Cyber insurers have a significant role in helping to improve cyber resilience for organisations across the global economy, argues a new report by the World Economic Forum (WEF).
In a new blog, titled “How Cyber Insurers can Raise the game in Cyber Resilience”, WEF argues that organisations need to adopt a “digital flak jacket” to become more resilient to cybersecurity.
The blog goes on to argue that, given the significant demand for cyber insurance, cyber insurers are uniquely positioned to use their influence to improve cyber resilience standards as part of a risk management overhaul, as organisations grapple with these new and powerful risks.
Yet, insurers are held back by a lack of a standardised cyber framework focused on measuring and improving cyber resilience.
So, the report argues that cyber insurers can help achieve this in three key ways:
Collaboration and Shared Intelligence
Monitoring and Quality Assurance.
In the last few years, the top 20 cyber insurers have all posted record high loss ratios due to a large proliferation of cyberattacks, which spiked during the COVID-19 pandemic. So, as WEF points out, cyber insurers are financially invested in mitigating society’s cyber risk across all industries, with their balance sheet “intrinsically linked” to the cybersecurity success of all firms.
Therefore, cyber insurers need to start collaborating with governments, regulators and organisations to improve and prioritise actions based on current exposures.
A key way to achieve this is through shared intelligence, as many providers have access to data on their clients’ security incidents, breaches and claims, many of which have not been made public. The authors of the blog argue that providers could inform regulators and cybersecurity advisors of more proactive practices and responses, thus building up cyber resilience.
This is already occurring in some capacity, with Indicators of Compromise (IoCs) routinely shared among ISACs (Information Sharing and Analysis Centres) in the US, Europe and Asia, to help aid the collective resilience of industries and sectors such as oil and gas, financial services or retail/hospitality.
Providers typically perform an assessment of an organisation’s security posture to define premiums and contracts, which, as we have noted, gives them access to confidential internal cyber information.
Yet, as the authors of the WEF blog argue, there is no reason why cyber insurers cannot define improvement objectives to help incentivise positive security actions that help minimise the risk of future cyber-attacks.
In this scenario, clients have an incentive to improve their cyber resilience or face paying a large premium.
Many insurers have already adopted this approach before offering coverage. For example, AIG have implemented 25 detailed questions on a client’s security measures in order to judge whether to provide coverage or not.
Finally, cyber insurers should adopt a more continuous underwriting approach to cyber risk and adopt tools such as security ratings in order to regularly monitor a client’s risk posture.
Using this approach, cyber insurers can be more preventative in taking steps to reduce risk and can be more proactive in helping their clients build cyber resilience, thus improving the client-insured relationship.
Furthermore, the authors suggest that aggregating and anonymising the analytics of claims data could help to highlight any strong correlations between indicators, patterns and emerging trends, all of which can be fed into premium negotiations with the client too.
Through a data-driven approach, cyber insurers will be able to help their insureds improve their controls and improve their cybersecurity risk ratings and resilience in today’s connected world.