A new report released this week from Perception Point and Osterman Research found that, on average, companies pay $1,197 per employee each year to address cybersecurity incidents — which can add up quickly the larger an organization is.
Sandeep Pattathil, a Senior Analyst at the IT advisory firm, Everest Group, told VentureBeat that a major challenge still ahead will be quantum computing’s algorithmic advances — not speed.
Organizations are leveraging IT security services to improve their security postures and prepare for challenges such as ransomware attacks and business disruptions. The COVID-19 pandemic, the shortage of cybersecurity talent, and rising CAPEX and OPEX in maintaining in-house security teams, especially during the Great Resignation, have further accelerated the adoption of security services. The US federal government has taken a serious stance against cybercriminals and has been proactively making laws on a range of security challenges, such as Operational Technology (OT) security and data privacy laws, such as the California Consumer Privacy Act (CCPA). All these factors combined have surged IT security services demand across North America.
Examine the profiles of 27 IT security service providers in North America
Study each provider’s strengths and weaknesses
Evaluate enterprise sourcing considerations
In this research, we present an assessment of 27 IT security service providers in North America.
Geography: North America
Industries: all industries
Services: IT security services
The assessment is based on Everest Group’s annual RFI process for the calendar year 2022, interactions with leading IT security service providers, client reference checks, and an ongoing analysis of the IT security services market
The PEAK Matrix® provides an objective, data-driven assessment of service and technology providers based on their overall capability and market impact across different global services markets, classifying them into three categories: Leaders, Major Contenders, and Aspirants.
With increased cyber attacks and data breaches post-pandemic, cyber insurance to protect against the rising digital threats is growing in demand. Cyber insurers can benefit by partnering with service providers to seize opportunities for growth and profitability in this fast-growing market. Read on to learn how.
Cybersecurity continues to be a top priority for enterprises across all industries, primarily driven by increased cyber attacks and data breaches in the wake of COVID-19. Enterprises are increasingly strengthening firm-wide cyber defenses and turning to cyber insurance as a mitigating measure to counter the rising threats in today’s increasingly digitized world.
In particular, the pandemic has accelerated the severity, frequency, and complexity of ransomware attacks. Data from the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) suggests the total value of suspicious activity reported in ransomware-related incidents during the first six months of 2021 was US$590 million, more than the US$416 million reported for all of 2020. The frequency has also gone up, with 658 ransomware-related suspicious incidents being reported during the first six months of 2021, representing a 30% increase from the total reports filed for 2020.
Costs associated with cyber attacks also are rising. According to the IBM Cost of a Data Breach Report, the average data breach costs rose from US$3.86 million to US$4.24 million in 2021.
All of these factors have led to a substantial increase in cyber insurance pricing across the world. An analysis by Marsh shows US cyber insurance pricing increased 96% year-over-year during the third quarter of 2021, which also represented a 40 percentage point increase from the second quarter of the year.
Image 1: US insurance market pricing change – overall commercial vs cyber insurance segments
US cyber insurance market provides significant growth opportunities
Direct premiums for US-domiciled insurers stood at US$2.75 billion in 2020 – less than 1% of the overall direct written premium in the US property and casualty (P&C) insurance market – reflecting the runaway growth in cyber insurance. This segment has also grown at a decent pace over the last five years, registering a compound annual growth rate (CAGR) of 13.3% during that period.
Standalone cyber insurance policies are gaining prominence and have seen faster adoption than packaged policies sold as add-ons to other insurance products/policies. This can be attributed to enterprises’ need for broader coverage and a better understanding of policy terms and costs.
While most carriers have mainly serviced corporate clients, they are now starting to focus on the retail segment by providing standalone cyber insurance products that have typically been sold as add-ons to homeowners insurance. For example, Chubb recently launched Blink, a new personal cyber protection offering that covers expenses related to identity theft, fraudulent wire transfer, cyberbullying, and ransomware extortion.
Insurers are also offering joint go-to-market (GTM) products to provide comprehensive cyber risk management solutions to enterprises. In 2021, Allianz and Munich Re partnered with Google Cloud to launch a solution for Google Cloud customers that combines the risk-transfer expertise of Allianz and Munich Re with Google’s security capabilities to provide clients tailored coverage.
Advent of insurtechs in the cyber insurance market segment
The insurtech space has recently witnessed increased activity where most newcomers are catering to specific segments like small to medium enterprises. Insurtechs are leveraging their tech capabilities to make the underwriting process more streamlined and automated while incumbents continue to face legacy issues.
However, insurtechs lack the capital resources of their traditional counterparts and hence are forming alliances with traditional insurers to combine their respective capabilities. Some insurtechs are also offering coverage on behalf of incumbents through the Managing General Agent (MGA) model.
Cowbell Cyber, a full-stack insurer providing cyber coverage to SMEs, raised US$100 million this March to expand its go-to-market channels and increase investments in data science, underwriting, risk engineering, and claims management
At-Bay, a cyber insurtech MGA, announced a partnership in September 2021 with Microsoft to offer data-driven cyber insurance coverage to Microsoft 365 customers
Challenges for insurers in a hardening cyber market
While cyber insurers have experienced significant top-line growth, profitability remains a major concern as payouts have outstripped premium growth. The increased payouts have led to higher loss ratios. The loss ratio for US cyber insurers increased from a 42% average during 2015-19 to 73% by 2020. Insurers are responding by narrowing the cyber coverage scope and limiting cyber capacity. They also are imposing sublimits for ransomware coverage and adding coinsurance requirements to cyber policies.
How can cyber insurers benefit from BPS partnerships?
Partnering with Business Process Services (BPS) providers can help cyber insurers in the following ways:
Providing underwriting talent: As the adoption of cyber insurance grows, it will also lead to higher volumes for carriers. Service providers can provide support by standardizing parts of the underwriting process to enable carriers to handle increased work volumes. This can include deploying straight-through processing by standardizing the intake process and applying rule-based engines for low-premium policies to free up time for underwriters to focus on larger policies. They can also take over non-core pre- and post-underwriting work and help create scalable Centers of Excellence (CoEs) at profitable locations.
Enabling technology: As carriers tighten their underwriting requirements with an increased focus on analyzing enterprises’ history of ransomware incidents and cyber breaches, they will heavily rely on third-party tools and public data sources to evaluate the insureds’ level of risk. This provides an opportunity for service providers to work with carriers to provide such tools and applications to help them assess risks associated with a particular firm.
Ensuring compliance: Amid the ever-evolving cyber threat landscape, governments and regulators across the globe are introducing new cybersecurity-focused legislation. The US Congress passed a new cybersecurity law in March mandating critical infrastructure entities to report cybersecurity incidents and ransomware payments to the relevant authority within 72 and 24 hours, respectively. Service providers can support carriers on various compliance-related matters. While some providers have compliance-specific expertise in licensing and filings, others have dedicated teams for compliance review and obligations. Third-party BPS providers can leverage these resources and work with carriers to ensure compliance.
Partnerships critical to the cyber insurance market’s future
As carriers seek growth in the cyber insurance market, they will need to strike the right balance to also achieve profitability. At the same time, service providers will have to keep up with the evolving market and appropriately build their cyber capabilities.
By working together, carriers and service providers can address some of the current market challenges and capitalize on the opportunities in the cyber insurance space to achieve sustainable growth.
We’ve all seen the headlines. Cybersecurity attacks are on the rise and often cause massive disruption – from financial loss and supply chain issues to corporate reputation damage. Enterprise leaders know they must take action, making cybersecurity a significant area of focus.
But with the rapid pace of change and push toward digital adoption, enterprises are struggling to identify the right vendors, determine the right price, and keep up with evolving operating models. Do you know the price you should be paying for the right level of cybersecurity?
Join this webinar as our experts explore:
How to select the right cybersecurity vendors
How to ensure that you are paying the right price for cybersecurity services
How to structure cybersecurity in your organization
Why cybersecurity is a top priority for enterprises and what the cybersecurity market size and future growth look like
Sharing sensitive data with outsourcing providers in today’s interconnected digital world has increased organizations’ vulnerability to cyberattacks, making it more important than ever to have an effective supplier cyber risk management strategy. To protect against threats, read on to learn the best practices for supplier cyber risk management.
In today’s risky and interconnected environment, it has become essential for organizations to have a supplier cyber risk management strategy to identify, protect, detect, respond, and recover from supply chain cyberattacks.
The critical importance of relationships with outsourcing service providers has been amplified by the pandemic and recent geopolitical turmoil due to the Ukraine-Russia crisis. Outsourcing suppliers now play a vital role in running business operations, and these partnerships have grown more sophisticated.
With data sharing between the two parties increasing multifold, organizations have greater exposure to ransomware attacks, phishing, denial-of-service, and other cyberattacks.
Depending on the sensitivity of data shared with suppliers, the potential risk of data loss can impact an organization’s business operations – making it essential to develop a supply chain cyber risk management plan to protect from significant financial and operational impacts.
Not having a formal supplier cyber risk management strategy can cause compliance issues. With scrutiny on global supply chains intensifying, a lack of supplier insights can lead to government regulation violations, resulting in financial losses and tarnishing an organization’s brand.
As suppliers have access to sensitive and business-critical information, managing permissions and protecting data from unauthorized access, misuse, and data loss become crucial.
Further, many other risks exist from a supplier’s operational perspective, including issues related to geopolitics, bankruptcy, and macro risks. Organizations should have complete supply chain visibility to rapidly respond to susceptibilities and disruptions at the supplier’s end.
All of these factors can have a long-lasting impact on an organization’s image and reputation, potentially deteriorating customer loyalty and trust. Hence, having a resilient supplier cyber risk management strategy that includes visibility, transparency, clear communication, and collaboration has become non-negotiable for organizations.
The Everest Group risk management matrix
Let’s take a look at the different risk scenarios and their remedial measures below:
Best practices for developing a supplier cyber risk management strategy
Developing a Supply Chain Risk Management (SCRM) program is indispensable for organizations as they become increasingly vulnerable to supply chain attacks.
Currently, the risk management focus in outsourcing is limited to compliance requirements such as the Sarbanes-Oxley Act (SOX), Service Organization Control (SOC) certifications, industry-specific compliances such as Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST), and criminal background verifications.
Other vital factors such as geopolitical and offshoring risks have not yet become key executive priorities. Further, as more companies lean on service providers to drive digitalization and corresponding transformation in their outsourced processes, organizations rarely try to identify potential risks and establish associated mitigation/contingency plans.
Some industry best practices such as ISO/IEC 27036:2013 and the NIST Cybersecurity Framework have been updated to include information security for supplier relationships, highlighting the importance of SCRM in corporate security. In terms of cyber security, this involves:
Defining cyber security requirements and measures that apply to suppliers based on their risk category
Enforcing these requirements via formal agreements (e.g., contracts) to ensure suppliers enter a binding commitment
Verifying and validating communication and access from and to suppliers
Ensuring effective implementation of cyber security requirements
Managing and supervising the above activities periodically
To optimally engage with and manage suppliers, the entire supplier life cycle should be organized into these three phases:
Before and during the contracting phase – Screening suppliers before onboarding is essential for organizations to assess financial, operational, and reputational aspects. Procurement heads need to carry out background checks to ensure suppliers’ compliance status and performance viability. An exhaustive contract with legally binding responsibilities related to cyber security for both the organization and its suppliers should be created. This contract should define fundamental and high-level security requirements and privacy-based controls for supplier relationships at every point in the life cycle
During the ongoing relationship – Once suppliers are onboarded, organizations must track all assets suppliers can gain entry to in a central repository. Customers should categorize suppliers into different risk classes based on how critical the information is to further define appropriate cybersecurity controls. These controls should be continuously evaluated to ensure adherence
After the termination of the relationship – Offboarding a supplier requires disabling its logical and physical access, removing access to any data, and destructing it to ensure the supplier doesn’t hold any sensitive data. This phase also requires ensuring no severity incidents are pending and facilitating proper handoff between suppliers
Prevalence of risk management processes in the supplier life cycle
How common is it for organizations to have established risk management processes in each of the third-party life cycle steps? Our polling results show while most organizations have these safeguards in the first stage, fewer use them in later phases, as illustrated below:
The supply chain for almost any organizational procurement activity can be the target of cyberattacks, either by going after the supply chain or the supplier’s/organization’s systems, once they are integrated.
More complex and sophisticated attacks are often left undiagnosed or unreported, making them potentially more disastrous for enterprises. At different points in the supplier management life cycle, stakeholders across organizations will have the primary responsibility for establishing and maintaining effective supplier cyber security controls.
Vigorous governance is required to ensure relevant stakeholders are responsible at the right time to guarantee optimal and best efforts are made to combat any cyber threats. To complement this governance, a strong collaborative culture across different departments is needed to drive continuous improvement.
Given the meteoritic rise in ransomware attacks during the pandemic and persistent cybersecurity challenges, the need for effective measures to protect sensitive data and IT environments from rising assaults is greater than ever. While zero-trust security architecture offers many potential benefits, adoption of this long-talked-about framework has been slow for various reasons. But with even the White House hitting the gas on zero trust, the timing could be right for more widespread implementation. Read on to learn about how your enterprise can overcome the hurdles and move to zero trust.
Zero trust, a framework for the design and implementation of IT security systems, has been in the market for quite some time now. First coined by Forrester, it gained popularity when Google announced the implementation of the zero-trust network through BeyondCorp after a series of cyber-attacks in 2009. Ever since the National Institute of Standards and Technology (NIST) formalized the approach in late 2020, the computer security approach has become mainstream.
But despite the entire industry being widely familiar with the terminology and underlying principles and architecture, why has enterprise-level adoption lagged when the benefits outweigh the investment? Before we dive deep into the reasons behind this reluctance in the market, let’s explore the core tenets of a zero-trust security approach.
The guiding principle for zero trust is “never trust but always verify” and is built upon the following assertions:
Every part of the network is potentially hostile
Both external and internal threats always exist on the network
Every device, user, and network flow must be authenticated and authorized and should not be trusted by default
Limiting excessive user privileges should be the fundamental motto
Micro perimeters/micro segmentation should be created around critical data, applications, and services
The key tenets of zero-trust security can be summarized as follows:
Why hasn’t zero trust been fully embraced?
Even though security leaders across product vendors as well as analyst firms have been preaching the benefits of a zero-trust security approach across enterprise cybersecurity, adoption hasn’t picked up. Among the key enterprise challenges and the apprehensions by security leaders surrounding its wide-scale adoption are:
Misconception of zero trust as another technology solution: The most common problem that we have seen in enterprise cybersecurity teams is their belief that any new challenge can be best solved by implementing a new technology or solution. The love for a new solution is so strong that enterprise leaders often forget that zero trust is a concept that does not have a single solution. Enterprises are often lured by the marketing gimmicks of product vendors that provide some aspect of zero-trust security through the solution. This results in either lower or no effect of the promises made by the zero-trust security approach
Challenges of network micro segmentation: One of the key aspects of zero-trust security is focused on protecting the networks and the associated recommendations in the network architecture by breaking down the erstwhile monolithic perimeters into micro perimeters to concentrate on granular security controls and access. Given a large number of applications, their dependencies, services, and the users involved, it becomes challenging to implement and maintain micro perimeters. Enterprises with disparate security controls and network products are subsequently unable to provide end-to-end visibility
Complexity in brownfield implementations: There is no doubt that zero trust can be best adopted in greenfield security projects, given the existing IT landscapes are so vast and complex. But a single change can cause great havoc and a ripple effect across the enterprise systems if not implemented correctly. While enterprises are expected to take a step-by-step approach rather than a rip-and-replace approach, many organizations that started this journey were left devastated in their approach to rebuild the network by undertaking a massive one-shot effort. The challenge also comes in integrating existing capabilities with new solutions to implement new capabilities to extend zero trust across the enterprise IT
Myth that zero trust is for on-premises: Enterprises have been grappling with a long-running myth that the entire concept of zero-trust security is centered around the building blocks of enterprise IT if they are located within enterprise distributed control systems (DCS) as most of the existing research talks about not trusting everything within their corporate networks. Also, some enterprises still do not think of cloud security as a shared responsibility model with the hyperscalers and hence do not plan to extend the zero-trust security approach to the cloud, thus leaving their assets on cloud and multi-cloud architectures at risk
Six Key Considerations for Enterprises Moving Ahead in the Zero Trust Journey
Zero trust can offer many benefits beyond improved data protection and greater compliance, including greater visibility across the enterprise, security for the growing remote workforce post-pandemic, and an improved end-user experience.
Here are some recommendations for moving ahead:
Take a step-by-step approach for a long journey: While zero trust adoption can lead to a significant business transformation, framework adoption does not necessarily translate into a radical overhaul of existing cyber capabilities. Enterprises must understand that zero trust needs to be thought of as a journey to implement the strategic changes
Establish the current baseline: Just like other security implementations, understanding what and why is of the utmost importance to see the benefits of following this path. Start by identifying the crown jewels – data and workloads – and create a security policy and control framework. The idea is not to give hackers an opportunity to start an attack
Leverage the existing cybersecurity stack: Reuse the existing investments made for threat detection, identity and access management, network, endpoint, and data security to integrate with the zero-trust security approach. Focus on preventing any cloud misconfigurations and put an end to visibility of data, policy, and communication between apps, infrastructure, network, and other components in the environment
Understand that trust is never guaranteed: Enterprises must understand that trust is not guaranteed by any solution but needs to be verified at policy enforcement points before access is provided
Combine zero trust with the broader digital transformation umbrella: Enterprises can combine zero trust transformation along with their IT digital transformation initiatives (including cloud and data center migration) to extract significant synergies and remove the hurdles of adopting zero trust in brownfield implementations
Embrace the change: The entire journey will only be successful if all the stakeholders in the organization are ready to embrace the new ways of working in a dynamic and adaptive cyber organization with close collaboration between business and technology stakeholders
If the right cybersecurity measures are not implemented, attacks will only become more frequent and successful. Enterprises should put faith in zero trust as a security model that can provide greater protection in today’s high-risk environment.
As enterprises have worked harder to protect their IT systems throughout COVID-19, saboteurs have gotten more aggressive in their attacks, going after a trusted piece of hardware or software and hijacking an entire supply chain. What steps can you take to prevent these full enterprise cyber assaults? Read on to learn more about why IT supply chain attacks are on the rise and how to take action.
The COVID-19 pandemic opened enterprises’ eyes to the need to secure their IT systems from malicious threat actors, cyberattacks, and ransomware. With a renewed vision on hardening security controls and perimeters, applying least privilege access controls, and transitioning to improved threat detection tools and technologies, the usual entry points for bad actors have become non-existent.
But threat actors haven’t gone away. With the easier routes shut down, they are now targeting entry points like third-party software and hardware that are beyond most enterprise’s scope and control.
If enterprises only needed to think about thwarting attacks by looking at the firewalls, endpoint security solutions, and Identity Access Management (IAM), the task would be much easier. But since enterprise systems are interconnected, the extended enterprise needs to be considered – and defended.
Understanding the supply chain attack ecosystem
A supply chain attack is defined as an attack that occurs when an attacker/malicious threat vector infiltrates the system through an outside partner or provider that has access to critical data and systems.
The key supply chain attacks can be classified across these six broad categories based on the nature of their origination in the software/hardware supply chain shown below:
Why are supply chain attacks becoming lucrative?
While supply chain attacks have been prevalent for some time, they have been gaining tremendous traction, especially post-pandemic when vendors lost control and a view of key critical vulnerabilities in their existing products.
Among the key reasons for the prevalence of attacks are:
Economies of scale: It is important to understand that a supply chain attack is not directly targeted towards a particular organization. The goal is to infect source codes and legitimate apps/firmware and gain entry within an enterprise to potentially access all enterprises using it. With one placed intrusion, cybercriminals create a springboard to the network of suppliers’ customers. It is rewarding for attackers to have continuous access to new targets without investing in a new tool until the threat is revealed
Enterprise trust: Improvements in the enterprise security mechanisms have contributed to the increase in supply chain attacks. Enterprises have put strong defense mechanisms in place that cut off the easy routes to infections, thus pushing attackers to find different ways to infiltrate soft targets. Limited security awareness and non-implementation of security best practices have resulted in enterprises blindly trusting their vendors, third-party applications, and open-source codes. Attackers leverage this blind trust to make their way inside enterprises as this offers a path of least resistance
Hard to detect: Most of the supply chain attacks that we have heard of involve adding a backdoor to a legitimate certified software or firmware update that is nearly impossible to detect by existing tools and methodologies. Also, detection at the vendor’s end is difficult as they do not anticipate that the code could be targeted during the development stage. By the time the vendor detects an attack at the end of the cycle and quietly fixes it with their next update, the damage is already done
Best practices to mitigate supply chain attacks
As with other cybersecurity attacks, the old saying, “The broader question now is not about if the organization will get hacked but when it will get hacked,” still holds. As supply chain attacks do not directly infiltrate the enterprise environment, detecting them brings many challenges for enterprises, especially smaller ones with limited awareness and investments.
Here are best practices enterprises can adopt that can potentially mitigate some of these attacks:
Understand the enterprise IT supply chain – The first step for any successful attack mitigation strategy should start with a comprehensive and holistic understanding of the supply chain. It should provide a view of the vendors, open-source projects, IT and cloud services, inventory of all third-party tools and services, and software dependencies hiding inside an organization and their security and licensing issues
Trust no one – Similar to the zero trust principles that urge enterprises not to trust but verify; enterprises should stop blindly trusting their third-party vendors. Enterprises need to understand that the severity and diversity of threats challenging them to apply equally to vendors as well. Any small error on the vendor’s part can be devastating for the enterprise not only in financial drains but also on the reputation and trust of stakeholders
Limit access to sensitive data – Enterprises must have a properly detailed mapping of data being shared with third-party systems, the privileged users, uses of the data, and key security controls. Limiting access to privileged resources, including access to core data, reduces the chances of the impact from attacks originating at the vendor’s end
Ensure vendor assessment and controls – When choosing vendors, enterprises need to conduct a detailed evaluation and due diligence of the existing cybersecurity framework and adjust accordingly what data needs to be shared, with whom, and the communication mechanism. Apart from rigorous assessments, enterprises should implement strong perimeter controls for vendor access such as multi-factor identification and network segmentation, and ensure that the access of data and systems is there until it is required
Focus on development pipeline risks – Developer workstations with rights to create, modify, and commit code have been key targets for attackers. Enterprises need to think about shifting the security left, securing their continuous integration and continuous delivery pipelines, and using Endpoint Detection and Response (EDR) to detect endpoint anomalies. By bringing security into the development lifecycle earlier, developers can detect and fix vulnerabilities, thereby ensuring that security is baked into the product rather than being a bolt-on
Protect from insider threats – Shadow IT has been a key cause of concern for most enterprises. Not only do enterprises lack a view of the unauthorized software and tools used by enterprises, but they also don’t have proper control mechanisms to check the usage. Employees also represent a significant insider threat to security and, as a result, targeted phishing or social engineering campaigns have become widespread. Thus, enterprises need to put in appropriate controls to mitigate the risk from insider threats
Plan your incident response – Taking initiatives to prevent supply chain attacks does not negate the possibility of them occurring. Threat actors can permeate enterprise systems through paths and backdoors that often get unnoticed and undetected, making it necessary for enterprises to also focus on response and remediation. By planning for the worst, enterprises can understand what is happening during a breach, how to engage with suppliers, and work together to mitigate the damage faster
Follow this space for more blogs on cybersecurity. Meanwhile, please feel free to reach out to [email protected] or [email protected] to share your experiences and ask any questions.
The intensity and severity of cyber events has accelerated during the COVID-19 pandemic as more and more people are working remotely and from home. This increasing frequency of cyberattacks has brought volatility to the already spiking claims losses causing many to wonder how enterprises and insurers can manage cyber risks in this new era. Our three-part blog series will explore this as well as initiatives to deal with cyber insurance challenges and what the future may hold for the cyber insurance market and its impact on enterprises.
The global cyber insurance market currently stands at nearly US$7.8 billion and is expected to grow at more than 20 percent CAGR over 2020-25, driven by the increasing number of cyber-attacks, the increasing need for IT compliance and regulations, and massive financial and non-financial losses (such as reputational loss system downtime, reduced efficiency, etc.). McAfee has reported that in 2020 these losses reached nearly US$1 trillion, increasing about 50 percent from 2018. To put this in perspective, the losses account for nearly 16 percent of the global insurance premium volume.
Pandemic forces change
The pandemic has forced enterprises to rapidly shift to a remote/work-from-home format, compelling them to re-think their cybersecurity strategies, reassess their cyber threat exposures, and develop cyber policy plans that can adequately manage any potential threats.
Enterprises are not alone. Insurers have been significantly impacted by the rapid growth of cyber-attacks and burdened with the dramatic increase in claims losses from the policies sold. In 2020, the insurance industry is estimated to have faced more than a 27 percent increase in the number of claims, primarily driven by the increasing intensity of ransomware and phishing attacks, according to a report by insurance company Allianz. As these threats evolve and their severity increases, insurers are constantly facing the challenge of controlling these claims losses.
While the global pandemic has accelerated technology adoption, at the same time, it exposed cyber vulnerabilities and under-preparedness in enterprises, an analysis of the World Economic Forum’s Global Risks Report 2021 found. As the adoption of complex technologies such as AI/ML (artificial intelligence/machine learning) tools, IoT (Internet of Things) devices, and cloud infrastructure has increased, so too has the complexity of cyber-attacks. While cyber-threats such as phishing, ransomware, trojans, and botnets have remained prevalent, risks exist for more evolved and unknown strikes such as industrialized social engineering attacks.
With the growing sophistication of cyber-attacks, the average cost per attack for firms has also gone up. According to a survey conducted by McAfee, 67 percent of the surveyed companies reported that the average cost per attack was more than US$500k. Addressing the threat of cyber risk and plugging these losses is a critical priority for business leaders. However, efforts to back up IT resources and data and set broader cyber response plans have been limited due to a lack of expertise.
Cyber risk measurement and analytics needed
Today, we are observing an increase in demand for cyber risk measurement and analytics capabilities as organizations look for the right cybersecurity talent and technologies to help address these challenges. Insurers are trying to provide enterprises with the right cyber insurance policies to help curb these losses. However, they face their own set of challenges, including the underwriting of cyber insurance policies. A lack of historical data limiting their ability to accurately model risks, drive precision in pricing risks, and create coverage loss limits. Some cyber events go unreported, challenging insurers to get adequate information on cyber-attacks. Without an accurate cyber risk assessment, these policies may be ineffective, exposing insurers to significant losses in a major cyber event.
Another key challenge for insurers while underwriting cyber risk is ‘accumulation risk.’ While dealing with cyber risk, insurers must be aware of the increasing interconnectedness within networks that lead to dependent vulnerabilities of the commonly used systems that may translate into an untargeted spread of the attack to the adjacent networks. This adds a layer of complexity to underwriting, taking into consideration an unplanned impact on a larger number of clients.
Mounting claim losses raises concern
Growing claims losses due to increasing frequency and severity of attacks is another key concern for insurers. In mid-2020, an American GPS and fitness tracking company was a victim of a ransomware attack where a demand was made for US$10 million to get its systems back online. Similarly, in other cases companies have faced large monetary and non-monetary losses that translated into an increasing loss ratio for insurers. In the US, the average loss ratio for the top 20 insurers (who offer standalone cyber insurance policies) by Direct Written Premium in 2019 increased to 48.2 percent from 34.5 percent the prior year, according to a report on the US cybersecurity insurance market. For 2020, these loss ratios are expected to shoot up dramatically, given that the industry has already started calling 2020 a loss-making year for cyber coverages.
Managing cybersecurity risk is all about anticipating loss and building a sound strategy and plan to both prevent and quickly respond to threats by taking these actions:
Enterprises must beef up cybersecurity capabilities and invest in the right set of technology and talent levers to bolster cyber risk assessment capabilities
Insurers must identify the full set of dependencies to assess the complete severity of the attack
Failure to embrace cyber risk management could have severe consequences and leave organizations so far behind that they may be unable to catch up. To address these challenges, enterprises and insurers must proactively work together to mitigate cybersecurity risk.
Next in this three-part series is Cyber Insurance Market Dynamics, where we will discuss the measures taken by both enterprises and insurers to address these challenges. While enterprises are investing in Identity and Access Management (IAM) software, endpoint encryption, and other technologies, insurers are putting their money into bolstering underwriting efforts to model cyber risks more accurately.