The Future Of Cybersecurity Insurance: Policies That Follow The Risk
By Jack Kudale, founder and CEO at Cowbell, provider of the industry’s first continuously underwritten AI-powered Cyber Insurance for SMEs.
The stability of the global economy is under attack. While cyberattacks on the Colonial Pipeline, meat supplier JBS and SolarWinds have made big headlines, the truth is no business — from global conglomerates to young entrepreneurs operating out of their garages — is safe from cyberattacks. According to Cybersecurity Ventures, a business, consumer or device is attacked every 11 seconds and it’s only predicted to get worse. By 2031, they anticipate that rate increasing to every two seconds.
The question that needs to be asked: What can we do to better protect these businesses, their owners and the people they employ? One fact that has been proven is that employing cybersecurity measures alone is not enough. While many cybersecurity offerings are prepared to prevent and protect against cyberattacks, we know it’s not realistic to expect every threat to be blocked. Business owners need to be prepared for the worst with sufficient cyber insurance coverage.
Why Consider Cybersecurity Insurance
The benefits of cybersecurity insurance are experienced by both the insurer and the insured. The insurers stay close and informed about the risks they have committed to cover. This makes them ever aware of the cyber exposures faced by policyholders and directly feeds into their risk aggregation modeling.
That knowledge gets passed on to the insured. Now they will get updated risk insights generated out of the continuous assessment process. This allows the insured to proactively work with their security partners to address any new risks as they are identified. The cycle continues as the insured can, in return, contribute to an improved loss ratio for insurers.
In short, cyber insurance provides proactive loss control for insurers and closed-loop risk. Seeking a cyber insurance policy that is right for your organization can be a daunting task, but it doesn’t have to be if you know what practical elements to look for before making a decision.
1. Find a policy aligned with your organization’s unique risk exposures.
We know cyber insurance portfolios underwritten using traditional approaches have become disconnected from the risks covered. Cyber threats are constantly evolving; assessing cyber risk once a year is no longer sufficient, and the underwriting process must account for this rapid change in the risk covered.
The answer for the industry in these changing times is a new approach called adaptive cyber insurance. What does that mean? It means continuous risk assessment and continuous underwriting, which starts with continuous monitoring and assessment and being aware of cyber risks policyholders face.
Insurers should provide coverage that adapts to the rapidly evolving risks businesses of all sizes face today and will continue to face in the future. A cyber insurer should know what threats policyholders face and share the information with the insured. Now both sides can be secure in knowing the policy covers the appropriate risk exposures.
2. Look for a partner that utilizes dynamic, online insurance applications.
Additionally, when a customer is applying for cyber insurance, they should not be presented with a paper-based application. Those applications cannot capture just how complex an organization’s digital footprint can be, especially when that footprint is changing by the day and sometimes by the hour.
Traditional insurers who sell cyber policies have been known to require applications for different aspects of cyber threats — a separate application for each of the risk exposures a business faces. Seek out insurers who only require one application that covers all risk exposures. This will simplify the process and get the application process off to a less confusing start.
3. Seek out an insurer who does more than help you get back up and running again.
An insurer should not just help cover the damages and aid the customer in getting their business back open as soon as possible. As highlighted in the New York Department of Financial Services framework for cyber insurers, insurance providers have a role to play in educating policyholders about cyber risk and providing resources to help them understand and manage their risk. A cyber insurer should be there for risk management and to recommend what to do in the wake of a cyberattack, then provide the tools and researchers to help their policyholders stay ahead of any future attacks.
Even if a business owner can resume normal operations for the business, they will likely have to deal with regulatory fines, penalties, lawsuits from vendors and clients and reputation issues for months, if not years after the incident. Make sure your prospective policy covers all of this.
Evolving Protection Against Evolving Threats
Businesses cannot look at cyber risk the same way they look at other risks such as floods and fire. We know how those risks behave. We have decades of data to accurately measure the best way to underwrite those policies. Cyber threats are new, and they evolve, constantly looking for a business’s soft spot. What-if analysis and financial modeling do not apply.
If we are looking for a clear indicator of how serious cyberattacks have become, look no further than Federal Reserve Chairman Jerome Powell’s interview with CBS’ 60 Minutes earlier this year. Powell said his biggest concern is not a repeat of the 2008 financial crisis; it is cyber risk. Insurers and the insured both need to be on constant watch for these threats to ensure the best protection is being provided.