Is It Time for an Industry-Wide Cyber Insurance Standard?

As organizations struggle with the rising threat of cyber attacks and data breaches, the cyber insurance market has skyrocketed. But with significant payouts being made regularly, many insurers are reluctant to continue offering comprehensive cyber insurance coverage.

A report by the credit rating firm Fitch Ratings found that the cyber insurance market grew by 74% last year, with more than $4.8 billion being paid out.

These funds are used to cover the costs of the immediate disruption caused by a security incident and the ongoing efforts to restore systems and meet regulatory requirements. This can add up to $4.35 million on average, according to IBM’s Cost of a Data Breach study.

Given these astronomical sums, it’s clear why organizations are eager to purchase a cyber insurance policy: the average premium, which AdvisorSmith estimates at $1,589, is a fraction of those costs. By that same token, you can see why insurance providers are worried.

The problem is compounded by the increasing volume of cyber attacks, which means claims are being paid out more often.

Moreover, the cost of each incident is growing rapidly too, thanks in part to the uptick in ransomware.

A Palo Alto Networks report found that the average ransom demand rose 144% last year to $2.2 million, while the average payment increased 78% to $541,010.

Meanwhile, the threat of nation-state cyber attacks has added to insurers’ uncertainty. Lloyd’s of London recently confirmed that it will no longer cover losses resulting from certain nation-state attacks or acts of war.

In a memo to the organization’s insurance syndicates last month, Underwriting Director Tony Chaudhry said that such policies could “expose the market to systemic risks that syndicates could struggle to manage.”

He highlighted the particular risk posed by government-backed hackers, whose attacks are usually for political gain.

It follows a spate of nation-state attacks amid the war in Ukraine, with Russian hackers disrupting Ukrainian networks and systems to support ground operations.

The only way to reverse the upward trajectory of cyber attacks and associated costs is for organizations to invest more heavily in defenses. However, doing so reduces their risk and therefore makes cyber insurance a less enticing purchase.

So what should the next step be for the cyber insurance industry? According to Presidio CISO Dave Trader, we need an industry-wide cyber insurance standard.

How a cyber insurance standard would work

Writing in Security Magazine, Trader said that an industry-wide cyber insurance standard would create a baseline of cybersecurity that organizations must adopt to be eligible for cyber insurance.

“As the cyber insurance industry continues to evolve, an industry-standard framework will serve as a critical guiding light for companies and insurance providers,” he wrote.

“It provides clear guidelines of what companies need to do to be insured and serves as a checklist for insurance providers to evaluate potential customers.”

Trader proposed that the NIST (National Institute of Standards and Technology) Cybersecurity Framework could be the baseline used for cyber insurance.

The voluntary framework is primarily designed to help critical infrastructure organizations manage cybersecurity risk, and is based on existing standards, guidelines, and practices.

Trader notes that it’s more easily attainable than other complex frameworks, and that by using it as an industry standard, “those who need insurance can get it or take the steps required to get it without sacrificing the necessary safeguards to interact in today’s cyber environment.”

He added: “Having a requirement for cyber insurance will also force complacent companies to act. Even in today’s environment of constant attacks, some organizations refuse to make the necessary investments to protect themselves.

“Mandating cyber insurance will require these organizations to at least have a solid baseline of security controls to improve overall cyber hygiene. These late adopters represent sustained risk which affects the verticals and taxonomies they represent.”

Will this actually happen?

Whether you believe that an industry-wide cyber insurance standard is a positive thing or not, it’s unlikely that we will see it any time soon. The U.S. government has been reluctant to regulate cybersecurity at the federal level, and less sweeping proposals than this have already been rejected.

However, Trader’s comments do demonstrate the value of the NIST Cybersecurity Framework. Although it’s designed for critical infrastructure firms, it is flexible enough to be adopted by organizations in a variety of sectors.

Another benefit of the framework is that it is a living document, recognizing that continual improvement is necessary to adapt to changing industry needs.

You can learn more by reading Implementing Cybersecurity – The case for the NIST CSF.

This free guide describes the main components of the framework and how they fit together.

It also explains how the framework can strengthen your organization’s security measures and help you comply with U.S. and international cybersecurity laws.