Cyberinsurers looking for new risk assessment models
As ransomware attacks increase, a number of difficulties have risen for cyberinsurers that will need to be addressed swiftly.
The ever-increasing number of ransomware attacks has created a quandary for those in the cyberinsurance industry. With premiums skyrocketing, coverage being limited and insurers struggling to earn revenue because of the cost and growing number of claims, something has to give. Due to these factors, organizations are searching for new methods of risk assessment to better evaluate the market for cyberinsurance, per Panaseer’s “2022 Cyber Insurance Market Trends Report”.
Four hundred global insurers were surveyed as part of the report, in order to discover what issues the market is facing and potential solutions to achieve a healthy cyberinsurance market.
“Cybersecurity insurance is an effective way for organizations to transfer their cyber risk and to try and mitigate the impact of threats and vulnerabilities,” said James Graham, VP of marketing at cybersecurity firm RiskLens. “The core exercise in assessing cyber risk for insurance purposes, then, continues to be quantifying the probability and financial impact of cyber threats.”
SEE: Mobile device security policy (TechRepublic Premium)
Issues with the current cyberinsurance model
With many sources citing a year-over-year rise in ransomware attacks, there lies several problems with the ways cyberinsurance works. Organizations in the insurance business are struggling to correctly assess the risks surrounding their clients and usually have restricted access to their customer’s data.
Some of the reasons premiums have grown over the years specifically were:
- Increasing sophistication of cyber threat actors
- Increasing cost of ransomware attacks (e.g. higher ransoms)
- Inability to accurately understand a customer’s security posture
Because of these factors, the price of coverage continues to soar. According to the survey, 82% expect cyberinsurance premiums to continue rising over the next two years. In 2020 alone, 66.9% of the top 20 insurers saw loss ratios, with the rate of attacks only growing as one of the side effects of the COVID-19 pandemic. The areas submitting the most cyber claims were in the fields of manufacturing, financial services and healthcare, signaling a need for change quickly in order to support these three critical infrastructure components.
The good news, despite the monetary losses suffered by the top cyberinsurance providers, is that those in the industry believe that the existing risk models are sound. Nearly every respondent in the survey (91%) said they have faith in their underwriting process, but changes are still necessary to make sense from a financial perspective.
Solutions for cyberinsurance problems
One potential fix for the industry as a whole proposed in the report was transforming the way security posture is measured during the underwriting process. According to Panaseer’s findings, 87% believe it’s important for the industry to develop a consistent approach to analyzing a customer’s cyber risk using accurate security metrics and measures.
Another potential answer is granting insurers greater access to their client’s information. A majority (89%) of companies surveyed said they believe it would be valuable to have direct access to customer metrics and measures proving the status of their security controls.
Graham suggests that companies should more widely adopt RiskLens’ Factor Analysis of Information Risk (FAIR) model, in order to provide greater clarity into the costs associated with cyberinsurance. Through this model, organizations would view enterprise cyber risk in totality and challenge and defend cyber risk decisions using an advanced risk model.
“The FAIR cyber risk quantification model was designed to provide visibility into the costs of cyber risk, information which should be at the heart of any insurance assessment or purchase,” Graham said. “In fact, organizations across the globe are already using FAIR to assess their cyber risk in practical terms, and making security decisions – including insurance coverage – based on the business terms delivered through FAIR assessments.”