Underwriting Cyber Risk Part 1: Focus on Cyber Hygiene


Cyber risk uncertainty is growing. Despite massive spending worldwide to the tune of $173 billion, cyber attacks keep occurring. Ransomware attacks—a type of cyberattack that encrypts an organization's network or locks users out of their devices and requires a ransom before restoring access—are costing companies 20 days of downtime on average. Within the next few years, nearly half of companies worldwide will experience cyber attacks on their software supply chains. And threats like malware and botnets (such as the recent Emotet re-emergence) are wreaking havoc on companies worldwide.

It comes as no surprise that cyber insurance claims are exploding. As companies worldwide scramble for coverage, insurers are experiencing significant losses and rethinking their underwriting decisions. The result? Stricter underwriting standards, which take longer to evaluate. 

So how do cyber insurers determine which organizations are going to be a risk worth taking? It depends on an organization’s overall cyber hygiene and their ability to effectively respond to new attacks and vulnerabilities. It’s more important than ever to continue underwriting good and opportunistic risks, while not overcorrecting for the high loss ratios the industry is seeing. Insureds need to answer two questions: what is good cyber hygiene and how do you measure it? In this blog, I will tackle the first of these questions. Insurers have to first understand the current cyber insurance landscape and how it impacts cyber hygiene.

The link between ransomware and cyber insurance

Before unpacking cyber hygiene, first consider how ransomware is impacting the cyber insurance landscape. Traditional insurance, such as auto or home insurance, provides coverage for high impact, low frequency events. This type of insurance covers events that likely won’t happen, but could be very costly if they did. Organizations seek insurance coverage for these risks because it’s impractical to mitigate or avoid them. With the explosion of ransomware, companies suddenly experience high impact and high frequency incidents—making cyber insurance more expensive and harder to get, yet more necessary than ever.

Ransomware has been a threat for a long time. In 2016, Bitsight published an article to draw attention to the problem. Since then, ransomware and other similar threats have only continued to explode. Nowadays, attackers use cryptocurrencies to monetize ransomware attacks in a way that makes it easier to get paid and avoid tracking. Plus, the rapid speed of digital transformation in the last few years means that the attack surface has never been bigger for attackers to find areas of weakness.

What does this mean for cyber insurance carriers? They need to maintain the right balance of risk by offering valuable policies that pay claims when covered losses occur, while being careful not to encourage risky behavior with overly broad policy coverage. The underwriter has to determine which organizations are doing enough to prevent frequent claims, and are therefore eligible for the specific coverage they offer.

Most notably, frequent ransomware claims drive a lot of the chaos in the cyber insurance market. Ransomware usually exploits common, known vulnerabilities in insecure services and software. But a strong cybersecurity program will be able to manage vulnerabilities, protect endpoints, and monitor the effectiveness of security controls so that they can be improved over time. From an insurer’s perspective, knowing if a company can effectively perform these functions is a good way to start understanding their cyber hygiene.

What is (good) cyber hygiene?

Cyber hygiene is a set of essential practices and tasks a company uses to keep systems, data, and users secure. Strong cyber hygiene enhances overall cybersecurity through activities like regular assessments, improvements, patching, control implementation, and secure configuration. Regular processes like these give companies insight into whether their security controls work effectively and how to improve them over time. Good cyber hygiene significantly lowers the chance of ransomware and other cyber attacks.

Effective cyber hygiene begins with an understanding of best practices for improving security and reducing risk, such as those identified in the NIST Cybersecurity Framework or another cybersecurity standard or framework. By mapping existing security practices to a framework, security teams can evaluate their current level of cyber hygiene and take steps to improve it. Organizations should continuously monitor their efforts on each of these tasks and alert security teams to lapses in best practices.

Additionally, underwriters should focus on the concept of cyber maturity, not just cyber controls, so that security information can be inferred quickly when underwriting particularly complex organizations. For example, asking an organization to explain their process for identifying and remediating new vulnerabilities provides a slew of insights, and gives the underwriter a sense of how they would handle zero-day vulnerabilities. Asking intelligent questions during the insurance application process guides the understanding of a company’s cyber maturity, and in turn, their cyber hygiene.

Cyber hygiene proves to insurers that an applicant is invested in cybersecurity

Assessing the likelihood of an applicant experiencing a successful ransomware attack begins with understanding their cyber hygiene. And the best applicants know that good cyber hygiene proves to cyber insurers that they are actively invested in their security posture, which makes them better risks to write. Now that we’ve established a baseline for why cyber hygiene is important, the next blog in this series will cover how an insurer can tell whether an organization has good cyber hygiene and which metrics to monitor.