By: Jennifer Tiang, Regional Cyber Leader in Asia for WTW
In previous years, the questions around cyber risk insurance were centred around ‘should we or shouldn’t we purchase’? Many boards and risk managers, not entirely sure of the value a cyber risk insurance policy brought, and on the justification of ‘we’ve never needed it before’, viewed cyber risk insurance with a cautious and cynical eye.
Perhaps the misconception of ‘we don’t handle high volumes of personal sensitive information’ was a convenient argument for boards to dismiss this new class of insurance out of hand. Another justification was a high reliance on the organisation’s IT teams: ‘our IT teams have our cyber risk under control. There’s no way we could get hacked. We are completely secure.’
In 2020, when the world got upended by a global pandemic and work routines, operational structures and life in general as we knew it underwent complete upheaval. IT teams globally that were thrust into the mission-critical roles of ensuring (i) availability of systems and (ii) security of environments in a remote working model.
The pandemic coincided with reports of unprecedented increases in reported cybercrime, namely, ransomware. In turn, this stark rise in cyber threats manifesting in real loss events, has had a profound impact on how organisations reframed cyber threats and cyber risks, the true cost of a cyber event occurring to their business, and in turn the cyber risk insurance industry which has collectively reported significant losses due to surges in claims in their cyber portfolios across all geographies and industry segments.
Significantly for organisations across Asia – the need for cyber risk insurance was brought sharply into focus.
What has this growth in demand and shrinkage in supply done for the cyber insurance market?
Based on WTW Cyber portfolio in Asia, we have seen rate increases range from 50% to 200%. This will be after several rounds of lengthy negotiations, thorough remarketing activities to different carriers and scrutinising for coverage changes we could implement to effect premium savings.
One surprising finding has been that when remarketing an account, the alternative pricing has often been quoted with terms more expensive than that of the incumbent insurer’s pricing. Another dimension of the remarketing process is also that the alternative carrier will request a vast set of alternative underwriting information, with each carrier formulating their own cyber risk underwriting due diligence at chief underwriting level.
These are disseminated throughout their regional and local offices with strict oversight and often little room for deviation. The result is that an insured seeking an alternative cyber insurance quotation, is subjected then to an entire new round of scrutiny and cybersecurity ‘audit’ from a fresh set of eyes. The ‘questions fatigue’ facing insured’s IT teams and Chief Information Security Officers may be inevitable and, unfortunately, unavoidable.
One may have thought these mounting hurdles in procuring cyber risk insurance combined with increasing premium levels would serve to dampen demand for cyber risk insurance. However, we have found the opposite to be the case.
The growing realisation of the extensive cost outlay of a cyber event is now sitting uncomfortably for boards, risk managers and finance departments. Costs scale quickly and multifacetedly – across various workstreams – including digital forensics, public relations, legal, and business interruption. The response costs alone can accumulate to several million dollars for a single event.
Organisations are now dealing with ‘active assailants’ in the cyber risk landscape and thus the hallmarks of cyber claims are now both by severity and frequency. Many of the cyber claims we have or are currently dealing with at WTW in Asia exceed the USD1 million-dollar mark in losses. While premiums may be higher than several years ago, it seems that for the majority of organisations, the opportunity cost of not carrying cyber insurance, is far costlier in the long run.
The increasing question facing organisations now therefore isn’t ‘should we or shouldn’t we purchase?’ but ‘can we get it?’.
Organisations must be able to demonstrate adequate baseline cybersecurity controls before insurers will even offer a quotation. In the current market, many insurers will simply decline to provide a quotation where baseline requirements are not met.
So where should we invest? IT security or cyber insurance?
This should not be an either/or question. CrowdStrike, a cybersecurity technology firm, notes aptly: “Cyber insurance is not a substitute for cybersecurity”. A well thought out cyber risk strategy involves the right balance between organisational investment in its people, discipline in its processes, and investment and deployment in the right technologies to monitor threats and mitigate cyber-attacks from manifesting. Once these lines of defence are in place, insurance rounds out the picture as the final layer of defence. Cyber risk insurance is the financial backstop after reasonable investments have been implemented and best efforts deployed to mitigate against attack.
While no two organisations are identical in terms of their network setup and IT environment, insurers have adopted broad baseline security measures which they look for in an organisation, before they deem the organisation ‘insurable’. Just like how a property insurer would not insure a building without locks and sprinklers, cyber insurers would not insure companies that didn’t meet certain baseline IT security controls.
What are these baseline controls?
Cyber Insurer Areas of Focus
- Implementation of multi-factor authentication across your IT estate / environment.
- Deployment of endpoint detection and response solution for all endpoints.
- Backup Management – a multi-tiered strategy that supports effective data security and restoration.
- Encryption of data-at-rest and data-in-transit, supported by a data classification strategy.
- Approach to network defence that includes use of firewalls, web traffic monitoring and email filtering.
- Effective and repeatable patch, change management processes or policies in place.
- Strong approach to workforce cyber awareness and training, includes phishing simulation.
- Implementation of incident response, business continuity and disaster recovery plans – tested in the last 12 months.
- Network segmentation (including data, IT and OT environments etc.) by business and geography.
- Implementation of a formal privileged access management solution.
- All local admin privileges disabled for standard IT users.