The future of cyber insurance is HRM

After being pushed to the brink of collapse by a post-pandemic wave of ransomware, the cyber insurance industry has experimented with raising premiums, expanding limits, and shrinking coverage to keep its head above water.

But it takes two to tango: businesses must do their share to prevent catastrophic data breaches. That starts with up-skilling employees and strengthening the human layer.

Every cyber insurance policy requires a security awareness program, like this checklist from AIG shows. Some insurers have selected preferred phishing test and training vendors. And there's growing buzz that companies must show material results from their awareness and phishing training programs to be approved for insurance policies.

The role of human risk management (HRM) platforms, alongside security awareness training (SAT), is becoming increasingly vital. Collaboration between cyber insurers, businesses, and HRM platforms promises a future of lower premiums, broader coverage, and fewer breaches.

What is Human Risk Management and why does it matter for cyber insurance?

Human Risk Management Platforms focus on measuring and mitigating cyber risks caused by human behaviors that leave organizations vulnerable to data breaches. The greatest source of data breach risk, according to the Verizon DBIR, is the human element. Social engineering and phishing is present in most ransomware attacks, which have in recent years pushed cyber insurance to the brink of implosion.

The Change Healthcare ransomware attack resulted in a $22M extortion. The ransom is dwarfed by the estimated $2.2B total cost that the breach is expected to exact from the UnitedHealth-owned insurance provider, which processes billing and insurance for hundreds of thousands of hospitals, pharmacies and medical practices across the U.S..

By correcting risky human behaviors like email and MFA use in real-time, HRM reduces the risk of breaches. And by plugging human threat intelligence (threat reports) into the security stack, HRM augments and accelerates incident detection and response.

HRM was officially enshrined in 2024 as its own category by analysts, who recognize it as a necessary evolution of the traditional SAT model. Where SAT offers compliance, HRM delivers outcome-driven metrics (ODM).

The emphasis on measurable behavior change strengthens security posture at scale, which will stabilize the cyber insurance market by:

• Reducing breaches and, accordingly, insurance payouts
• Reducing premiums
• Improving transparency with ODMs to enable greater predictive models for insurers

A brief history of post-pandemic cyber insurance (2019-2024)

The cyber insurance market grew from $7 billion in 2020 to approximately $14B in 2023, and will soar to $29B by 2027 according to insurer, Munich Re. That growth is driven by the evolving threat landscape.

The shift to remote work during the pandemic increased the already-largest attack surface: people and their devices. The ensuing surge in ransomware, phishing, and business email compromise (BEC) attacks led in 2021 to soaring premiums and shrinking coverage. Here's a breakdown:

• Insurance payouts in 2021 exceeded 70% of premiums
• Insurance rates increased 200%-300%
• Coverage shrank by 2/3. Cyber limits shrank to 1/5 those of the year before (e.g. $5M to $1M)
• The loss ratio for 2020 for the top 20 insurance groups averaged 66.9%, up from 44.6% in 2019
• Lloyds of London and other insurance giants stopped insuring new businesses.

As a result, cyber insurance shifted from being a luxury to a necessity. By 2023, ransomware claims had risen dramatically.

• Insurance premiums rose 50% in 2022
• Ransomware events are up 1,281% over the past 5 years (AON)

• 214% increase in ransomware activity Q4 2023 YOY (AON)
• 65% Increase in US cyber claims overall, 2023 YOY (AON)
• Ransomware-related insurance claims rose by 27% in the first half of 2023.
• The average ransomware claim increased to $365,000, up from $227,000 in 2022.

‍A June, 2024 report by cyber insurer Marsh disclosed that “cyber criminals grew bolder” in 2023:

• In 2022, the median extortion payment dropped from $822,000 in 2021 to $335,000.
• In 2023 the median payment increased from $335,000 to $6.5 million
• In 2023, the median demand increased from $1.4 million to $20 million
• In 2023, the percentage of the median demand paid increased from 24% in 2022 to 32% in 2023.

The Impact of the Evolving Threat Landscape

Ransomware and phishing attacks have become increasingly sophisticated and costly, with organized criminals targeting people with AI-enabled cybercrime-as-a-service models. As such, businesses need to shift left and precent or respond much more quickly and effectively to the 68-95% of breaches originating with the human element.

To stay economically viable and to create fair and profitable premiums, insurance companies need more visibility into their customers’ risk posture and their HRM programs’ progress and results.

HRM platforms address the human layer of security vulnerabilities, mitigating the majority of breaches that originate from phishing and social engineering attacks.

The focus on the human element, driven by insurance and business alike, might be having an effect on global risk posture. A 2024 Reuters article reported that, "Cyber insurance premiums are falling globally as businesses become more adept in curbing their losses from cyber crime, even as ransomware attacks are rising, broker Howden said in a report on Monday."

"MFA is the most basic thing you can do, it's like locking the door when you leave the house," Sarah Neild, head of UK cyber retail at Howden, told Reuters.

Lessons from Car and Health Insurance

Cyber is a young line of business in the insurance industry. It's been tricky figuring out what to cover, and how to incentivize customers to be less risky and more transparent. The car and health insurance industries offer insights into how HRM can reshape cyber insurance.

Telematics data in car insurance helps insurers reward safe driving behaviors with lower premiums. Age, gender, driver record, credit score, marital status, vehicle type and color, location, education level, and occupation all play a role in car insurance. 

Similar to how health insurers and businesses incentivize healthy behaviors via corporate wellness partnerships for greater productivity, and to lower healthcare costs, insurers can incentive businesses to have better cyber wellness via training and HRM.

Organizations that demonstrate high security awareness and proactive threat reporting, for example, could receive premium discounts. By analyzing employee behaviors—such as click rates on phishing emails or reporting times, or safe data storage and consistent use of MFA—insurers can better assess risk and adjust premiums accordingly.

The future of cyber insurance: integrating HRM

To future-proof the cyber insurance industry, a more integrated approach between insurers and HRM vendors is needed. By working together, they can create more accurate risk assessments, provide customized training, and continuously monitor employee behavior. This collaboration would lead to:

• Enhanced Risk Assessment: HRM platforms collect behavioral data to assess an organization's security posture. This data allows insurers to offer personalized premiums based on the actual security behaviors of employees, such as phishing simulation performance.
• Improved Security Posture: HRM platforms continuously improve employee awareness through regular phishing simulations and training, ensuring organizations are resilient against evolving threats.
• Reduced Claims and Costs: Fewer successful attacks result in fewer claims, stabilizing costs for insurers and offering more affordable coverage for clients. Preventive measures, such as phishing simulations, are more cost-effective than dealing with the fallout of a breach.
• Incentives for Proactive Security: Just as health insurance offers premium discounts for healthy behaviors, cyber insurance can reward organizations that invest in advanced security measures, SAT, and regular training simulations. Coverage for preventive measures like security audits should also be incentivized.

‍

The future

The future of cyber insurance lies in embracing human risk management. By learning from the insurance models of other industries, cyber insurers can better understand and influence user behavior, offering fairer premiums and improved risk management strategies. Through the integration of SAT and HRM platforms, insurers can provide more comprehensive coverage, leading to a more resilient and secure global cyber landscape.

‍