The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs. In 2022, Russia invaded Ukraine with the potential for more serious and more costly global nation state cyberattacks - and Lloyds of London announced a stronger and more clear war exclusions clause. Higher premiums and wider exclusions are the primary methods for insurance to balance its books - and it is already having to use both. One thing is certain: a mainstream, funds rich business like insurance will not easily relinquish a market from which it can profit. "Looking ahead," continued Wolff, "I think insurers and their policyholders are going to find themselves mired in a lot of fights about attribution and how to define what makes a cyberattack state-sponsored or catastrophic or uninsurable." Two things are certain: security defenders will have increased questions over the cost/return value of cyberinsurance, while insurers will be seeking new ways to ensure their market doesn't disappear. The insurers have one major advantage: insurance has been a staple part of business for centuries, and business leaders don't seem inclined to exclude it from security. Joseph Carson, chief security scientist and advisory CISO at Delinea, notes that his own firm's survey reveals 33% of IT decision makers applied for cyberinsurance due to a requirement from their board and executive management. He also notes that 80% had subsequently called upon that insurance with more than half doing so more than once. "As a result of more cyber insurance policies being introduced, and ultimately many businesses needing to use them," he comments, "The cost of cyber insurance is continuing to rise at alarming rates. I expect to see this continue in 2023.". "A very likely outcome of this," he continued, "Is that more companies will fall below the cybersecurity poverty line. With inflation currently over 8% - measuring 4x higher than the central bank's target rate of 2% - companies who hadn't planned for increased costs will find themselves with less money to spend on cyber, thus falling further below the CPL and finding themselves facing the hard decision on where to spend their next investment dollar." Firms will increasingly need to choose between cybersecurity mitigations or cyberinsurance - and neither of these options on their own will benefit the insurance industry. One option would be to become more granular in the cover it offers. This would allow coverage to be more tightly defined with fewer if any exclusions. Further, suggests Chris Gray, AVP of security strategy at Deepwatch, it would "Allow basic risk management into services while providing the ability to charge increased premiums for more upscale/impactful attacks." The Food Liability Insurance Program provides Insurance designed for small food businesses with gross annual receipts under $500,000. The Forward Contract Insurance Protection plan is a supplemental insurance that provides an indemnity for farmers unable to deliver contracted volumes. "Government intervention in the form of sanction insurance programs - a la TRIP, FLIP, FCIP, etcetera - is likely to evolve, with a significant discussion regarding coverage areas and their impact on national security," suggests Gray. One of the strongest likelihoods over the coming years is the growth of cybersecurity requirement impositions; that is, insurers will decline coverage unless the insured conforms to a specified security posture. Chris Denbigh-White, cybersecurity strategist at Next DLP, argues, "The notion of 'insuring away cyber risk' will become somewhat unrealistic. Insurance premiums, prerequisites and policy exclusions will no doubt continue to increase in 2023 which will have the effect of narrowing the actual scope of what is really covered as well as increasing the overall cost." The industry recognized that standard business insurance didn't explicitly cover against cyber risks, and cyberinsurance evolved to fill that gap. Comments Scott Sutherland, VP of research at NetSPI, "Insurance company security testing standards will evolve." It's been done before, and PCIDSS is the classic example. The payment card industry, explains Sutherland, "Observed the personal/business risk associated with insufficient security controls and the key stakeholders combined forces to build policies, standards, and testing procedures that could help reduce that risk in a manageable way for their respective industries." He continued, "My guess and hope for 2023, is that the major cyber insurance companies start talking about developing a unified standard for qualifying for cyber insurance. Hopefully, that will bring more qualified security testers into that market which can help drive down the price of assessments and reduce the guesswork/risk being taken on by the cyber insurance companies. While there are undoubtedly more cyber insurance companies than card brands, I think it would work in the best interest of the major players to start serious discussions around the issue and potential solutions." Mike McLellan, director of intelligence at Secureworks, adds, "The requirements on organizations wishing to obtain cyber insurance will become more and more stringent, and organizations that are unable or unwilling to comply will find coverage is declined." To even reach the stage of a defined cyberinsurance standard, the insurance industry will either have to get into bed with existing security vendors or become a cybersecurity company itself. The former is worrying - depending on the closeness of the relationship and the degree to which the vendor seeks to satisfy the insurance industry rather than its own customers - while the latter is doomed to failure. The more mature security vendors have been working for more than two decades on eliminating cyber threats with varying but ultimately little success. Whether or not a full cyberinsurance security standard emerges, there will be increasing cooperation if not collaboration between insurers and security vendors in 2023. "The borderless nature of networks, coupled with a threat landscape that is less predictable, necessitates the need for true risk quantification of companies' security controls now more than ever. With that, I expect to see more investment into quantifying cyber risk. This will drive better collaboration and data sharing between security companies," explains Jason Rebholz, CISO at Corvus Insurance. "Cyber insurance carriers will lean into partnerships with technology companies to fuse security data with insurance and risk modeling insights. The net result is more accurate risk quantification, which will in turn help keep policyholders safer." Breaches will continue and will continue to rise in cost and severity - and the insurance industry will continue to balance its books through increasing premiums, exclusions, and insurance refusals. The best that can be hoped for from insurers increasing security requirements is that, as Norman Kromberg, MD at NetSPI suggests, "Cyber Insurance will become a leading driver for investment in security and IT controls." An interesting comment comes from Jennifer Mulvihill, business development head of cyberinsurance and legal at BlueVoyant: "The underwriting process and the completion of an underwriting application are excellent ways to self-assess and consider the protection of assets from a cyber perspective. The information gleaned from these exercises is valuable information, not only for the CISO, but for the Board and CFO, and augments financial investments and regulatory compliance." Insurers could charge for the right to apply for insurance, but if a prospective customer must pay, that customer could simply pay a cybersecurity consultant for the same service and ignore insurance altogether. It is unlikely that the insurance industry will be able to balance its books through raising premiums and reducing payouts through increasing exclusions, nor yet eliminate claims through a required cybersecurity standard. "The bigger your business grows, the more challenging it will be to meet these requirements. More and more organizations were being dropped by providers throughout the last year, and going into 2023 there will likely be a trend of organizations being unable to receive coverage." "Will Cyber insurance become an expensive 'tick in a box' or will it deliver real value?" asks Denbigh-White. "Will it even remain a viable offering from insurance companies in 2023? While carrying cyber insurance is rapidly becoming a 'security prerequisite' for many organizations, its benefit in relation to cost and cover remain uncertain as we move into 2023.". "Insurance always wins!" Insurance will get more expensive, more difficult to get, and less likely to pay out. "As a result, more organizations may decide not to take out insurance at all, instead focusing on ploughing resources into protection. If this happens, we can expect to see insurance companies partnering with big consulting firms to offer joined up services." "Pointless it may be, if insurers are never going to pay out but buying cyber insurance may simply become a necessary cost of doing business - a box that must be ticked to demonstrate to shareholders that all steps are being taken to protect the business and ensure resilience and continuity."
This Cyber News was published on www.securityweek.com. Publication date: Wed, 01 Feb 2023 11:27:02 +0000