Cyber Insurance Trends for Small to Medium Enterprises
Jeffrey Smith | March 22, 2019
Tech-based cyber risk solutions and insurance coverage improvements help agents improve close ratios. Unfortunately, while mainly larger organizations are taking advantage of these tactics, smaller firms are less likely to do so … at their peril.
Almost 6 in 10 small and medium-size enterprises (SMEs)—those organizations with under $250 million annual revenue—don't have any type of cyber insurance. 1 For instance, 65 percent of insured businesses said their coverage is combined with other, noncyber coverage. Only 31 percent have stand-alone coverage. 2 Less than 15 percent of SMEs are confident that currently used cyber defenses can detect and respond to cyber attacks, with two-thirds of SMEs reporting a cyber attack during the last 12 months. Despite aggressive pricing and increasing risk, traditional cyber insurance solutions remain a tough pitch for agents.
Good news for agents is that new players are capitalizing on these market realities with new broker-friendly offerings and market coverage improvements to assist agents to close more deals.
I believe cyber insurance is extremely cost efficient and therefore will outpace actual information security spending. As a security professional, it's odd to find myself saying that compliance might be the only thing that keeps companies from focusing entirely on risk transference, because said simply insurance is cheaper most of the time.
Jeremiah Grossman, hacker and founder of WhiteHat Security and BitDiscovery
Engineered Cyber Insurance Solutions
"Engineered" cyber risk solutions are gaining traction in the expanding market for small- to medium-size risks. These products go beyond traditional risk finance and claims services to include the use of security technology to assess risk and also provide ongoing security services historically affordable only to large enterprises.
Offering insurance alone is generally insufficient for agents to achieve acceptable close rates. Agents tell us that peddling fear, uncertainty, and doubt is of limited use, as most SMEs can't relate to megabreaches such as Target, Anthem, and Home Depot.
In our experience, showing prospects the cyber threats that may be present in their own systems can help close the sale. In one case, using "ethical" hackers, we conducted a noninvasive security assessment that identified outstanding software updates and compromised email credentials for a middle-market technology company. A Chinese hyperlink was found parked on the firm's Web portal. Seeing that, the purchase of cyber insurance suddenly made a lot more financial sense. Seeing is believing.
Limitations of Traditional Market Offerings—Underwriting and Servicing
The current market is a land grab characterized by pricing not supported with actuarially sound loss data. As a result, premiums are generally not reflective of the risk. According to a Rand study, 3 existing rate schedules among insurers vary greatly in the sophistication of formulation of premium rates. Most insurers use a very simple, flat-rate pricing with adjustments based on industry class, revenue, limits, and retention levels. Applications provide insight into levels of existing cyber-security hygiene, but the weights assigned to different technologies are inconsistent among insurers. Further, the report suggests, "in some cases, the carrier would appear to guess. It was not unseen for carriers to examine their competitors in order to define rate. In only a few cases were carriers confident in their own experience to develop pricing models."
The three pillars of information security are prevention, detection, and reaction. Traditional market solutions are terrific response vehicles once a cyber event is reported. Coverage forms and vetted claims service providers offer solid value to SME risk. Unfortunately, the traditional cyber underwriting process does not truly quantify exposures or offer risk-specific recommendations to improve the insured's cyber risk profile.
Additionally, most insurers do not offer practical tools to mitigate risk during the policy period. While all insurers provide access to risk prevention tools via risk portals, these tools most often are available only at an additional price or are of limited risk management value. It is not surprising that insurers report single-digit take-up rates for such services.
We underwrite like an adversary. In minutes we are able to understand what technologies a company uses, whether they are vulnerable to exploitation, what security protocols that company has in place, and even what data has been leaked and is being used and traded in criminal forums.
Joshua Motta, cofounder Coalition Insurance
The New Underwriting Model: Hack Yourself First
The term "engineered" cyber insurance refers to new underwriting and service models arriving on the scene beginning in 2017. In lieu of the traditional underwriting applications and manual processing, these markets use the same techniques hackers employ to assess risk. These tools allow insurers to collect thousands of data points relevant to the risk and make underwriting decisions in seconds. The objective is to get to the bottom of the risk and provide assessment findings to insured's to assist in the prevention of cyber events.
Casing the Joint: Research and Reconnaissance
Contrary to popular media references, criminal hackers do not break into a computer with a few keystrokes. Not unlike burglars, hackers case the target using a set of routine procedures to establish a footprint assessment of vulnerabilities. Each additional step is designed to expand gaps in cyber defenses to implement the hack.
Taking a note from criminal hackers, the new breed of underwriters use nonintrusive tools, such as public research and port scanning, to collect data to evaluate the insured's current risk level. This snapshot offers a metric-based estimate of the likelihood of a cyber event.
Searching Dark Web resources, underwriters can determine if the insured or its employees are subject to past breaches. More likely than not, underwriters find employee credentials compromised by past data breaches such as Equifax or LinkedIn currently available for sale on the Dark Web marketplace. Compromised information can include addresses, employers, job titles, phone numbers, social media profiles, and passwords making it easy for criminal hackers to gain entry into corporate accounts or personal email, as well as access to online banking applications.
One technology tool underwriters now use to evaluate risk is port scanning. A port scanner is a simple software tool to identify ports of entry into a computer network. Many free versions are available on the Web. Computer ports are the doors and windows of a computer that accept and transmit signals into the public domain. The port number identifies what type of port it is. For example, port 25 is used for email communications and port 80 is used for Internet traffic.
The scan sends signals to each port to determine where the network is strong or weak. Underwriting scans also detect operating system and other applications used by the insured and search for known vulnerabilities and outstanding software updates (patches) available to close such security flaws.
Risk Assessment Deliverables
Lack of understanding of exposure is a primary obstacle to selling cyber insurance for agents. Risk assessments, included at no extra cost by tech-based insurers, are valuable tools to assist in closing this information gap. Similar to property insurance engineering reports, the insured is provided a risk report containing actionable information as well as recommendations to remediate heightened risks prior to binding coverage.
Typical findings include unprotected ports of entry, outdated software, and compromised employee credentials. In fact, these assessments often uncovered actual hacks in real time. Security engineers are available to assist the insured to remediate such vulnerabilities prior to binding coverage.
Ongoing Protection
Traditional cyber insurers are hesitant to include ongoing cyber-security tools to supplement existing controls employed by the insured. Cyber security is complex, and traditional insurers do not possess a level of in-house expertise to confidentially package prevention and detection tools with a cyber insurance policy. Many insurers cite a concern for creating a higher standard of care resulting in increased liability as well as the added underwriting expense.
Information security engineers, including former government intelligence, white hat hackers, and leading security software providers lead new tech-based insurers. Tools such as 24/7 network threat monitoring that alerts the insured in real time of breach activity are bundled into these offerings. At least one managing general agent includes a security dashboard for the insured that includes threat monitoring, antiransomware software, denial of service website protection, and credential monitoring. Direct access to security engineers is also included in some offerings. These tools are meant to supplement as opposed to replace existing security technology utilized by the insured and are provided at no additional cost to the insured.
Insurance has a key role to play in managing cyber risk, which requires a shift from traditional snapshot underwriting to a year-round risk management partnership.
Rotem Iram, CEO and founder, At-Bay
Coverage Improvements
As cyber risk evolves, so too must coverage terms. It is difficult to keep up, but the latest developments and new innovative coverages now available in the marketplace offer additional value to insureds.
Cyber Crime
Historically, cyber crime coverage was limited to fraudulent funds transfer and traditional phishing exploits. Typical sublimits for cyber crime coverage ranged from $100,000 to $250,000. Several insurers now offer increased fraudulent funds transfer limits as high as $2.5 million for select risks.
A phishing attack is a type of social engineering attack employed to steal user data, including login credentials and credit card numbers. Attackers masquerade as a trusted entity and dupe victims into opening an email, instant message, or text message. Many insurers now expand phishing coverage to include client phishing, also known as invoice manipulation. Criminals create phony invoices in the name of the insured to trick its clients or vendors to make payment to a fraudulent account. This extension covers the insured's direct loss due to the transfer of payments to unintended parties otherwise intended for the insured.
Computer Hardware (Bricking)
Cyber policies historically excluded coverage for damaged computer hardware. Bricking refers to a loss of use or functionality of hardware (such as servers) as a result of a hacking event. While malicious software may be removed, hardware may still be considered untrustworthy and require replacement. This coverage provides for the cost to replace such affected hardware.
Service Fraud (Cryptojacking)
Cryptocurrency mining, or cryptomining, is a process in which transactions for various forms of cryptocurrency are verified and added to the blockchain digital ledger. The process requires computers to solve complicated math puzzles to win currency and requires an inordinate amount of electricity. Cyber criminals have increasingly turned to cryptomining malware as a way to hijack the processing power of large numbers of computers, smartphones, and other electronic devices to generate revenue from cryptocurrency mining. Service fraud coverage reimburses the insured for direct financial loss resulting in being charged for fraudulent use of electricity and other business services.
Contingent Pollution
One insurer is now offering to include contingent pollution coverage. If a hacker gains access to an industrial control system and triggers a system failure that results in a release of pollutants, the policy will cover the costs to defend the insured from third-party liability.
Summary
At some point in the near future, cyber insurance will be a standard component in a business insurance portfolio for SMEs. While the financial consequences are severe, most SMEs have neither the expertise nor budget to protect their networks and systems from increasingly sophisticated threats. Tech-driven solutions combined with improved policy forms create an easier pitch and better close rates for agents.
Sources
- Tara Seals, "Majority of SMEs Lack Confidence in Security Postures," Infosecurity, April 4, 2017.
- Judy Selby, "Expanding Cyber Insurance Coverages," Judy Selby Consulting, December 17, 2018.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
Footnotes
