In insurance, a hard market is when the capacity of insurance decreases along with a rise in premiums. As anyone that has tried to purchase or renew cyber insurance in 2022 knows, cyber insurance has gone from hard, to brittle, to the point of breaking.

Cyber Insurance Supply Side Contraction

The combined ratio for the cyber market accelerated in just three short years from barely over 60 percent in 2017 to just shy of 100 percent in 2020—meaning insurers are in danger of failing to turn an underwriting profit on what had three years prior been an exceedingly profitable product.

In response, insurers have been hiking premiums and cherry-picking customers with mature enough cyber defenses to practically eliminate cyber claims and stem the bleeding before cyber ceases to be profitable. Some insurers have simply exited the cyber insurance market entirely, while others are decreasing coverage, imposing sublimits, and lowering overall limits entirely. Meanwhile, premiums continue to increase with average increases at 25 percent year-over-year—and some customers’ premium hikes doubling or even tripling over previous years.

Many underwriters have insufficient experience to properly rate and understand the nuance of cybersecurity “in the wild,” causing significant confusion for both insurer and insured. It’s unclear when they will, due to the rapidly changing nature of cyber insurance compared to traditional property and casualty coverage. In cyber, there are no decades of loss data and tried and true predictive models that can be used to establish profitable bases for underwriting. If loss-based models are created, they may likely be worthless in a few years as threats evolve and threat actors change tactics.

Underwriting applications can also be far too rigid, with traditional insurers relying on paper and PDF applications with blanket questions about a potential customer’s cyber risk. This utilizes the same approach as if the underwriter were evaluating a building's potential risk of hail damage to a roof.

An example of one of these blanket questions is the all-too familiar “Do all your accounts have Multi-Factor Authentication (MFA)?” This leaves no room for nuance or explanation, such as in the case of legacy or service accounts where a customer may use other defense in depth protections. Customers that select “No” to a single critical question are denied coverage, while customers that select “Yes” better be certain that their answer was true and honest without any nuance or room for interpretation.

Finally, there is the growing risk that the existence of cyber insurance itself is adding fuel to the fire of ransomware by incentivizing threat actors to continue to attack bigger targets with higher insurance coverage, knowing that the target will simply have their insurer payout. This threat, an extension of the moral hazard principle of insurance—where an insured is less cautious because they “bought the insurance”—is decreasing the online safety for everyone because of the increased profitability of cybercrime. The trend undoubtedly has led to the carving out of ransomware clauses or diminishing limits for ransomware payouts in an effort by insurers to stem the bleeding.

Several newer entrants into the market, however, are starting to evaluate cyber risk in a way that cybersecurity professionals know would be more reliable: by using vulnerability scans, penetration tests, and real-world, actionable data to evaluate real-time risk. If insurance is all about using data to predict risk, then cyber professionals know that this can’t be properly evaluated using a form with simple checkboxes instead of real-time vulnerability scanning and threat intelligence. The future will be in cyber insurers that utilize cybersecurity tools to acquire data to predict risk, tied to risk mitigation tools that protect the customer in the first place.

Claims and Risk Mitigation

The biggest pitfall on the claims side is customer perception of the process and result. A cyber insurance claim is not the same thing as an incident response plan, though every incident response plan should consider the claims process because they need to occur in tandem. 

Cyber insurance is more focused on what happened, rather than what is happening or will happen. This contrasts with an insured’s need to recover systems and mitigate active breaches, to say nothing of preventing future attacks. In fact, the cyber claims process is designed around third-party liability, arguably the bigger cost for the insurer, with first-party damages taking a backseat.

In addition, insurers are increasingly re-evaluating their Acts of War clauses and how these relate to foreign threat actors. The 2017 NotPetya ransomware resulted in two different claim denials based on these clauses, with the resulting lawsuits only just now being decided by the courts. Earlier this year, in Merck v. Ace, et al, the New Jersey court ruled in favor of the insured, saying that the Acts of War clause did not apply, while the Illinois case Mondelez v. Zurich case remains pending.

While the above cases dealt with customers, just this past August Lloyd’s of London required its insurers to exempt coverage for nation-state based cyberattacks in future policy language. This signal to the industry indicates that the pendulum may shift back towards favoring the insurer [6]. In a few years, these new exemptions could be a serious vulnerability for cyber insurance customers because nation-state threat actors continue to escalate their cyber activities.

Finally, in a nod to the rigid PDF coverage applications above, Travelers filed suit against Illinois-based International Control Services (ICS) requesting the court rescind its insurance policy this past July. ICS had indicated on its insurance application that it used MFA for administrative or privileged access. After ICS’ May ransomware event, Travelers’ investigation revealed that several critical systems were not protected by MFA and said the application answer was a material misrepresentation. This case, the first of its kind, could further shake the insurance world by leaving more customers uninsured.

What Should You Do?

Cyber insurance remains a valuable tool for cyber risk managers, but it cannot be the only tool. Purchasing cyber insurance is fraught with claim denials, problems with applications, and skyrocketing costs. Newer insurers are entering the market that provide better tools to assess risk, coupled with better risk management tools, and are thus more likely to survive the continually hardening market while shifting us all to a better product in the next 10 years.

In the meantime, customers must face the choice they are given: invest larger amounts in harder to get coverage, or use at least some of those funds to better protect themselves from attacks in the first place. Cyber insurance is a supplement to good cyber defense and hygiene, but a very poor alternative.

Kevin Sesock, CISSP, is chief information officer of the Oklahoma Municipal Assurance Group, Oklahoma’s premier municipal insurance risk pool for property insurance, general liability insurance, automotive insurance, and workers compensation. Sesock has more than 21 years in specialized information technology fields, including cybersecurity, development, data warehousing, IT audits, and quality assurance.