Cyber Insurance Isn't Enough?
Stepping in to address the consequences of poor InfoSec strategy and performance, insurance groups have seized the opportunity to offer cyber liability insurance. As businesses host critical data in off premises clouds, the industry has seen 20% growth every year. The multi-billion dollar cyber liability industry, valued at $7.8B in 2020 is predicted to reach $20.4B in value by 2025. This is largely in part due to the increasing frequency of ransomware and data breaches affecting organizations with easily exploitable security methods.
Despite growth, several factors have caused some insurers to pull out of the market, including but not limited to: a general inability to accurately assess threat volatility, a dwindling pool of capital to fund losses, systemic risk potential which could affect multiple policyholders simultaneously, and a loss environment caused by substantial ransomware payouts – a confluence of events affecting profitability. What could be more frightening to insurers than poor predictive ability? The bad actors who get access to their databases, focusing their attention on specific businesses carrying the largest cyber insurance policies, increasing the value and likelihood of payouts after gaining access. As the digital landscape undergoes rapid changes, predators evolve new weapons and hunting tactics. In response, global InfoSec strategy must grow a thicker hide. Data and business execution must be treated with utmost security across all business verticals.
The consequences of insufficient security vision, relaxing posture, can lead to debilitating events the scope of which could greatly outstrip a liability policy. No insurer can provide coverage for: a loss of reputation within the industry, the intangible loss of consumer confidence and their data, or viability after an IP leak — there are catastrophic downsides to weak InfoSec strategy. Evolving risk vectors demand agile and innovative change; with thoughtful and thorough cybersecurity reinforced by solid ethical, financial, and technological vision, the growing sophistication of cyberthreats can be mitigated. This should be untenable given the inadequate coverage offered at the moment by insurers — it is a false sense of security. The best way to truly protect business-critical networks – put them inside of an air gap.
By segmenting, internal servers holding sensitive data separately from external collaboration servers connected to the internet, security compliance audits are much more simply performed. Insurers should be able to generate an easily underwritten policy, because regardless of the scale and value of the IT asset, it is isolated. If there is no threat surface, accounting for risk is simple. Despite this, only some insurers have been able to overcome methodological and informational gaps to assess cyberthreat risk. As a result, some are able to tailor a policy while others still have more rudimentary modeling and pricing structures. As threat modeling methodology becomes more sophisticated, hopefully insurers design premiums to positively reinforce the costs, expertise, and care taken to deploy secure infrastructure. In the future it would not be surprising to see insurers championing on premise private clouds as best practice to secure IT assets.