Optimizing Risk Transfer for Systematic Cyberresilience

Author: Arunava Banerjee, CISM, ISO 27001:2013 LI, ITIL v3, PRINCE2
Date Published: 21 November 2023

In today's hyperconnected world, where digital technologies shape every aspect of our lives, cyberthreats are an obstacle faced by virtually everyone. Cyberthreats continue to become more sophisticated, posing significant challenges for individuals, organizations and entire nations. As security professionals navigate the present cyberthreat horizon, it is crucial to understand the emerging dangers and fortify digital defenses with cyberinsurance to ensure a secure digital future.

Cyberthreats in Review

Ransomware remains a formidable cyberthreat that has wreaked havoc across industries. The recent surge in high-profile ransomware attacks highlights the escalating danger,1 with criminals targeting critical infrastructure, healthcare institutions, and large enterprises.

Nation-state cyberoperations also present a growing concern.2 State-sponsored threat actors engage in sophisticated and well-funded cyberespionage, intellectual property theft and disruptive attacks targeting critical infrastructure. These attacks can have severe geopolitical implications and pose significant threats to national security.

In addition, the proliferation of network-connected operational technology (OT) and Internet of Things (IoT) devices has introduced a multitude of vulnerabilities into connected environments. Insecurely designed and poorly configured OT devices are attractive targets for cybercriminals. By exploiting these vulnerabilities, attackers can compromise networks, invade privacy and cause large-scale business interruption, resulting in significant production losses and major physical damage to property.

Supply chain attacks have also gained prominence as cybercriminals target trusted vendors and suppliers to gain unauthorized access to their customers' networks. Breaching a single supplier can provide a pathway to infiltrate numerous organizations. Managing the aggregation of supply chain risk is a major challenge for large organizations.

Consider Cyberinsurance

As cyberthreats loom large, enterprises of all sizes are increasingly recognizing the need for cyberinsurance. Cyberinsurance offers financial protection and support in the event of cyberattacks or data breaches. It is predicted that by 2040, the cyberrisk transfer market will become comparable in size to property insurance.3

However, navigating the cyberinsurance market can be complex and daunting. Understanding the key considerations and making informed decisions are crucial to ensuring adequate coverage and effective risk management.

In recent years, there has been a significant rise in the purchasing of cyberinsurance.4 A number of organizations have changed their cyberstrategies and opted to buy cyberinsurance to protect themselves from losses. Cyberinsurance developed as a concept when “silent cyber”5 coverage was refused by traditional lines such as property insurance. Cyberinsurance traditionally has been the mainstay of large financial institutions and technology enterprises, but now the public sector and small- and medium-sized enterprises are looking to get insured.

Unfortunately, the same factors that led to this rush to buy cyberinsurance also changed the dynamics of the market. Organizations are targeted regularly by cybercriminals, and insurance claims volume has increased. Cyberlosses are expensive, which resulted in a hardening of the cyberinsurance market in recent years that lasted until the end of 2022.6 Hardening of the insurance market means radically reduced limits, severe rate increases and narrow covers with numerous restrictions and exclusions. The limited appetite is due to the lack of certainty in the cybermarket.

Cyberinsurance should not be viewed as a standalone solution, but rather as part of a comprehensive risk management strategy. It is important to understand an organization’s risk profile and demonstrate adequate cyberresilience before trying to obtain cyberinsurance coverage.


Assess Organizational Risk

Before an enterprise delves into the cyberinsurance market, it is essential to assess its unique risk profile. Conducting a comprehensive risk assessment helps identify potential vulnerabilities and areas of exposure. Factors to consider include the nature of business, the sensitivity of data, security measures in place and regulatory requirements. Understanding their risk profiles guides organizations in selecting appropriate coverage and policy limits.

Understand Policy Coverage

Cyberinsurance policies can vary significantly in terms of coverage, exclusions and limits. It is crucial to thoroughly understand the terms and conditions of the policy being considered.

Key elements to review include:

  • First-party coverage—Covers direct losses incurred by the organization (e.g., data breach response costs, business interruption, data recovery expenses, public relations efforts)
  • Third-party coverage—Covers liabilities arising from claims made by the affected parties (e.g., legal costs, regulatory fines [if insurable under law], customer notification expenses)
  • Additional coverage options—May offer extensions for losses arising from reputational damage, social engineering fraud or network extortion (options should be assessed based on specific needs)
  • Exclusions and limitations—Policy may not cover all potential circumstances. It is important to review and clearly understand what a policy covers and what it excludes.

Implement Risk Mitigation and Loss Prevention Measures

Insurance providers may require policyholders to implement specific security measures and risk mitigation practices. Proactively investing in robust cybersecurity measures, employee training, incident response planning and regular risk assessments can help lower premiums and demonstrate an enterprise’s commitment to reducing risk.

It is very important to understand the controls on which an insurer focuses. The key controls that most major insurers look for in 2023 are, in no specific order:

  • Endpoint detection and response (EDR)
  • Adequate management of privileged accounts across the enterprise (including privileged service accounts)
  • Multifactor authentication (MFA) for remote access and privileged access
  • Appropriate segmentation to protect crown jewels and prevent lateral movement
  • Monitoring and response capabilities (either in-house or outsourced)
  • Incident response planning and regular testing
  • Emergency patching cadence
  • Ransomware-protected and appropriately tested backups
  • Adequate user awareness and training
  • Secure baseline configuration and malicious code protection
  • Adequate encryption for data at rest and in transit

Cyberinsurance carriers look for organizations to demonstrate cyberresilience, not only cybersecurity. Insurers understand that no organization can be 100% incident-proof and that most enterprises are trying to improve their cybermaturity. So, it is important for organizations to demonstrate their unique cybermaturity journeys, not merely the status quo. Providing details about known gaps with a timeline of planned future security programs is a better approach for an insurance submission.

Even with key controls in place, it is not always possible to secure adequate coverage for high-risk industries that are frequently targeted by cybercriminals. These industry classifications vary from country to country and by the insurance carrier’s appetite. The role of a good insurance broker is to help a client choose an appropriate carrier and decide on the limit of indemnity and the scope of policy coverage.

Evaluate Insurance Providers

Choosing a reputable and reliable insurance provider is critical to obtaining effective cyberinsurance coverage. There are several factors to consider when evaluating insurance providers:

  • Expertise and experience—Ideal providers have a solid track record in cyberinsurance and a deep understanding of cyberthreats and how they have changed over time.
  • Financial strength—The financial stability and ratings of insurance companies should be assessed to ensure that they can fulfill their obligations in the event of a claim.
  • Claims handling process—The claims process should be reviewed including response time, support services and the reputation of the provider in terms of handling cyberclaims.
  • Risk management support or pre-breach services—Some insurance providers offer risk management services to help policyholders enhance their cybersecurity postures. Ideal providers offer proactive support and guidance to mitigate risk. Pre-breach cyberservices encompass a range of proactive measures aimed at preventing cyberincidents and improving an organization's overall cybersecurity posture. Insurance companies now offer these services as a value-added proposition alongside traditional insurance policies. By leveraging their expertise and insights, insurance providers collaborate with their clients to assess vulnerabilities, implement preventative measures, and establish robust incident response protocols.

Review and Update Coverage

Cyberthreats are increasing in number and malicious cyberactors continue to develop attack methods, making it crucial to regularly review and update cyberinsurance coverage. Enterprises must stay informed about emerging threats, regulatory changes and industry best practices. Risk profiles should be reassessed and coverage evaluated periodically to ensure that they align with evolving needs. Open communication with insurance providers is encouraged to ensure that any changes or concerns are addressed promptly.

Consider Alternative Risk Transfer Methods

As organizations grapple with the increasing frequency and complexity of cyberattacks, traditional insurance coverage may not provide adequate protection. In this context, alternative risk transfer solutions such as the use of captive fronting7 are emerging as crucial tools for managing and transferring cyberrisk. By leveraging a captive solution, enterprises can enhance their cyberresilience, mitigate potential financial losses and navigate cyberinsurance more effectively. Captives help increase the attachment point for the insurance market and act as a solution to cover gaps in the insurance market’s capacity. Insurers are increasingly encouraging the use of captives for cyber.8

Conclusion

The impact of increasing cyberthreats on the cyberinsurance market is profound. Insurers are challenged to adapt their policies and underwriting practices to keep pace with emerging risk, while policyholders must carefully evaluate their coverage needs in light of more sophisticated threats. The increasing financial impacts of cyberincidents, the expanding threat horizon, regulatory scrutiny, collaboration and risk mitigation initiatives shape the dynamics of the cyberinsurance market. By embracing these challenges and opportunities, the cyberinsurance industry can play a vital role in helping organizations navigate complex cyberthreats and strengthen their systematic cyberresilience strategies.

Endnotes

1 Corvus, Corvus Risk Insights Index, 2023
2 National Cyber Security Centre, “Heightened Threat of State-Aligned Groups Against Western Critical National Infrastructure,” United Kingdom, 19 April 2023
3 Newman, I.; E. Pocock; J. Hall; Cy-Fi: The Future of Cyber (Re)insurance, Gallagher Re, USA, 2022
4 Marsh McLennan, US Cyber Purchasing Trends, USA, 2023
5 Hill, A.; “Silent Cyber: What You Need to Know,” WTW, 1 February 2021
6 AON, “Buyer-Friendly Cyber and E&O Market: How to Take Advantage,” May 2023
7 Captive, “What Is a Fronting Arrangement and Why Do Captive Insurers Use Them?”
8 Airmic, “Why and How Cyber Is Increasingly Being Insured by Captives,” 1 August 2022

Arunava Banerjee, CISM, ISO 27001:2013 LI, ITIL v3, PRINCE2

Is the cyberrisk consulting lead for Zurich Resilience Solutions, the risk engineering division of Zurich Insurance. Banerjee is responsible for leading the cyberrisk consultancy in the United Kingdom, providing cyberrisk consulting to help clients improve their cyberresilience and navigate the cyberinsurance market, and offering underwriting for large and complex sources of cyberrisk. He is also the chair of Zurich’s Global Risk Engineering Technical Centre for Cyber. Banerjee has more than 16 years of experience in cyberstrategy, risk management, cyberadvising, cyberinsurance, project management, and IT operations within various industries including insurance, health care, the public sector, and IT consulting. Banerjee regularly speaks at numerous cyber, risk, insurance, and technology conferences such as the Airmic conference, the ALARM conference, the Scottish Federation of Housing Associations (SFHA) annual conference, Chartered Institute of Public Finance and Accountancy (CIPFA) conferences, the annual Ecrime and Cybersecurity Congress conference, and more.