The U.S. cyber insurance market is at a standoff. As coverage demand continues to accelerate into early 2022, coverage supply has put on the brakes. On the demand side are organizations of all sizes, across all industry classes. They are looking to make an initial coverage purchase, increase their existing coverage or simply renew within budget.
Author: Greg Tomchick, CEO, C|CISO
As the world continues to digitally transform, the frequency, severity and sophistication of cyber incidents are increasing along with the dependency on technologies to operate. Vulnerabilities and exposures are multiplying due to greater interconnectivity, creating systemic risks that are vast, growing and not easy to detect or control. Combining these systemic risk dimensions with potentially severe and widespread consequences creates the possibility for a cyber catastrophe.
Similar to pandemics, cyber incidents can cause losses that are not limited by time or geography. This is no longer theoretical: cyber criminals have already demonstrated their ability to disrupt supply chains for businesses around the world and cripple critical infrastructure, as with the recent attack that resulted in Colonial Pipeline shutting down its lines supplying fuel to the east coast of the U.S. With recent cyber incidents causing billions of dollars in economic losses, it’s not difficult to imagine a catastrophic attack that could test the balance sheet capacity of the insurance industry. Unlike previous sudden catastrophe events, we are witnessing the continuous escalation of cyber risks. This advance notice provides an opportunity to build cyber defenses and economic safeguards before a catastrophe occurs.
A More Risk Informed Path Forward
Despite organizations being more aware of cyber risk and its consequences, cyber incidents and threats are only increasing and evolving. While cyber insurance is clearly playing an increasingly important role in managing cyber exposure for organizations, the ability of insurers to absorb the total loss potential over the long term is less certain.
The increase in both frequency and severity of cyber incidents is causing insurers to reevaluate their pricing and terms and conditions. Providing a stable market for cyber insurance while accounting for the potential scale of catastrophic risk will require new solutions, both through measures such as a partnership with the government and within the product offerings of individual insurers. For the insurance industry, the challenge becomes how to craft policies that offer coverage certainty, provide meaningful protection, and help manage both attritional and catastrophic cyber events for clients and insurers.
With cyber exposures continually increasing, either through the nature of operations and IT environments, failure of common infrastructure, or bad actors exploiting vulnerabilities, it’s more critical than ever for organizations to improve preparations for a potential cyber catastrophe. A great place to start is:
- Understanding the specific exposures each organization may face through the lens of the potential catastrophic cyber events outlined,
- Identifying and socializing potential risk mitigating actions, and
- Then committing necessary resources to improving cyber defenses and resilience.
Next Steps and Closing
With growing leadership recognition of relevant supply chain risks, shared IT vendors represent a significant systemic risk to organizations. Extensive due diligence should be conducted on these vendors, and redundancy and resiliency should be built around them, in addition to examining the indemnity language in contracts to assess how risk is being transferred.
Organizations should also take full advantage of the expertise offered by their insurance broker or agent and their cyber insurance carrier. While IT, risk management, and business continuity teams may have confidence in their cyber protection and incident response measures, no organization can ever be fully protected from all potential cyber incidents, especially widespread, catastrophic ones.
Many insurance carriers and advisory partners offer a range of pre-incident services to help organizations improve their cybersecurity posture, such as incident readiness assessments, security effectiveness benchmarking, network vulnerability testing, and common attack simulations.
Organizations also should be prepared to respond when a cyber incident occurs. An insurer’s incident response team of experts can help contain the damage from such events and help restore an organization to full operations as soon as possible. These services could make the difference between merely surviving a major cyber event and moving forward with confidence.
We hope this ValorInsight has provided you with the information you need regarding the cyber insurance landscape as we continue through 2022.
We are passionate about ensuring our partners have appropriate coverage in place. Request a meeting with our team if you have any questions.