Making Cyber Risk More Predictable for SMBs
Small and medium businesses (SMBs) are being attacked more and more frequently, and a single significant breach can destroy an SMB. The National Cyber Security Alliance found that “60 percent of small and midsized businesses that are hacked go out of business within six months.” With limited staff and small budgets, SMB security programs are often limited to implementing perimeter protection and anti-phishing training. While beneficial, these steps are inadequate to prevent existential attacks, so SMBs often transfer the risk to cyber insurance.
Of course, cyber insurance vendors have their own challenges. Fitch Ratings, one of the big three credit rating agencies, recently warned that “a higher propensity of cyber incidents, particularly ransomware attacks, are likely to hinder a near-term reversal of claims cost trends.” Translation: insurers will experience pressure on profits driven by the increasing costs of cybersecurity claims, so small and medium businesses should expect the cost of their cyber policies to continue rising.
Cyber Insurance Trends
In the early years of cyber insurance, cyber coverage was simply integrated into existing property and casualty (P&C) policies. As the severity and frequency of cyberattacks have risen, though, the number of “directly written premiums” for cyber policies sold, i.e., policies specifically covering standalone cyber risk, is accelerating much faster than the number of policies that bundle cyber coverage. According to Fitch, “Written premiums for standalone cyber coverage increased by 29% for the year, reflecting growing demand for specific cyber protection and insurers’ interest in reducing ambiguity in coverage relative to cyber risks included in package policies.”
A key parameter in measuring the financial stability of insurers is the “direct loss ratio” that evaluates premiums paid in versus claims paid out. In its infancy, cyber insurance’s low direct loss ratio attracted hundreds of insurers in a “gold rush” to create cyber offerings. In 2020 the direct loss ratio for standalone cyber insurance rose abruptly to 73%, the highest level ever recorded. If costs continue their current upward trend, it may become harder to get cyber coverage, and it will certainly become more expensive. In a report published in early 2021, S&P forecasts that “cyber insurance premiums, which now total about $5 billion annually, will increase 20% to 30% per year on average in the near future.”
Impact on Insurers
SC Magazine neatly summarized the challenge facing insurers and their SMB clients. “The FBI reported that in 2020 because of the pandemic, ransomware attacks skyrocketed 400% over the previous year, with ransom payments moving from thousands to millions of dollars… A single change like this in the threat landscape completely changes the risk equation of any company.”
For years, each cyber insurer has granted policies based on a unique, proprietary risk questionnaire. To put a finer point on it, every breached company claiming cyber damage had successfully answered its insurer’s risk survey. With the rapid rise in claims paid out, “insurers need to spend time and money developing more accurate risk profiles, so they can offer policies that are profitable for them and useful to customers.”
Based on recent conversations with several leading cyber brokers, insurers are going beyond improving their questionnaires and are beginning to decline coverage for companies unable to prove that they have taken basic measures to prevent attacks. Other innovative practices such as adaptive cyber policies are likely to become mainstream. A recent Forbes article says, “As the industry begins to better understand cyber risk, better data will be available surrounding the connection between preventative behavior, such as implementing better security controls, and the behavior’s impact on companies in the case of a cyber event. This could lead to month-by-month premiums or credit mechanisms for add-on services based on a reevaluation of the risk and rewards for positive behavior.”
Advancing the State of the Art
Increasingly severe and frequent cyberattacks combined with greater demands from insurers for better risk mitigation are forcing SMBs to look for innovative technical solutions. Basic perimeter protection like firewalls and endpoint protection like anti-virus must be kept in place, but those measures alone have not prevented the dramatic rise in debilitating ransomware payouts.
Businesses need new technical solutions that provide more direct relief than the current state of the art. Monitoring suspicious network activity is helpful, but it often generates more work than small IT staff can handle. New layers of technology that immediately neutralize threats are needed to bring a new level of resilience and protection to businesses and a manageable level of risk for cyber insurance underwriters.
There’s no silver bullet solution with cybersecurity; a layered defense is the only viable defense.
James Scott, Sr. Fellow
Institute for Critical Infrastructure Technology
Bob Barker is a contributing author to INTRUSION specializing in the insurance space. He is a strategic partnering and cybersecurity strategist. He is the founder of Partnering Source, as well as a co-founder and chief strategy officer at Cybernance Corporation. He also serves as a strategic advisor to innovative technology companies, including Intrusion Inc., a public AI-powered cybersecurity company. He has written extensively for numerous business publications, including Westlaw Journal, Directorship (National Association of Corporate Directors), TexasCEO Magazine (The American CEO), Advisen’s Front Page News, and Information Management, and he has been quoted in The Wall Street Journal and Forbes.