Recent cyberattacks on everyone from SolarWinds to Colonial Pipeline to JBS have proven that no one is truly safe from a motivated threat actor. Technology, artificial intelligence (AI) and a whole host of other cybersecurity measures can help protect businesses, but it’s nearly impossible to block every threat that’s out there. One potential safety net stepping into the void to help protect companies financially is cybersecurity insurance.
But while cybersecurity insurance may look good on paper – why not pay a relatively small price if it can protect you against a multimillion-dollar ransomware threat? – it’s not so cut and dried, says Jim Cook, COO for Velta Technology. Before opening the checkbook to purchase a new policy, it’s important to understand the benefits and drawbacks and to ensure that your policy covers the risks specific to your industry.
The evolution of cybersecurity insurance
According to Cook, cyber insurance was initially sold very cheaply, making it an easy business decision. In fact, it was much cheaper to buy insurance than it was to actually fix the problems. Many companies simply bought an insurance policy and washed their hands of their cybersecurity responsibilities.
“The insurance company can tell you what’s the likelihood that you’re going to die, what’s the likelihood there’s going to be a car crash, what’s the likelihood of a fire,” Cook said. “They’ve got numbers on that. Back then, when they started selling [cybersecurity insurance], and until even today, they don’t have the right math behind it to say, ‘What’s the likelihood?’
“So this went on for a decade or more from when they started selling. They set those rates the same way that bookies set the line for football games. How much is coming in? How much is going out? So now they’ve created this cycle where it’s cheaper to buy the insurance than it is to fix the problem. Eventually, the bad guys caught up while everyone stood still. And now, the chickens are coming home to roost.”
As cyberattacks became more frequent and more damaging, this began causing problems for both insurance carriers (who were paying more in claims) and clients (who saw their rates go up while coverage went down). Many policyholders assumed they were covered, only to find their trusted insurance companies suddenly denying coverage. In such cases, lawyers often got involved, and claims could take years before they were satisfactorily resolved.
When it comes to operational technology (OT), the impact can be even bigger for insurance carriers. It’s no longer just about the digital impact of data compromise. In the case of a cyber physical compromise, companies also have to deal with reputational damage, human safety, potential fines and more.
“They’ve sold cyber insurance policies that now are affecting their commercial property and their D&O and other liability insurance, and they’re feeling the pain,” Cook said. “It’s because of the physical nature of those compromises that are causing the increase in claims, and the insurance companies are now … just starting to realize they’ve got bigger exposures that they don’t understand.”
A changing insurance market
One way insurance companies are protecting themselves and their bottom line is by increasing their requirements. Some are now asking for attestations that companies are following basic cybersecurity practices like multifactor authentication, segmentation, and vulnerability and patch management. But many companies don’t understand that OT operates by completely different rules. So, for example, if a company attests that it is doing basic patching but hasn’t patched an OT device because it didn’t know that was necessary, that gap can provide a loophole allowing the insurance company to deny coverage.
“What we’re seeing is this language is evolving, even this year,” Cook said. “It might be different than it was three months ago. As these companies are trying to understand, they’re making changes. The language and clauses are changing. They’re adding exclusions into those policies. As an example, war exclusions are going in, so pay attention to that. What happens if a particular threat or compromise comes through and impacts you, and it’s considered a state-sponsored threat? Can they say, ‘Well, that’s a war exclusion, and your insurance doesn’t cover you?’”
For cybersecurity insurance to work for both sides, Cook said it’s important to bring together experts from all disciplines to think strategically about the market. Is it the risk transfer that it’s supposed to be, now that rates are going up, coverage is going down and these new exclusions are in place?
“Companies need to start evaluating whether or not this could be the time that we really have to start protecting ourselves, because we can’t necessarily rely on the cyber insurance to cover the exposures that we think that we have,” Cook said.
It’s important to remember that insurance is not a silver bullet. It should be part of a multilayered cybersecurity strategy, not a substitute for a robust defense. Cyber insurance is a business, and the insurer’s goal is to make money. So while a policy can be a valuable asset, having a good one doesn’t mean you can ignore your cyber hygiene.
“If you don’t have cybersecurity capabilities in place in information technology (IT) and OT, you need to get it in place now,” Cook said. “This is what most organizations should have in place as a continuous improvement. We need to look at cyber securities, continuous improvement, risk reduction. They need to have that program in place. That’s going to take years to mature. I haven’t seen anyone that has that optimized.”
For now, insurance companies are still adjusting, leaving the market in continuous flux. With every Colonial Pipeline or SolarWinds, they are attempting to determine their true risk and limit their exposure. They’re trying to set a standard and figure out what measurements need to be put in place, so that they can reasonably evaluate risk and companies can reasonably secure their environments.
“There’s a lot of money to be made in insurance,” Cook said. “It’s much like gambling, right? You ever see that house always wins. Insurance is always going to win. The one thing I know, it’s different than it was from just a couple years ago in the cyber insurance space. They’re learning. They’re adjusting. I think we’re still going to continue to see change within 2022. They’re building their understanding of what the true impact is from this and what’s their true exposure.”
Watch for Part 2 of our interview with Velta Technology’s Jim Cook in the coming weeks, where he will discuss the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) known exploited vulnerabilities log and how organizations can use it for risk management.