Stabilize Global Cyber Risk
Threatonomics

Cyber Resilience Must Do More

A New Approach to Cyber Insurance

by Laura Hiserodt , Staff Writer
Published

A Cyber Resilience approach is needed to manage and transfer cyber risk.

The disconnect between transferring risk through insurance and mitigating risk through security is causing the cyber insurance industry to experience significant price swings. After years of severe loss ratios at 60%-80%, insurers increased premiums by 94% from 2019 to 2022. In 2023, prices have dropped dramatically despite continued strong cybercrime trends from ransomware actors.

This whiplash makes planning for insurance incredibly difficult for organizations and hurts cyber insurance as a risk transfer tool. At Resilience, we’re taking a new approach to cyber insurance. Our policies work in conjunction with enhanced cybersecurity visibility, connecting our pricing and coverage to our clients’ unique risk profiles. This approach prioritizes aligning the risk transfer process with the organization’s overall risk management strategy and has helped us achieve loss ratios that are less than 1/3rd of the industry average in 2022.

The Insurance Problem

The cyber insurance industry needs more historical data and is overwhelmed by brilliant threat actors who are constantly changing the threat landscape. This has made it an incredible challenge to predict risk, leading to volatility in the cost of incidents. In 2020, ransomware alone cost $416 million. By 2021, it had more than tripled to $1.2 billion. This exponential growth has put immense pressure on cyber insurers to improve their loss ratios and increase their profitability.

The success of cyber insurance relies on data provided by cyber security, and risk mitigation relies on risk transfer to fill in any gaps. However, cybersecurity is losing faith in insurance solutions due to its disconnect from the more technical aspects of cyber risk. The insurance industry largely operates on status-quo benchmarking and fails to recognize the unique risks of organizations, leading to coverage and pricing that does not adequately address the right risks for each company.

A deeper approach has become necessary as cyber risks grow in complexity. Cyber risk modeling is a relatively new field that allows insurers to quantify their clients’ risk exposure. However, for traditional insurers who do not collect client data to feed these models, this can be just as ineffective as benchmarking. “Modeling cyber risk based on enhanced data visibility allows us to really understand which threats matter most,” said Davis Hake, Co-Founder at Resilience. “Our data tells our clients how much loss their organization can handle through their coverage and reserves while sharing prioritized security recommendations to help their organization handle a breach without experiencing business interruption.”

Dynamic Coverage

At Resilience, our access to our proprietary data models helps us offer coverage that addresses specific facets of our clients’ cyber risk. The work we do when underwriting policies is based on enhanced cybersecurity visibility from our expert assessments and analysis. These assessments consider the specific risk mitigation solutions that our clients have implemented to strengthen their risk posture. Referencing these controls on the front end and throughout our client’s policy periods allows our policies to respond to changes in the client’s risk profile. As our clients improve their controls and overall cyber hygiene, our underwriters continuously reference this data to offer coverage that aligns with their changing environment.

Most cyber insurance policies are issued after a one-time consultation with a risk manager, with questions answered by a security director and pricing based on industry benchmarking. Resilience takes a continuous approach to underwriting to adjust coverage based on improvements in the client’s security infrastructure. This process requires a partnership approach between our experts across insurance underwriting, claims, cybersecurity, risk quantification, etc. Our teams of experts are available to offer incident response support, connections for consultations around notification requirements, and 24/7 claims expertise to help our clients recover from an incident without impacting their ability to deliver value.

Through this partnership approach, we have seen dramatic results; out of our client base that opted into Resilience’s risk management solution with continuous engagement from our security team, none of the ransomware victims elected to pay any extortion in 2022. By providing this cross-departmental expertise, Resilience understands our clients’ risk profiles better than any traditional cyber insurance provider in the market, providing stability to our clients and a real partnership for managing cyber risk together.

You might also like

Five Predictions on the State of Cyber Claims in 2024

Unravel the complexities of cyber risk with the 2023 Mid-Year Claims Report by Resilience. Dive into our analysis and predictions for the cyber insurance industry in 2024, including the pivotal role of AI and regulatory changes.

Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches to their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the […]

Top Three Trends on Cyber Resilience from The World Economic Forum

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience.  The term has taken on a new importance in 2024 as enterprise […]

Do you Need Human Brains to make AI Useful in Cybersecurity?

As the world advances with data processing and artificial intelligence (AI) capabilities at a mind-boggling pace, we might feel as if humans are becoming obsolete. This is certainly the question of an endless series of articles that have clogged our inboxes since the release of ChatGPT publicly in late 2022. Maybe this development is a […]

Mastering Cyber Resilience

Cyber Resilience 101, 202, and accompanying Cyber Resilience Workshops are designed to teach brokers the fundamentals of proactive cyber risk management

Best of Threatonomics Year-End Review

As 2023 comes to an end, we are looking back on our top five most popular blog posts that helped shape our understanding of what it means to be cyber-resilient. 1. Moneyballing Cyber Resilience  Chief Cyber Resilience Officer Richard Seiersen wrote “Moneyballing Cyber Resilience” as a follow-up to  his first webinar, “Superforecasting.” The book, Moneyball, […]