Organizations in every industry are experiencing an increase in cyberattacks and breaches. The evidence suggests companies are not investing enough in defense.
Companies and governments are starting to view cyber insurance as the catch-all answer to an incident, potentially to the point of dulling the perceived need to invest in cybersecurity itself, said Kelly Castriotta, senior director, global cyber underwriting executive at Markel Corporation, during a conference presented by the University of Connecticut Insurance Law Center and the University of Minnesota Law School on March 12.
Ultimately, the risk that insurance providers price for underwriting is based on the low-hanging fruit within an organization's security posture. Quantifying an organization's risk appetite, the assessment on which premiums depend, is an imperfect science for providers and customers alike.
Companies are conditioned to throw money into cybersecurity and preparedness after an attack or breach. In response to a cyber incident, 45% of companies increased spending on employee training and crisis management, while another 20% purchased or enhanced their cyber insurance, according to the 2020 Hiscox Cyber Readiness Report. The report is based on survey results from 5,569 business leaders in the U.S., U.K., Spain, the Netherlands, Germany, France, Belgium and Ireland.
There's no clear answer on how much spending is required to improve cyber readiness. Even when risk is calculated, knowing how much to spend is still vague. When evaluating a customer's risk prior to buying cyber insurance, underwriters look at IT "from time to time, but … there's no direct correlation between IT spend and a truly robust cybersecurity environment," said Castriotta.
The Hiscox report identifies respondents as "experts" or "novices" in cybersecurity and readiness. The cyber insurance company said experts spent about $4.2 million on average in the last year, while novices spent about $1.3 million.
Even with that spending, it's still difficult for companies to know which security controls, out of the thousands that are available, best reduce risk. "I just spend what my budget allows for and I spend what my peers do, and I spend what I think is a reasonable thing," said Sasha Romanosky, policy researcher at RAND Corporation, during the conference, referring to companies' decision-making processes.
Companies and insurers try to fill the gaps by using data from information security providers. Insurers and brokers then try to translate data from security and software vendors into risk avoidance and cost containment. As insurance firms improve their ability to assess incidents and devise policies, their customers are better off too, said Romanosky.
"But it also seems to be the case that carriers don't really know what controls are actually most effective," said Romanosky. Insurance customers assume their carriers are well-versed in what incentives companies should prioritize.
"We may all come up with the best ideas and come up with a list of different controls that we think are useful, and we're all probably right," but there's not enough objective evidence to prove what solutions are better than others, according to Romanosky.
The uncertainty is part of the ever-changing threat landscape. Security tools are predictably two steps behind sophisticated attackers, making risk perpetually uncertain. The only questions companies can try to answer when calculating risk include:
- Is the company safer now than it was last year?
- How does the company's risk posture compare to last year?
- Is the risk posture improving or worsening?
"We think if we kind of capture all of this stuff, and mash it together in certain ways, that that will produce some reasonable measure of risk," said Romanosky. The whole process comes down to searching for answers with no guarantee of finding them.
Instead, companies supplement these metrics with other presumed risk indicators, including the list of known vulnerabilities in an environment, how many of them are patched, the scope of encryption, and so on.