Is the cyber insurance industry on the brink of collapse?
The cyber insurance industry, battered by a seemingly unending onslaught of claims, is reaching a breaking point. According to the FBI’s latest Internet Crime Report, cyber-related complaints have increased by more than 180% over the last 5 years, resulting in $18.7 billion in losses.
Last year, some carriers ended up paying out more in claims than they received from premiums. As a result, the industry is now demanding that customers reduce their exposure or face steep price increases or quite possibly cancellations.
In an effort to shore up the industry, some insurance providers are taking a more hands-on approach in an effort to reduce their client’s risk. At the forefront is an attempt to mitigate human error, the crux of the problem. According to a 2021 Data Breach Investigations Report from Verizon, accidental clicks or other mistakes make up 85% of successful hacks. This has led insurers in search of cybersecurity training programs that have been independently verified to actually change human behavior.
No longer optional
Survival of the cyber insurance industry is paramount. According to the National Cyber Security Alliance, 60% of small to medium businesses (SMBs) fold within six months of a cyberattack. The irony is that while SMBs cannot afford to go without cyber insurance, many soon won’t be able to afford the insurance itself.
Business owners and CEOs are feeling the seriousness of the situation when their renewal letters arrive. Premiums – which increased by as much as 300% in 2021, according to a report by Risk Placement Services Inc. – are expected to escalate at an even more dramatic pace moving forward. At the same time, insurers are adding exclusions, limiting coverage, and some are even exiting the market entirely.
“For some underwriters, the risk in offering cybersecurity coverage is simply too great at this point in time,” noted Mark Weir, who has spent over 30 years in the insurance industry and is now managing director of LCM Solutions, a Canadian consulting firm. “In spite of the fact that taking risks is their business, insurance is an industry that doesn’t like uncertainty.”
In the early days of cyber insurance, the one thing guaranteed was hefty profits. Insurance companies were eager to get into the market because demand was high and the perceived risk was low.
“Initially, companies were offering cyber insurance thinking they would never actually have a claim,” explains Jeremy Harris, CEO of Mindshare IT, a managed service provider offering both IT and cybersecurity services. “Now they find themselves in a sticky situation and are looking for solutions.”
In the past, almost all incidents were covered regardless of fault. Today, if a company fails to properly train employees or demonstrates poor security hygiene and gets hacked, its claim may be denied and future access to coverage could also be in jeopardy.
Dramatic rise in attacks
The cyber insurance industry may have become a victim of its own success. As insurers began to offer more coverage, businesses may not have felt the need to be as vigilant in their defenses. Often, they would quickly pay ransomware assuming they would be reimbursed. As a result, cybercriminals may have become incentivized to target companies with cyber insurance policies in place.
Now, with escalating attacks and shrinking coverage, insurers are trying to actuate companies to be more vigorous in reducing risk. Of note is the push for more stringent employee education on cybersecurity issues.
Many experts feel training is crucial in order to slow down successful phishing breaches, which account for an overwhelming majority of attacks. Phishing, along with other forms, like vishing – over the phone, smishing – via text, and pharming – visiting fraudulent websites, often leads to the deployment of malicious software, like ransomware.
A growing number of new regulations now require a number of industries to add ongoing education to their security programs, but some top executives question whether these generic training programs work as advertised.
“Our view is training that does not impact risky behaviors is a waste of time and money for our clients,” says Kirsten Bay, CEO of Cysurance – a US-based cyber insurance company that writes policies to protect against privacy breaches, identity theft, system damage, and other cybercrimes.
Bay says that Cysurance was looking for a training platform that took into account how different personality types perceive and respond to risks, such as an email with a link or attachment. The platform would then target those specific people with consistent, ongoing training materials that would evoke a change in one’s actions.
“For us, the goal is to find proven ways to detect and prevent harm which then lowers the risk of both a security event for our clients and also a future claim,” explains Bay. “Our partnership with cyberconIQ accomplishes that.”
Based in York, PA, cyberconIQ pioneered the merging of psychology and technology to measure and manage cybersecurity risk. The company’s assessment, training and education have been proven to reduce the risk of a successful attack by 45-90%.
“I think what you're seeing with the better security training companies out there is that they really focus on the individual’s personality and train them accordingly,” says Harris. “Those that have metrics proving a reduction in potential breaches are rising to the top.”
Personalized behavioral training
Some personalized training programs have demonstrated they greatly reduce the rate of phishing failures. For example, cyberconIQ has been verified to cut failures from a national average rate of 15% - 18%, to fewer than 2% after just 30 days.
In their program, CyberconIQ uses a 40-question assessment, akin to a Myers-Briggs personality test, to assess the susceptibility of each employee. Then, by utilizing machine learning to develop a customized approach, they can correct key motivating factors that drive underlying online behavior and measurably lower their vulnerability to fraud.
“What we look for is to develop a ‘culture of compliance,” remarked Weir. “However, what helps one person, may not be helpful to another. So, this idea of first evaluating the psychology of the individual and then educating that person based on their natural propensity is a game-changer. I think it is going to be what keeps the cyber insurance industry afloat.”
By partnering with a cyber training company that provides verified proof of reducing claims, insurance companies can greatly minimize their risks and therefore reduce the costs of their coverages.
“I give a lot of credit to those insurance companies who are smart enough to realize they have to help their clients mitigate risk,” concludes Harris. “It’s for the good of these small companies as well as the overall health of the cyber insurance industry.”
Stephen Moramarco is an Arizona-based freelance writer with more than 20 years of experience writing about technology and the cybersecurity industry.