Keeping a lid on cyber insurance costs
Cyber incident insurance is becoming expensive – a lot more expensive. In 2021, jumps in cyber insurance premiums vastly outpaced other sectors: 25.5%, compared to 17.4% for umbrella insurance and an 8.3% average across all premium classes (Council of Insurance Agents & Brokers).
Coverage for cyber incidents is still a relatively young practice, dating back to the 1990s and only starting to cover cyber crime in the early 2000s. Thus, premium growth could be part of normalisation in the market. At least, that assumption would hold up if the cyber market were stable. But it's not, and if companies don't understand why premiums are rising so sharply, they can incur unnecessary costs, explains CyberArk’s David Higgins, Technical Director EMEA: "There are several reasons why cyber insurance premiums are going up rapidly, and I don't expect them to fall any time soon. Risk and exposure are going up for insurance houses and they are passing those costs to customers. But it's not a matter of passing the buck – insurance customers still make many mistakes that prompt the market to protect itself. If companies are more aware of those mistakes, they could reduce their premiums and ensure that cyber insurance is a worthwhile form of risk mitigation."
SA's state of security
As reflected in the latest Allianz Risk Barometer reports, South African companies routinely place cyber incidents as a top risk. That is not just a perception: Accenture identified South Africa as one of the top global targets for cyber criminals, and Interpol's African Cyberthreat Assessment Report 2021 notes that the country attracts the majority of attacks on the continent.
Insurance is a proven lever for business risk mitigation. Balancing premiums with risks is a corporate art, yet the old insurance playbook does not cover the needs of the cyber market. Higgins notes that while the situation has steadily become worse, the past two to three years significantly raised the pressure:
"First, ransomware emerged as a very effective yet simple way to attack companies and extort money, often with few remediation choices. Even paying the ransom to decrypt captured data is no guarantee that you'd get back what's yours. Then remote working added significant threats as employees began operating at large outside of the relative safety of corporate networks. We've seen not only more ransomware attacks as a consequence, which only exacerbates existing issues around social engineering, phishing and malware."
These factors conspire to drive higher premium costs. But greater risk profiles are not the only problem. The highest costs of a cyber attack don't result from reputational damage or lost digital assets. Numerous reports, including IBM's Cost of a Data Breach Report 2021, note that fixing the damage of a breach is by far the most expensive concern.
"Fixing a breach can incur heavy costs," Higgins agrees. "You are likely to bring in new partners and technologies to fix issues, you will need to address and rebuild parts of your cyber infrastructure, you have to account for business downtime, and there are downstream costs such as lawsuits and regulatory fines. If you really take in the cost of a breach, insurance almost seems cheap!"
How to lower insurance costs
Fine, then use insurance. Yet there is no such thing as a blanket cyber insurance product to cover any degree of liability. On the contrary, insurance houses have been turning the screws, expecting companies to demonstrate sufficient diligence and security investments. A household insurer won't cover a burglary if you left your doors open and keys in the locks. Likewise, cyber insurers want to see companies do their utmost to prevent and mitigate cyber attacks.
Here it becomes tricky, Higgins points out: "Cyber security is complicated, requiring many layers to cover a multitude of user accounts and digital assets. Trying to secure everything at the same level is like trying to boil the ocean. It's futile and expensive."
Yet if companies can identify their different levels of cyber risks, they can determine the best coverage for respective assets. A substantial part of that process is to audit and manage user accounts.
"For every staff member a business employs, there are upwards of 30 associated applications and accounts, according to the CyberArk Identity Security Threat Landscape report. Analysing these multiple digital identities will reveal a lot about security posture. Compromising the credentials associated with these digital identities is a prime target for an attacker, so understanding if there are issues such as re-used passwords or access conditions that should be revoked – such as when an employee left – is an important component. How well your user accounts are understood and managed allows you to close common security gaps and helps you decide selectively what needs to be insured and your level of exposure to risk. You can demonstrate your strategy to an insurer and potentially negotiate better premiums."
Cyber insurance premiums are not coming down, and a blanket insurance approach to cyber security is costly and quite likely futile. But the better you can demonstrate a sound risk-based cyber security strategy guided by user account management and analytics, the more you can keep a lid on cyber insurance costs.