In cyber insurance, data from high-profile incidents informs premiums, which can influence what protection measures a company installs. Missing in that cycle: Small companies and the cyberattacks against them that fail to make a splash.
Data from a cybersecurity incident, including attack vector, actor, infrastructure, PPI or regulatory violations, are gathered while data from cyberattacks or breaches targeting small- to medium-sized businesses is less available. Some SMBs cannot provide the level of detail an enterprise can during incident response. And yet, insurance companies spend less time with SMBs evaluating individual risk profiles, weakening a piece of the global cyber economy.
If companies fail to report an incident, they cannot contribute data to further inform insurance risk and premium assessments.
"I just question the data that we're getting from the media or from our claims data, because we're not even sure that even all of our insured … are actually reporting this," excluding those that don't even have cyber insurance, said Kelly Castriotta, senior director, global cyber underwriting executive at Markel Corporation, during a conference presented by the University of Connecticut Insurance Law Center and the University of Minnesota Law School on March 12.
Companies with 12 computers or less, without consistent antivirus application, are more likely to be "super targets," according to the 2020 Hiscox Cyber Readiness survey of more than 5,500 global business leaders. Super targets are organizations that were subject to more than 500 events last year.
To Hiscox, an incident is "any event that does not succeed in compromising the confidentiality, integrity or availability of information;" the insurance company defines breach separately.
Reported numbers were influenced by a subset of smaller companies that were super targets. There is also a chance that some respondents over-counted attacks by including phishing attempts.
Half of enterprises with more than 1,000 employees cited at least one cyber incident last year, according to the Hiscox report. Larger companies are "almost certainly" targeted more frequently but have the defenses to thwart malicious attempts.
Smaller organizations also tend to underreport cyber incidents, contributing to weakened defenses. By overlooking SMBs in some aspects, cyber insurers are creating gaps in the security ecosystem.
Insurance companies rely on an SMB's cybersecurity assessment instead of meeting them, whereas larger companies receive a more "high-touch approach," said Shauhin Talesh, law professor at the University of California Irvine School of Law, during the conference.
Larger organizations usually receive application evaluations and meetings with the client to discuss their cybersecurity profile. "Sometimes sophisticated companies are holding competitions among insurers to allow multiple companies to essentially bid," said Talesh.
Insurers are reliant on the tools and data collected from service providers and previous events to determine risk — especially because of the historic difficulty to gather meaningful information. But the collected data may not tell insurers and policyholders all they need. Data cannot explicitly quantify how much multifactor authentication reduces a premium.
"I wonder if more data is always better and have we kind of created this culture of obsessing over data," said Sasha Romanosky, policy researcher at RAND Corporation, during the conference. "Is it kind of fueled by the cheaper collection and creation of data analysis?"
If companies are using the wrong metrics, organizations could be "causing worse outcomes than before," said Romanosky. But balancing the right data and when to apply is a "struggle" to resolve.
Still, the thirst for information is boundless, with the federal government asking for more involvement. The Cyberspace Solarium Commission (CSC) called on Congress last year to create a Bureau of Cyber Statistics to collect statistical data on cybersecurity to inform policymaking.
Without a standard of reference, private industry and insurers are inhibited from sufficiently pricing, modeling and understanding cyber risk.
"Existing data sets are incomplete and provide only a superficial or cursory understanding of evolving trends in cybersecurity and cyberspace," the CSC said. But the Government Accountability Office is still a couple months away from publishing its report on cyber insurance, a spokesperson told Cybersecurity Dive.
"The problem is, and this is really where the policy discussions that I see anyway, break down because people don't really go and think through the flow of how things actually are," said Romanosky. "All of the cyber insurance, and the benefits that we would all enjoy, are predicated on the notion that carriers know what to incentivize firms in order to implement and I don't think they do."
The push
Companies with greater data storage — or more valuable data like healthcare — pay more in premiums. But in Q4 2020, commercial insurance prices increased 22%, according to data from Marsh. Cyber insurance prices increased by 17%, which is the largest hike since 2015 in the U.S.
The higher prices are expected to fall in 2021, though Marsh said some industries will face difficulty in renewals. Organizations in mining, metals, chemical, energy and manufacturing "continued to see a contraction of capacity, and thus faced a difficult environment."
Industries with outdated technologies need the extra attention from insurance providers. Fifty-nine percent of small transport and distribution firms say they do not have someone managing their cybersecurity, according to Hiscox. If a company doesn't know how often they are targeted it could influence their coverage, just as the tools they use can.
"At least for now, cyber insurers are not significantly improving the cybersecurity posture of most insurance," said Talesh. "Once the insurance is issued, most insurers do not monitor the insured's cyber hygiene," he said. The likely outcome of more in-depth and continuous evaluations is managed security service providers.
Earlier this month, Google Cloud entered an alliance with Allianz Global Corporate and Specialty and Munich Re for cyber insurance offerings with customers. Google calls it the "first-of-its-kind partnership" between a CSP and insurers.
Carries consider pre-breach services clients use. Sometimes those tools provide discounts for companies that adopted "pre-vetted vendors services," said Keith Bergin, business development executive at West Monroe. Bergin was previously an SVP, and cyber liability and technology E&O leader at Marsh. "This is a similar approach to what Google and its insurance partners, Munich Re and Allianz, are doing."
Because the insurance companies are well-versed in Google's services now, Google customers are more attractive insurance clients. It essentially gives providers a look under the hood and "aggressively offer terms and competitive pricing," said Bergin. "Google is doing it right by enlisting two insurance companies to run the program."