Senior Security Consultant

Heath Nieddu CISSP, MBA, GSEC

Founder, Monel Security LLC

A Cyber Insurance Discussion

by

This post gathers some of the discussion points, questions, and further resources on the topic of cyber insurance discussed at the 2023 Planet Cyber Security Conference in San Diego on 12/06/2023.

Bottom Line Up Front: The majority of the group felt that despite the challenges, cyber insurance audits were serving as a positive “forcing function” that enabled maturity in the cyber security program. The corporate insurance discussion occurs at a business level and often requires quantification of risk. Participants also highlighted that there was still an issue with different audit formats in different US states, and that the likelihood of giving insurance companies direct access to their environments (e.g. the AWS Cyber Insurance Competency Program) is low.

These references were gathered for the 2023 Planet Cyber Security Conference Round Table discussion on cyber insurance (12/06/2023). The following references were selected from the ABI-INFORM academic database using the search terms “cyber insurance”. These readings are meant to inform cyber security professionals how cyber insurance is impacting risk management, the amount of time spent responding to information requests, and how the cyber security budget is being spent.

Significant Issues:

  1. Risk documentation
  2. Time spent on audits
  3. Budget decisions being influenced by carriers

Interesting Points from Readings

  • In one legal case, the uninsured party sued the broker because of a lapse in coverage. The required paperwork and application were taking so long that the policy lapsed (Rundle, 2023).
  • In January 2023, Merck won a legal case, suing their insurer, which was not paying out on the policy after a NotPetya attack because the insurer claimed that the attack was an act of war, a claim that didn’t hold up.
  • The Insure Cybersecurity Act is making its way through the Senate right now (S 513).
  • Enter AWS: in an attempt to expedite getting insurance, AWS entered an agreement with brokers. Under AWS’s Cyber Insurance Competency Program, brokers can directly access the Security Hub console.

Questions:

Do you know or care if cyber insurance has gotten more costly? Whose budget pays for it?
Do higher security investments ever result in lower premiums?
Do specific aspects of the insurance policy allow you to mark certain risks as “transferred”?
Is it more likely that our response to any given risk is mixed? (A little bit of acceptance, a little bit of mitigation, and a little bit of transfer?)
(Risk marked as “Accepted” with a $$ value equal to the estimated amount beyond insurance)

What is the average amount of time spent on the application process?
Have you ever changed security vendors at the encouragement of your insurer?
Is there a benefit from common data sets being requested?
Claims are apparently sky-rocketing. Have any of you made a claim?
Are there lower payout limits, higher premium costs, or more stringent documentation requests?
Could AWS’s approach be applied to all third-party control validation?

References:

Alloway, T., Jones, S., & Kuchler, H. (2014, January 16). Sales of cyber insurance jump: Data security. Financial Times, 18.

Breg, D. (2023, February 10). Quarterly Cyber Insurance Update: February 2023. Wall Street Journal (Online). https://www.proquest.com/abiglobal/docview/2775101663/citation/37BD2362AF7842EDPQ/46

Breg, D. (2023, August 25). Quarterly Cyber Insurance Update: August 2023. Wall Street Journal (Online). https://www.proquest.com/abiglobal/docview/2857087907/citation/37BD2362AF7842EDPQ/45

Deva, S. (2023). Administrative Pitfalls of Cyber Insurance Policies. Rough Notes, 166(4), 70, 72.

Greenwald, J., & Veysey, S. (2016). LLOYD’S DEVELOPING CYBER INSURANCE STANDARDS: Common data requirements help policy development. Business Insurance, 50(3), n/a.

Leithauser, T. (2023). Bill Seeks to Bring Clarity to Cyber Insurance Market. Cybersecurity Policy Report, 1.

Mastroeni, L., Mazzoccoli, A., & Naldi, M. (2023). Cyber Insurance Premium Setting for Multi-Site Companies under Risk Correlation. Risks, 11(10), 167. https://doi.org/10.3390/risks11100167

Mazzoccoli, A. (2023). Optimal Cyber Security Investment in a Mixed Risk Management Framework: Examining the Role of Cyber Insurance and Expenditure Analysis. Risks, 11(9), 154. https://doi.org/10.3390/risks11090154

Rundle, J. (2023, May 18). Radiology Group Sues Broker Over Lapsed Cyber Insurance Policy; Raleigh company alleges cyber insurance expired without its knowledge on the eve of a hack. Wall Street Journal (Online). https://www.proquest.com/abiglobal/docview/2814989302/citation/37BD2362AF7842EDPQ/1

Rundle, J. (2023, November 29). Amazon Debuts Cyber Insurance Program for Speedy Policy Estimates; AWS customers will be able to receive quotes from cyber insurers within two days, cloud provider says. Wall Street Journal (Online). https://www.proquest.com/abiglobal/docview/2895031164/citation/37BD2362AF7842EDPQ/34

Xiaoying, X., Lee, C., & Eling, M. (2020). Cyber insurance offering and performance: An analysis of the U.S. cyber insurance market. Geneva Papers on Risk & Insurance, 45(4), 690–736. https://doi.org/10.1057/s41288-020-00176-5

Increased cyber threats call for measures: Is cyber insurance the answer? (2022). International Financial Law Review. https://www.proquest.com/abiglobal/docview/2759883967/abstract/37BD2362AF7842EDPQ/3