A survey of 400 global insurers finds the cyber insurance business “isn’t working for insurers, brokers or their customers.” According to the survey report, insurers are raising cyber insurance premiums, reducing coverage limits, and requiring increasingly burdensome technical questionnaires from customers. In the end, over half of the firms surveyed still reported being only “somewhat confident” or “not at all confident” in their underwriting process.
Read the survey: 2022 Cyber Insurance Market Trends Report, sponsored by Panaseer, a vendor of controls monitoring software.
Why is the industry that invented the concept of “risk” in such a state over cyber risk?
The report offers some well-used explanations: “In cybersecurity, the past is not a good predictor of the future, as adversaries are innovating to find new and improved returns on their investment. What makes this especially challenging is that insurers don’t have access to accurate data regarding customers’ assets or security controls. Not only is this critical information not currently collected, it changes daily.”
Now, accurate data on security controls is an important measure of success for security teams – but a controls-focused approach to cyber risk assumes that more and better controls equal less risk; it doesn’t measure risk directly. It doesn’t inform decision makers on either the seller or buyer end of the insurance transaction about risk in the financial terms of cost vs. benefit that they require. Remember, it’s the CFO who makes the decision to buy cyber insurance, not the security team.
Increasingly, insurance buyers and sellers are making those decisions informed by quantitative risk analysis of loss exposure in dollar terms using FAIR™ (Factor Analysis of Information Risk), the international standard for cyber risk quantification. RiskLens enables organizations to run FAIR analysis themselves on a SaaS platform or with a managed service, RiskLens Pro.
RiskLens has solved for the old objection that “the past is not a good predictor” because you can’t get “accurate data.” Our data science team has developed industry-specific data based on authoritative sources for frequency and cost of cyber loss events that can be augmented with a client’s internal information to yield highly accurate data for FAIR analysis.
RiskLens analysis for an insurance decision
FAIR quantitative risk analysis on the RiskLens platform quickly shows an organization’s top risks for loss exposure and identifies the key components of loss exposure, two critical types of information for insurance purchase decisions. The platform also offers multiple ways to aggregate reporting on loss exposure, for instance, to make the case to an insurer that the organization is a good risk.
The study found that 95% of the US-based insurance companies surveyed “believe it’s important for the industry to develop a consistent approach to analyzing a customer's cyber risk.” The study authors predict that insurance companies will begin to demand more data from clients and that insurance buyers will cooperate in exchange for lower premiums.
“If the industry can seize this opportunity for a data-driven approach to security and risk assessment, it can overcome many of the challenges it faces today and enable organizations to get the coverage they need,” the study concludes. Risk assessment with quantitative cyber risk analysis based on an accepted standard, FAIR, is the opportunity the cyber insurance marketplace is looking for.