Cybersecurity in a rapidly evolving world
It is a rapidly evolving world and one in which there is heightened risk to corporate security, particularly cybersecurity. Cyber attacks are becoming increasingly sophisticated, ransoms are becoming more costly and, according to a recent Harvard Business Review article, there is an additional issue: as companies look to cyber insurance as insulation from these risks, there may not be enough money in the emerging sector to cover business needs.
2020 brought a reckoning of sorts for the industry. It was a new era, fraught with cyberattacks that hit a fever pitch just as the world was turning with increasing urgency to functioning in a cyber landscape.
“Although there have been decades of viruses, breaches, and other forms of attack, last year saw increased bad actor sophistication, a propensity to pay in ransomware cases, and a broad swath of geopolitical uncertainty — conditions that hackers have found favorable,” according to the article.
The result was that ransoms hit five figures, with $10 million reportedly relinquished by Garmin. Some ransoms started significantly higher before skillful negotiation.
“All of which is further escalation of a worrisome trend: A recent report by Hiscox shows insured cyber losses of $1.8 billion in 2019, up an eye-popping 50% year over year,” according to the article.
C-suites have been turning to cyber insurance, out of fear of significant financial fallout from an attack. As insurers issue more policies, the protection amounts available are also increasing, with the global insurance community seeing the first cyber insurance program to exceed $1 billion.
Yet is that momentum ending?
It seems to have plateaued. Budgets shrank with the pandemic and cybersecurity insurance is currently not being viewed as a necessity, despite the prevalence of attacks.
However, if attacks increase and demand is stimulated, this could generate an issue with supply, making insurers wary of providing cover and “reinsurers (who provide insurance for insurance providers) less interested in backing cyber liabilities.”
An added layer of unpredictability is the sector’s short history and resulting lack of historical data to help insurers/reinsurers assess risk.
Still, as Tom Johansmeyer notes in his article, this can all be boiled down to one solid point: there is not enough money in cyber insurance. The sector remains delicate in its infancy, particularly in light of losses, threat volatility and a “nascent commitment that could be reduced or withdrawn by insurers in the space.”
Cybersecurity is an evolving sector and with that comes its own set of challenges which could leave major and mid-sized companies vulnerable.
A wave of attacks could make the insurance industry a little more leery of insuring in the cyber world and this could, in turn, limit threat mitigation for boards and C-suites.
According to Johansmeyer, the best approach for companies interested in cyber insurance is to plan, particularly since claims are increasing and the historical data needed to develop analytics of the kind customary in more mature sectors of business is lacking.
He explained a solid approach: to “build up a sufficient amount of cyber insurance, early purchases of smaller amounts with increases over time can help prime the market to grow with the needs of the companies it supports.”
This will help the market grow, while also helping companies mitigate risk, but they should also be focused on other ways to cover potential exposure, “including self-insurance mechanisms that range from simply carrying additional capital to address future cyber attacks through the creation of specific risk-financing activities that function like insurers.”