Canadian Underwriter

Six ways insurers can reduce ransomware risk

January 18, 2022   by Erin Kenneally



Cyber insurance was once seen as a bright spot for the commercial insurance industry, with lower loss ratios and higher profitability than other major areas of commercial coverage. Fast forward a few years and Fitch Ratings is reporting 2020’s direct loss ratio for standalone cyber at a staggering 73%.

Ransomware’s the main culprit. And there’s a cyber security and risk transfer chasm that requires insurers’ and the industry’s attention. A more strategic approach is needed to stem the rise of ransomware loss and damage. Here are six ways to do that:

1 Infosec loss prevention and mitigation

Progress on incident actuarial data has been slow, but infosec statistics around threat and vulnerability dimensions have improved. Reports from leading vendors agree the most popular attack vectors and sources of ransomware incidents are remote desktop protocol, email phishing, spam and unpatched vulnerabilities. If insurers can incentivize basic ‘blocking and tackling’ at client companies, including business continuity practices such as restorable backup technologies, they can significantly decrease risk exposures.

2 Risk management coordination

Good security hygiene must be intertwined with meaningful security metrics. A start would be to have underwriters, brokers and infosec professionals coordinate security risk metrics with controls and outcomes. This can better align risk optics, lower information asymmetries, and scale victimology beyond the current ad hoc dynamics.

How can insurers take up risk management coordination? At one end of the spectrum, simply requiring policyholders to assist in providing or verifying fundamentals and technographics would bring about more accurate cyber risk assessment. At the other, incentivizing insureds to share internal security telematics could add the missing link in cyber risk assessment and measurement.

3 Ransomware disclosure regulation

Since federal regulation, litigation, and laws that require reporting and disclosure of data breaches are the foundation on which data breach underwriting and coverage are anchored, it bears asking whether we need a similar enforcement function adapted to ransomware risk.

Regulatory fines, reporting requirements and breach costs have made data breach losses tangible. It’s unknown whether existing disclosure requirements will be sufficient for robust underwriting of ransomware risk. Government is uniquely situated to be a forcing function for awareness of the breadth of the problem.

4 Controls failure reporting

Standard components of digital forensics and incident response reporting include information about attack vectors and controls failure: how attackers were able to access company networks, and what technical or administrative safeguards were deficient.

Insurers documenting and sharing controls failure data would mark a significant step toward being able to quantify the end-to-end relationships between threats, security compliance and incident outcomes.

5 Data-driven predictive models

Because ransomware is a dynamic threat whose prevalence is unknown, and because it operates within interconnected target landscapes, knowledge of yesterday’s attacks can’t inform us about tomorrow’s outcomes. Foresight in cyber insurance can come through predictive models which incorporate both historical data and expert knowledge. Such predictive models can, in turn, drive more robust and reliable risk selection, pricing and risk-informed underwriting guidelines.

6 Extortion payment policy reform

Cryptocurrency is driving ransomware’s growth, so government intervention around ransomware and extortion payments stands to reason. Options range from an outright prohibition of ransomware pay-outs to efforts aimed at improving attribution and enforcement against bad actors. The insurance industry should consider how best to support, or even lead, these types of interventions.


Erin Kenneally, a former portfolio manager with the Cyber Security Division at the U.S. Department of Homeland Security, is now director of cyber risk strategy at Guidewire, a leading technology provider to the P&C insurance industry. 

This article is adapted from one that appeared in the November issue of Canadian Underwriter.
