to success. But standardization is also the industry's greatest asset. Providers should agree on best practices and minimum requirements for security measures as part of risk assessments. For insurers, a good starting point to make risk factors measurable and to define basic steps on how companies can improve their security situation.
A collaborative culture fixes many of the problems cyberinsurers face. There's no getting around sharing data if you want to close the knowledge gap between cyber insurance and traditional industry products. An expanded data pool that aggregates threat information, incident and claims data provides a solid foundation for underwriting and modeling cyber risks.
A free pre-contract vulnerability assessment would also give insurers unprecedented insight into a company's security posture. Policyholders benefit from this as well. A free vulnerability analysis upgrades the insurance policy and provides usable information on how to lower the premium amount – which again promotes overall acceptance of the line of business.
A collaborative culture fixes many of the problems cyberinsurers face. You can't avoid sharing data if you want to close the knowledge gap between cyber insurance and traditional industry products.
Alan Radford, Regional CTO at One Identity
For all its problems, cyber insurance certainly seems to have a future. Keep in mind that the industry is still in its infancy – compared to traditional offerings and models. With the right approach, cyber insurance has the potential to have a fundamentally positive impact on the security landscape.