The world should be bracing for an increase in cybercrime, with the global cost of cyberattacks expected to surge over the next few years from $9.22 trillion in 2024 to $13.82 trillion by 2028, equivalent to over half the U.S.’ gross domestic product (GDP).
Over the last five years, companies have continued to increase their investment in cyber tools, yet fewer than 25% of organizations say they are "extremely confident" in their ability to respond to a cybersecurity event. This raises alarm bells for the future of cybersecurity and our collective ability to insure its risks.
In 2023, over 60,000 emails from U.S. State Department accounts were stolen when Chinese hackers breached Microsoft’s cloud-based Exchange email platform. Recently, Clorox suffered over $350 million in damages. In December 2023, genetic-testing company 23andMe admitted that nearly seven million people’s information was accessed by threat actors.
Adding UnitedHealthcare’s recent breach to the list, operational disruption is replacing mere data loss as the dominant harm in cybercrime, and traditional exclusion language in riders is not proving as useful in the cyber domain as it has been in property and casualty. We are in a new era.
For the last five years, rising cyber insurance premiums and closer attention to the presence and maturity of key cyber risk reduction measures at companies, such as regular tabletop exercises and adoption of control frameworks like the NIST Cybersecurity Framework (NIST CSF) or the CIS Critical Security Controls (CIS Controls), have been enough for insurers to improve their underwriting and profitability. It may feel like we are in equilibrium, but we are really in the calm before the next storm.
Why? Because like so many times in the past, all we have been doing so far is to ask, “Are you doing the right things?” We have not been asking the crucial question: “Are they effective?”
The new era in cyber risk, in how it is managed and in how it is underwritten and insured, calls for taking every defense to that last step: underwriting not just on paper confirmation that a company's controls, response plans and restoration procedures exist, are mature and are rehearsed in tabletops, but on (i) how effective those controls and procedures actually are in practice and (ii) whether that effectiveness is measured regularly, with the real defensive tooling, under realistic and severe event conditions.
Underwriting on effectiveness criteria is called Efficacy-Based Underwriting (EBU), and it is how more underwriters can take advantage of the kind of information an increasing number of companies can now provide.
Large numbers of companies around the world learned how to test the efficacy of their internal controls over financial reporting after the passage of Sarbanes-Oxley; CFOs led the way. Following new cyber regulation, DORA in the E.U. and the SEC cyber disclosure rules in the U.S., CISOs are now leading the way in regularly testing and demonstrating the efficacy of their cyber controls. This is the key new lever for underwriters as they confront this new era of operationally disruptive cyber risk.
See also: How to Build a Solid Cybersecurity Program
Contextualizing the financial risks of cybercrime
Cyber insurance, or cyber liability insurance, protects businesses and individuals from the financial consequences of cyber incidents. The global average cost of a data breach stands at $4.5 million, up 15% over the last three years. As the cost of cybercrime balloons and cyberattacks pose a growing threat to a company's infrastructure, cyber insurance, together with a clear view of actual and residual cyber risk exposure, is no longer a luxury.
Recent research indicates that only 19% of companies report coverage for cyber events above $600,000, and just 55% have any cyber insurance at all. The larger hurdle, however, is that ineffective underwriting models keep dampening businesses' appetite to buy cyber insurance and insurers' appetite to provide it.
Companies rarely know how severe an incident they can actually withstand. That gap explains why boards are unsure whether their cyber risks are covered and why premiums can be so expensive. If the industry insists on a data-driven, efficacy-based approach to locating that line in cyber, it gives companies and insurers alike a more adequate basis for coverage.
Weaknesses in legacy underwriting models
Contemporary cyber underwriting still relies on inputs from paper-based assessments. There have been improvements in recent years: more data on large losses is available, which has let underwriting models account more accurately for industry and company characteristics, and frameworks such as the NIST Cybersecurity Framework 2.0 and the Critical Security Controls from the Center for Internet Security (CIS) have given the conventional questionnaire-based approach a more rigorous structure.
Nevertheless, despite the adoption of more exhaustive risk management frameworks, underwriting models still rely primarily on paper-based evaluations of "control maturities" and generic risk exposure models. These are proxies; they do not measure how effectively an organization can actually deploy its security measures or restoration procedures during a significant cyber event.
The growing record of material losses underscores the limits of paper-based assessments as performance indicators. Recent incidents, such as the contentious settlement of Merck's $1.4 billion cyber insurance claim, show that exclusionary provisions are an inadequate answer to the rapidly evolving nature of cyber threats and to the increasingly diverse ways they inflict financial harm on companies.
The efficacy-based underwriting model
By re-centering cyber underwriting on the regularly measured effectiveness of a company's cybersecurity measures, rather than on paper evaluations alone, insurers can establish the threshold needed for accurate underwriting. Insured enterprises that rigorously stress test their systems also gain a stronger incentive to adopt preventive postures grounded in measured efficacy and proficiency, so they are ready when a real cyberattack hits.
What's encouraging is that many companies in the U.S. and worldwide have been conducting efficacy testing and refining their cyber controls over the last few years. From optimizing tech stacks to stress testing systems, these methods strengthen an organization's security posture across people, process and technology. The approach entails maintaining high-fidelity replicas of the organization's networks and subjecting them to regular attacks, escalating from minor to severe, until a control fails. That lets a company verify that its teams, tools and procedures remain effective even against the most serious threats. The objective is to continuously assess the effectiveness of individual controls and of all of a company's controls working together. Metrics-based efficacy testing in cybersecurity can be, and already is being, implemented.
This approach can be seen in the airline industry. Flight crews regularly practice their responses to severe engine outages and hydraulic and other systems failures in high-fidelity simulations of the Airbus or Boeing planes they fly. They are allowed to fail in this environment and often do. The data collected from such exercises shows where responses are correct and where they fall short, and goes a long way toward ensuring pilots are proficient and prepared to handle such events on real commercial flights. The analogy demonstrates both the effectiveness and the necessity of testing out-of-production networks, so that companies discover their flaws in a simulation rather than in the real world.
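As an added worked example (not code from the original article, and not any vendor's product), the following Python script shows how the metrics-based efficacy testing described above could be scored. Each trial is one simulated attack run against a replica environment, replayed at increasing severity until a control fails, and the script keeps what the questionnaire attests (control "in place") separate from what the simulation measures (detected, contained, minutes to contain). The control names, scenario labels and results are constructed for illustration; the metric names (paper-vs-practice gap, resilience floor) are this example's own.

```python
"""Efficacy scorecard: paper attestation vs. measured control performance.

Added example, not code from the article. Control names, scenario labels
and results below are constructed for illustration only.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TrialResult:
    scenario: str                      # constructed scenario label
    severity: int                      # 1 (minor) .. 5 (severe)
    control: str                       # control under test (constructed name)
    attested: bool                     # questionnaire said "control is in place"
    detected: bool                     # simulation: the control raised an alert
    contain_minutes: Optional[float]   # minutes to contain; None = never contained


# Constructed sample run against a replica network (not real data).
# Each scenario is replayed at increasing severity until a control fails.
TRIALS: List[TrialResult] = [
    TrialResult("phish-to-cred-theft", 1, "EDR", True, True, 12.0),
    TrialResult("phish-to-cred-theft", 3, "EDR", True, True, 40.0),
    TrialResult("ransomware-lateral", 4, "EDR", True, False, None),
    TrialResult("ransomware-lateral", 5, "EDR", True, False, None),
    TrialResult("data-exfil-dns", 2, "DNS-filtering", True, False, None),
    TrialResult("data-exfil-dns", 4, "DNS-filtering", True, False, None),
    TrialResult("backup-restore", 3, "Offline-backups", True, True, 180.0),
    TrialResult("backup-restore", 5, "Offline-backups", True, True, 540.0),
    TrialResult("mfa-fatigue", 2, "MFA", False, False, None),
]


def scorecard(trials: List[TrialResult]) -> Dict[str, dict]:
    """Per-control metrics: what was attested vs. what was measured."""
    by_control: Dict[str, List[TrialResult]] = {}
    for t in trials:
        by_control.setdefault(t.control, []).append(t)
    result: Dict[str, dict] = {}
    for control, runs in by_control.items():
        contained = [r.contain_minutes for r in runs if r.contain_minutes is not None]
        failed_at = [r.severity for r in runs if not r.detected]
        result[control] = {
            "attested": all(r.attested for r in runs),
            "detect_rate": sum(r.detected for r in runs) / len(runs),
            "contain_rate": len(contained) / len(runs),
            "mean_contain_minutes": mean(contained) if contained else None,
            # Lowest severity at which the control missed the attack: the
            # "test until failure" point the article describes.
            "fails_at_severity": min(failed_at) if failed_at else None,
        }
    return result


def paper_vs_practice_gap(trials: List[TrialResult]) -> float:
    """Share of trials where the questionnaire said 'in place' but the
    control did not detect the attack. 0.0 means paper matched practice."""
    attested = [t for t in trials if t.attested]
    if not attested:
        return 0.0
    return sum(not t.detected for t in attested) / len(attested)


def resilience_floor(trials: List[TrialResult], max_severity: int = 5) -> int:
    """Highest severity level at which every tested control both detected
    and contained the attack, i.e. the severity the organization has shown
    it can withstand. 0 means it failed at the first level tested."""
    floor = 0
    for sev in range(1, max_severity + 1):
        runs = [t for t in trials if t.severity == sev]
        if not runs:
            continue  # nothing tested at this level; do not credit it
        if all(t.detected and t.contain_minutes is not None for t in runs):
            floor = sev
        else:
            break
    return floor


if __name__ == "__main__":
    for control, m in scorecard(TRIALS).items():
        print(f"{control:16} attested={m['attested']!s:5} "
              f"detect={m['detect_rate']:.2f} contain={m['contain_rate']:.2f} "
              f"fails_at={m['fails_at_severity']}")
    print(f"paper-vs-practice gap: {paper_vs_practice_gap(TRIALS):.0%}")
    print(f"resilience floor: severity {resilience_floor(TRIALS)}")
```

On the constructed data every control except MFA is attested as "in place", yet half of the attested trials go undetected, and the organization only demonstrates resilience through severity 1. Those two numbers, the attestation-to-measurement gap and the severity the defenses actually held at, are the kind of evidence an efficacy-based underwriter can price on, where a questionnaire alone would have reported four controls present.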
See also: The Weak Point in Cyber Security
The sum of all parts
Cyber underwriters are no longer limited to evaluating companies on theoretical effectiveness. Companies can now furnish evidence of how their defenses perform against a comprehensive array of the latest significant cyber threats, and insurers can readily use that evidence.
For insured organizations, this means quarterly insight into how well their people, processes and technology perform against the most severe cyber threats. The granular efficacy data lets them fine-tune the performance of their defenders and their defenses, and gives them, and their insurers, clearer visibility into their cyber risk exposures. In turn, companies can be rewarded with lower cyber insurance premiums.
Cyber insurers that switch to underwriting models based on proven efficacy will better understand the extent to which risk and event exposures can be contained with minimal damage and disruption, and how quickly an organization can get back to business as usual after an incident. This approach should also let smaller companies, currently priced out of cyber insurance altogether, (re)access coverage.
Efficacy-based underwriting benefits both insurers and the insured. Insurers can offer lower premiums to the organizations that truly merit them, and businesses gain a reason to build cybersecurity best practices into the foundation of their operations. This closes the gap between paper reports that claim effectiveness and severe cyberattacks that reveal the contrary. Both insured parties and their insurers gain advance assurance in their capacity to withstand such events, leading to better outcomes for all.