Cybersecurity insurance market: data points and trends, Q2.2019

New cyberattacks and data breaches make the headlines daily. It is easy to get lost in a deluge of news and ignore the early signals indicating change, especially in adjacent markets. Often on the outskirts of cyber incident announcements is the role of cyber insurance. 

One exciting factor about tracking cyber insurance is that it lives at the intersection of a highly technical market (cybersecurity) and a business-oriented one (insurance). Finding new ways for these two giant worlds to collaborate and make our digital world more secure is a fascinating adventure. 

So here are a few data points which surfaced in Q2,2019 and might suggest where cyber insurance is heading and how one can capitalize on this fast-growing market.   

1. Cyber claims grow faster than cyber policies

The recent AM Best report “Cyber Insurers Are Profitable Today but Wary of Tomorrow’s Risks” provides valuable market share information. More important is the new data points showing that claims growth outpaced policies by 24 percent – total claims grew 39 percent while policies grew 15 percent. This might be the first signal that it is time to be more selective on risks to maintain profitability in the long term.

Everybody agrees that data-driven cyber policies make a lot of sense. The challenge is how to get there at a time where insurance providers still need to grab market share and compete on premiums. It seems like automating the distribution and issuance of cyber policies where it makes sense,  is a good place to start. The insurance process has been traditionally paper-driven and slow and has become a roadblock in the industry’s ability to scale distribution.

Total claims grew 39 percent while policies grew 15 percent

2. Office 365 security misconfigurations are under heightened scrutiny

The U.S. Government issued in May 2019 a security warning for Microsoft Office 365. The report details common Office 365 configuration oversights such as poor control of administrative privileges and enforcement of multi-factor authentication (MFA). This is significant given that Office 365 is adopted broadly across all company sizes and email remains one of the primary attack vectors.  

Assessing Office 365 configuration for security should be a requirement during the cyber insurance application process across all segments. Arceo offers an easy way to automatically include adherence to security best practices as part of our scan capabilities. This is what we refer to as getting an “Inside-out view” of applicants. Contact us for a demo.  

(note that Microsoft took action and now requires service providers to use multi-factor authentication. This is an important step but not sufficient to address all current concerns related to Office 365 security configuration). 

In May, U.S. Government issued a security warning for Office 365

3. Ransomware attacks: notifications have more than doubled  

A Beazley report on ransomware highlights a 105% surge in ransomware attack notifications in Q1, 2019. Ransom payments demanded have also gone up almost twofold with the average at $224,871 for the first three months of 2019 compared to $116,324 for 2018. 

Much needs to be revisited on ransomware and whether to pay or not. Paying hackers is controversial because it almost certainly funds subsequent attacks. Paying also does not guarantee that you will actually get your systems and data back. Another cause for pause is that in one of the most recent cases, insurance covered all but $10,000 of the $460,000 ransom.

4. Awareness: broad repercussions of third-party vendor risks incidents 

An incident disclosure at Quest Diagnostic made the news on June 3rd followed by Labcorp the next day with both pointing to a data breach at their common third party vendor, the collection agency AMCA. Five days later, on June 8th, several class-action lawsuits were filed against the three companies. This story is still unfolding but is a good reminder of incidents commonalities:

  • Third-party vendor security is often the weakest link in a company security strategy.

  • Class action lawsuits follow breach disclosure almost immediately.  

  • Most businesses underestimate the cost of a cyber incident disclosure and recovery. In this case, AMCA filed for bankruptcy less than a month after disclosure citing the “enormous expenses” related to the breach, including the required mailing to notify 7 million breach victims. Cost of notifications and legal pursuit would generally be covered by a cyber insurance policy. 

5. Financial impact of cyberattacks on businesses: a public company is downgraded because of a breach

Historically, the perception has been that cyberattacks do not impact businesses in the long-term, including financial outcomes. One of the many reads on the topic includes this October 2018 summary from the New York Times of why it’s so hard to punish companies for data breaches

In Q2 and for the first time, a public company had its financial outlook downgraded because of a cyberattack. Moody's said it's downgrading the outlook for Equifax from stable to negative, citing ongoing fallout from the company's 2018 data breach.

For smaller, private companies, the pain is more acute. While I’ve always found that the statistic showing that 60% of SMEs going out of business within six months of a breach to be quite aggressive, we pursued our own research on the Advisen Data Loss dataset and validated that SMEs are indeed impacted more significantly than the overall market – 3.4% and 0.05% of revenue respectively. 

6. Regulations: the energy sector tightens NERC-CIP regulations

In a first of its kind, the Federal Energy Regulatory Commission (FERC) introduces tighter incident reporting regulations for high- and medium-impact bulk electric systems (BES) requiring “attempt to compromise” not just compromise be reported.

The new rule (CIP 008-6) also calls for better preparedness in various aspects of incident handling procedures and no longer accepts “paper” response plans. It will take effect in December 2020. 

 Reported compromise attempts represent a new type of incident intelligence that has not been tracked before. If, and when made available publicly, this could radically change the quality of data, and early signals used to process risk predictions. 

New NERC-CIP regulation will require “Attempt to compromise” to be reported.

In this first edition of our quarterly summary, I most likely missed many interesting data points, so feel free to share your additional findings.