Cybersecurity awareness training is emerging as a cornerstone in the new age of cyber insurance. In the face of mounting cyberattacks and surging consumer demand, cyber insurance premiums are swelling, coverage is narrowing, and some insurance giants are stopping cyber coverage altogether in the new normal of outrageous cybercrime costs. As a result, insurers are for the first time being very selective with customers and restrictive with coverage.
“Since the pandemic, the conversation about cyber insurance has changed,” said cyber insurance expert, Alexendar Tlili, former Underwriter for Financial Lines PI and Cyber S&P, Zurich Insurance Company. “It used to be about whether you could get a better deal on cyber insurance. Now it’s about whether you can get a deal at all.”
But there’s hope. Social engineers target employees; 90% of breaches contain a human element. The solution will, too. Experts agree that by elevating the global standard of cybersecurity awareness, breaches will decelerate and we can reverse a dangerous trend in cyber insurance and risk management that is leaving companies over-exposed to an increasingly sophisticated threat landscape.
While 2021’s ransomware mega-breaches have grabbed headlines (Kaseya, JBS, and Colonial Pipeline to name a few), the untold story has been that the total financial impact of cybercrime—especially the types that involve employees and can thus be mitigated with better awareness--on insurers has pushed the industry over the brink of profitability. If 2019 to 2020 were to be described as death by a thousand phishing hooks, 2021 multiplied the threat and accelerated the gradual demise of cyber insurance by an order of magnitude.
5 freaky facts about the state of cyber insurance today
A fundamental shift is occurring in cyber insurance. The industry is counterbalancing heavy losses with higher premiums and restrictions, and is no longer working hard to get new business. Demand has outstripped the industry's resources, at least as traditionally practiced. Moreover, insurance comanies themselves have become top targets of cybercriminals for record-breaking ransomware attacks. In March 2021, CNA Financial paid $40 million to cyber criminals after negotiating down from the original $60 million ransom demand to regain control of stolen data and systems encrypted with malware called Phoenix Locker, a variant of Hades ransomware, which was created by the Russian cybercrime syndicate, Evil Corp.
A Nov, 19 Reuters article provided some stark examples and statistics:
- One UK technology company previously bought 130 million pounds of professional indemnity and cyber cover from an insurer for 250,000 pounds. That ratio shifted to 55 million pounds of cover for 500,000 pounds. Nearly one-third the cover for double the price.
- Insurers who issued $5 million cyber liability policies last year have scaled back to limits of between $1 million and $3 million in 2021, a report last month by U.S. broker Risk Placement Services (RPS) found. One-fifth the limits.
- Overall, premium rates have almost doubled in the United States and jumped by 73% in Britain as a result of the frequency and severity of ransomware attacks, according to insurance broker Marsh.
- RPS said rates for some policies had risen by as much as 300%. Rates are tripling,
- Ransomware payments exploded from as low as $600 a few years ago to as high as $50 million today (remember, only a fraction of ransomware payments are reported to the public). Exponential growth ransomware demands and payouts.
Cyber is becoming an endangered species of insurance
Several factors have contributed to the dire cyber risk climate, and insurers have played an unwitting part. Ransomware is today a thriving multi-billion-dollar criminal industry partly because insurers have traditionally payed ransoms so often. Criminals saw the low risk and high reward of cyber extortion and they became more organized. As a result, ransomware attacks, like all other phishing attacks, have become more sophisticated. And with the pandemic-driven shift to remote work and the cloud, there were many more opportunities to attack corporate networks at the people layer.
People, however, aren’t any more prepared than they were before the pandemic. Experts see improved security awareness as key to fixing an overall unhealthy environment for business.
“In the end, we want our clients to not have a cyber-attack at all; this is the goal,” said Tlili. “You don’t do this by filling a check box but by mitigating the risk of a cyberattack. I would recommend to a potential customer to think about what they can do to help their employees mitigate the risks of email and web surfing, and not just look at cybersecurity training as a check mark they have to do to be compliant.”
Experts agree that cybersecurity training will be crucial to obtaining cyber insurance at all, much less at a decent price. Insurers make their money by calculating risk, and that risk equation is off-kilter due to people being unequipped to spot and report a malicious email. Ninety percent of security breaches start with email. Experts say training must go beyond mere check-a-box compliance, motivated by regulatory and liability penalties, and evolve towards actually preventing security breaches at the people layer.
“A lot of companies focus on technical improvement: ‘How can I make sure I have the best IT and detection systems in place?,” said Tlili. “But in the end, they usually forget that the weakest link is an employee.”
2021: The cyber insurance tipping point
In 2021, cyber insurance became officially unprofitable for many insurers. And now, the dominoes are falling. Insurance behemoth Lloyd’s of London is discouraging its syndicate from taking on new cyber business, according to a Nov. 19 Reuters article that also reported a universal halving of cyber coverage in 2021. Likewise, in August, Reuters reported that US insurance giant, AIG tightened its terms and conditions for coverage while raising premiums by over 40%.
"Insurers are changing their appetites, limits, coverage and pricing," Caspar Stops, head of cyber at insurance firm Optio, said. "Limits have halved – where people were offering 10 million pounds ($13.50 million), nearly everyone has reduced to five." – Reuters
The shrinking of coverage comes in the face of surging demand. The National Association of Insurance Commissioners (NAIC) Report on the Cybersecurity Insurance Market, released Oct. 2021, reported that the cyber insurance market in the U.S. grew to roughly $4.1 billion in direct written premiums in 2020, an increase of 29.1% from the prior year. But concurrently, direct payouts for cyberattacks—especially ransomware-- exceeded premiums, with loss ratios of 24.6 % to 114.1% according to a Nov. 9 report in the Insurance Journal.
“Now we are getting into the next phase where it’s getting harder and harder for companies to get insurance coverage,” said Tlili, noting that cyber insurance is a relatively new phenomenon in Switzerland and continental Europe, compared to in the US. “Insurers have been getting much more restrictive. Insurance coverage has been provided much less so than in the previous year.
Lloyd’s also announced on Nov. 30 they would no longer cover cyberattacks that they categorize as fallout from nation-state cyberattacks. Their vague definition of what constitutes nation-state fallout appears arbitrary enough to exempt them from all sorts of sizable payouts.
The decisions by Lloyd’s and AIG are unsurprising given the sate of their industry. The afore-mentioned Nov. 9 report in the Insurance Journal stated that the top players in cyber insurance are uniformly operating in the red. The current situation makes as much business sense as providing drought insurance in Chile’s Mars-like Atacama desert.
“The top 20 groups in the cyber insurance market reported direct loss ratios in the range of 24.6% to 114.1%. The loss ratio for 2020 for the top 20 groups averaged 66.9%, up from 44.6% in 2019… Currently, cyber insurers are seeing their expenditures surpass 70% of premiums paid and thus it should be ‘no surprise that cyber insurance premiums are on the rise,’ the report notes. NAIC said insurers’ price increases are likely to be reflected in the 2022 version of its cyber report.” – Insurance Journal, Nov. 9
Cybersecurity awareness training, risk management, and the future of cyber insurance
These numbers paint a grim picture for the future of cyber risk management, which depends on insurance. Cyber fundamentally differs from traditional insurance, like home or car. Cyber, Tlili explained, is a very new insurance category. Its risks are unusually complex and extremely dynamic and volatile. As technology changes, so too do the security risks associated with its adoption. The mass migration to remote work and the cloud opened multiple security vulnerabilities that attackers have eagerly exploited. Consequently, the cyber insurance landscape has been profoundly disrupted and insurers are scrambling to reimagine it.
The hottest topic in cyberinsurance, affirmed Tlili, is ransomware. US businesses reported $590 million in losses to ransomware in just the first six months of 2021, compared with $416 million for all of 2020. That figure is certain to be higher by orders of magnitude, as only a fraction of ransomware victims do report their attacks; there’s no incentive to do so.
“One of the biggest conversations is about whether insurance companies should continue to pay ransomware payments,” said Tlili. “Since the pandemic, there was a huge increase in cyber incidents and payouts due largely to the rise of ransomware. Insurance companies realized the way they used to do it was not profitable anymore. They needed to change their approach.”
8 things cyber insurance covers today
The direct costs of a ransomware attack are only a part of the whole bill. Companies must pay, for instance, to repair their networks and restore their data while also sometimes shelling out additional millions in PR to mend their brand reputation and reestablish consumer trust. Insurance is critical for helping pay that bill. CSO magazine summarized 8 things that cyber insurance covers as thus:
- Losses resulting from business interruption (lost revenue because of systems being down or encrypted, i.e. via ransomware)
- Contingent business interruption; think, Kaseya (lost revenue because of systems being down due to a third party’s failure, such as an IT vendor)
- Digital asset destruction
- Data retrieval and system restoration costs
- System failure
- Cyber extortion/ransomware
- Breach response and remediation expenses
- Social engineering and cybercrime, and network security and privacy liability
An inflection point
The key to stabilizing cyber risk is for companies and insurers to work together towards the common goal of minimizing breaches.
“We might be getting to an inflection point,” said Tlili. “On the one hand, if clients are not getting enough coverage, they may need to look elsewhere. But on the other, if clients can’t protect themselves better from cyber-attacks, then it may be that insurance companies aren’t profitable. We need improvements on both ends to get to a healthier environment.”
Employees, if properly trained, are the first line of defense. By equipping them with the skills to spot and report malicious emails, companies proactively lower their incidences of breaches and demonstrate to insurers that they are actively taking cyber threats seriously. Insurers take a holistic approach to assessing a company’s cyber risk posture, from the technical to the human layer, and security awareness is a key factor for the overall profile.
Tlili noted that awareness vendors themselves don’t typically factor into an insurance coverage or premium decision. Still, the results of an awareness program are weighed. A weak awareness program that doesn’t keep pace with the evolving threat landscape will confer weak awareness results.
“An ideal insurance customer,” explained Tlili, “shows that they are constantly striving to improve their risk profile, and that they are demonstrating an ability to adapt along with the constantly-evolving threats. Cyber criminals keep changing their tactics each year so as a company, you need to change your strategy as well. You need to adapt as well. You can’t just stay static.”
8 factors insurers examine for coverage decisions with potential customers, with Alexander Tlili
- What is your company’s maturity level in terms of cyber defense and awareness?
- How well protected are you against ransomware, the bane of business and insurance alike?
- What kind of cybersecurity training are you giving employees?
- What has been your progress with your awareness training and your risk? For instance: How have you improved on your benchmark simulation fail rate?
- How are you demonstrating a desire to improve and a willingness to challenge the status quo of cyber risk?
- Is your training static, or does it align with the risks facing your industry? For example, does your training program address the seasonality of your business and when you’re most vulnerable to attacks?
- Has your security budget expanded appropriately?
- Overall, are you mitigating your risk?
Why security awareness training is the answer
At Hoxhunt, we’ve seen dramatic reductions in true risk of a phishing attack breach quickly following the introduction of risk-based (not just compliance-based) awareness training. Even though Hoxhunt threat simulations are designed to get more difficult as employees progress through the training program, fail rates typically fall by 60 – 85% within a few months, dropping from as high as 30% as at IGT, to typically between 2-6%. Check out the case studies.
Read more about cybersecurity awareness training
- Attackers Personalize Phishing – How About Your Training?
- Cybersecurity Awareness Year in Review 2021
- Cybersecurity Awareness Month Webinar With Nixu and Aktia
- ISO/IEC 27001 compliance and cybersecurity awareness training
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt