Yayuan: Due to the growing demand for cyber insurance, the cyber insurance market is expanding rapidly worldwide. According to AM Best, the average annual growth rate in premium has been 20% in the past four years. Despite the relatively fast growth of the cyber insurance market, only a small portion of cyber loss is covered by insurance. In 2020, global losses from cybercrime are estimated at $945 billion according to McAfee, and global cyber insurance premiums are around $7.8 billion. This means insurance only covered less than 1% of cyber losses in 2020.

An important factor that determines the development of the future cyber insurance market is the insurability of cyber risk. First, cyber risk is increasingly sophisticated and hard to predict. Without sufficient data and good analysis of data, it is hard for insurers to quantify the likelihood of a cyber event and the costs generated from the event. Second, the potential loss from a cyberattack could be extremely high. The recent hack on Colonial Pipeline in the U.S. resulted in a massive gasoline shut-off and a ransom of $4.4 million. An event like this has a terrorism- and war-like character. We know that systemic or catastrophic risk is generally not insurable for private insurers. Third, as of now, there is also a lack of effective tools for insurers to prevent, detect, and evaluate cyber threats, which makes cyber risk hard to manage.

Without a full understanding of cyber risk yet, many insurers set low limits and various exclusions to cap their liability for cyber risk. For example, many insurers do not cover intellectual property theft or damage to physical assets from a cyber incident. In sum, cyber is a challenging risk for insurers and many are still in the stage of defining their own risk appetite.

Victor: Cyber distortion, ransomware, viruses, malicious breaches, stolen data, fraudulent use and access to accounts, phishing attempts, unintentional as well as unauthorized disclosure of data, attack of industrial controls, and the internet of things (IOT) and cloud computing are all growing cyber exposures—just to name a few. The increasing number of first-party and third-party cyber losses has significantly impacted today’s cyber insurance market.

The insurance industry is making two market adjustments to the increasing cyber claims. The availability of coverage—higher limits—is shrinking, and the pricing of coverage is increasing. This is the classic example of a hardening or hard market depending on how you look at the relatively short-term history of the cyber insurance marketplace. The main insurability challenge is the lack of access to coverage and higher insurance premiums on renewals.

David: Cyber insurance is rapidly becoming more expensive and restrictive due to the high-profile cyberattacks and ransomware demands over the last year. Cyber insurance typically covers two things: data and the network. Data is arguably the most valuable asset for an organization and subject to privacy laws. The network computer system is at risk of being breached, damaged, and held for ransom. What started several years ago as kids in the basement extorting a few hundred dollars has evolved into organized crime and state-sponsored cyberattacks requiring payment of millions in bitcoins. The increasingly sophisticated attacks have led to dramatic increases in loss frequency and severity which causes higher premiums.

Cyber insurance is still relatively new, and insurers are still learning how to model the risk and provide effective loss control. It is the fastest-growing line of insurance, and insurers are struggling to keep up with the evolving threats.

Abhishek: I think there will be a time when cyber insurance is purchased for the individual and not just for organizations. Just like we buy auto and property insurance, the time is going to come when we have to buy our own individual cyber insurance.

The reason being the world has shifted toward the digital platform, especially because of the pandemic. A lot of people and organizations are getting equipped with technology, and with this comes many more cyber threats. The market is definitely going upward, and you may see a lot of insurers coming to this field, as well as an exponential rise in cyber insurance that people and organizations are buying.

With other insurance types, like home or auto, it’s relatively straightforward to price. You have a number of factors that you consider, like driving history, make and model of a car, etc. With cyber insurance, there are some factors that are easy to quantify, like how many attacks have happened in the past, how robust is your infrastructure, etc. But one of the things which is still difficult to assess is the financial value of your data. I believe that is the major challenge.

Another challenge is building the risk assessment model. Your model is only as good as the data you use, and with cyberattacks, past historical data may not be adequate to predict the next risk or cyberattack.

The progression of technology and the fast pace of innovation may also be a challenge. Technology continues to penetrate deeper into infrastructures, meaning the chance of cyber risk is increasing as well. And with hardware getting cheaper, more and more small businesses are able to afford these new technologies, which in turn increases the risk of cyberattacks.

Eugene: I think we may see some exclusions or narrowing of circumstances for ransomware coverage.

The biggest problems right now would appear to be:

1. What are the appropriate best practices to measure to assess risk and set appropriate policy rates?
2. How to deal with the moral hazard issue (e.g., clients change configurations out of expected or indulge in riskier behavior because of the insurance).

Unless insurers can get a handle on these issues it is likely they will not be able to offer broad coverage, or they may not be able to stay in the market.

Michael: The real challenge in insuring data is establishing the value of that data. What may be considered priceless to a small business or organization may not really have the same value to an insurance company.

The other issue is that insurance companies are looking to charge fees based on a risk level that they have established by performing some sort of an audit on the property or valuable. The ability and cost of an insurance company to perform an adequate evaluation of a customer’s level of security may far outweigh what the insurance company will receive from the company in annual fees, etc. Once these two variables become too disparate then the value of the insurance policy to the insurance company becomes less and too much of a risk for the insurance company to take on.

Patricia: The insurability challenge for cyber risks stems from the growing frequency and severity of cyberattacks, as well as the evolving nature or “complexity” of the attacks. If insurers cannot accurately estimate the risk of an attack and the likely consequences of an attack, it is difficult to establish terms of coverage, including the price.

Attacks have become more severe and are encouraging businesses to seek coverage but, at the same time, insurers are still developing expertise with little historical data to work from. The good news is that coverage is generally available, though coverage levels are modest, and prices are increasing.

Clifford: The recent Colonial Pipeline cyberattack caught many by surprise in terms of its disruptive impact, but it also underscored the vulnerability of companies and other organizations to these threats. Cyber insurance premiums have risen significantly over time with AM Best reporting that premiums rose by nearly a third in 2020.

With cyber threats expanding and evolving at an increasing pace, insurers are struggling to understand the likelihood and severity of these risks in a manner that enables them to accurately underwrite and price this risk. Consequently, premiums are likely to continue rising and incorporate some uncertainty factor into their pricing.

Phil: It is getting more expensive and the insurance companies are reducing their exposure by requiring more mature cyber readiness programs.

Levent: The challenge with cyber insurance today is a lack of historical data. If you look at car insurance, for example, insurers can build models based on accident reports and an understanding of what characteristics and types of behavior lead to accidents. Based on that, insurers can manage their risks and come up with a premium. So, for example, if you are driving over the speed limit or are driving drunk, then you have a higher probability of getting into an accident. We may not ever be able to get that kind of historical information about cybersecurity.

The lack of historical data is a big challenge to manage the risks that may happen in the future, let alone the technological difficulties, because technologically, everything is constantly evolving. Programs are updating, computers and hardware are changing, and it is a very dynamic environment. Threat factors are changing, and when threat factors are changing, your risk models that you used to use may not work anymore.

So it is difficult for insurers to write policies in a very clear manner because of the lack of information and the risk models that they are using right now. They may not be able to easily write something that’s going to define every possible outcome. And the other thing is they do not know the unknown unknowns, so they are unable to predict future risks.

As a result, insurers are writing policies in a way that, even if something happens, you may not be able to get the coverage that you were expecting. That lack of language in the policies and not understanding the lack of coverage clearly is causing problems in the industry because people don’t understand what they’re covered for.

But these things are evolving. And there are many pending court decisions that will affect how these policies are written in the future. Aother important thing is the standards that we have for privacy issues, for example, GDPR in Europe and CCPA in California. These regulations help insurance companies and also insurance buyers. Because with those standards, you can define things more clearly. We don’t have any federal level regulations yet, unfortunately, but I believe the federal regulations are going to come.

Kevin: Cyber insurance has been a hot topic for nearly 20 years now and has matured to a point where options are now available for small businesses. Some insurers offer riders for existing policies and others offer standalone cyber insurance options. Each carrier varies in what they cover, when, where, and how much.

It is important to understand the details of the insurance to ensure compliance in case of a claim. Ransomware is a great example of a very common and disruptive attack occurring on small businesses. 71 percent of all ransomware attacks are on small businesses. Why? They are easy targets.

Small business owners don’t really understand what a ransomware attack is or what they should do if it occurs. Should I set up a bitcoin account? Should I pay the ransom? Should I contact law enforcement? Insurance can help after the fact, but it is vital the covered business understand reporting timelines, requirements, and other terms of the in-force policy.

Yayuan: Cyberattacks on small businesses can be the same as large businesses, but small companies do not have the same resources to build a strong cybersecurity system as large corporates and are less likely to survive a severe cyberattack.

Especially after large corporates implement a hard-to-break security system, small firms will be more likely to be the target of cybercrime. In this sense, small businesses should be more concerned about cyber risk.

Victor: Cyber insurance is now necessary coverage for any business, regardless of size, that handles data either on a local network or in the cloud. And, without this coverage, most small businesses can’t handle the devastating financial consequences caused by a cyberattack. These costs include legal fees, recovering and restoring data, and the cost of compliance in notifying customers of a data breach.

David: Absolutely, in fact, they should be more concerned. Large businesses have deeper pockets and the ability to pay significant amounts to rebuild a network, recover data, and pay ransom. Smaller businesses have fewer resources and are therefore less likely to recover from a cyberattack or ransomware. Given that small businesses have less security and experience, they are also an easier target.

Abhishek: I believe, yes. In the past year, there has been a significant increase in cyberattacks on smaller organizations, and small businesses may have very valuable data, like private client data, Social Security numbers, etc. It may also be easier for hackers to target the network infrastructure of small businesses.

A reason cyber risk is even more significant for smaller businesses nowadays is the use of Ransomware as a Service (RaaS). With RaaS, anyone can use ransomware tools, borrow it as a service, and go and maliciously attack organizations and profit from the attack.

Eugene: Definitely. Large business usually have more resources to apply to security, and they also may have large resources to weather a problem; smaller companies could be wiped out, especially in the current economy that is hobbled somewhat by COVID issues.

Michael: There are several differences between small businesses and large businesses when it comes to cybersecurity. Those differences relate primarily to whether the business is a private or publicly traded company, what type of business it is/does, and what type of data it will be storing. Additionally, there are several operational attributes that may also affect how the company approaches its cybersecurity strategy, including what type of business they do, such as healthcare, financial, or services that deal with minors or underaged clients.

Similar to other types of crime, each cybercrime has an MO or method of operation (modus operandi) and also has a motivated attacker that has some purpose or desire to target your specific business. This is important to understand because the more attractive your data is to a cyber criminal, the more vulnerable you become, which, in turn, means that you need to take a more aggressive approach to your cybersecurity strategy. As an example of this, imagine that one business does not store/save credit card information and sells greeting cards, and the other business saves all of its customer data, including credit card number, expiration date, and security code, and sells high-end vehicles. The second business is much more vulnerable because it is a more desirable target.

The answer to the question based on the above is that all businesses should be concerned about cybersecurity and in protecting their data; however, companies that operate in a fashion that makes them a more desirable target should have a more aggressive strategy and a stronger security posture than other organizations that may not be as desirable a target to cyber criminals.

Patricia: Potential losses from cyberattacks can be devastating to any size business. Small businesses have more limited resources to direct toward cybersecurity when compared to larger businesses, which can make them an easier target. A large business may be able to absorb the costs associated with a cyberattack, but a small business may want to consider a cyber insurance policy that will help the business stay afloat if it experiences a cyberattack.

Ragib: Small businesses should definitely be concerned about cyber risk. While the media covers large scale attacks on big businesses, there are hundreds of small businesses that are getting attacked. The cybercriminals have figured out that they can extort money from halfway across the world by capturing the cyber resources of businesses. This has become an organized (criminal) business for these criminals. No business—big or small—is immune from being a target of these criminals.

Clifford: Every organization, large or small, should be on guard for cyber risk. Attacks seem oriented toward larger entities for the most part due to potential payoffs from ransom or the sale of stolen personal or corporate information, for example.

Nevertheless, cyber risk vulnerable companies create a path of least resistance for hackers to break into a system at relatively low cost for them. Small businesses are less likely to have the resources to invest in capabilities to mitigate their cyber risk exposure and thus make an easier target for would-be hackers.

Phil: Cyber risk exists for all businesses. A small business may have less “attack surface” but by its nature has often less sophisticated cybersecurity infrastructure. The adversary is looking to minimize the cost to monetize its tools and time. This makes small businesses an ideal target.

In the past several days, a number of critical vulnerabilities have been identified in popular operating systems. Small businesses may not have the staff or time to assess the risk, test the patches, and install on all organizational machines. Adversaries are actively scanning the internet for these vulnerabilities with armies of compromised computers—bots—executing the search.

This is not unique to today, cyber crime has been estimated to have increased 350% (reported by the UN) during the pandemic. This makes all businesses at greater risk and those not prepared to engage in the on-going nature of maintaining currency at greater risk.

Levent: Based on my experience, cybersecurity for everybody. Everybody has to take care of the security issues related to their business or their personal information.

For example, my local dentist is a small business, but they have health care information, which is very private information and requires different ways of providing security to that information. Although they maybe have only 200 people’s information, that data is still important and private, and any disclosure of that information could provide some difficulties for the business and for the customer. That’s why you need to protect your information, and it doesn’t matter whether you are a big company with data on 200 million people or a small business with information on just 200 people.

Kevin: Yes. Small businesses don’t have as much information to protect as large businesses, but any security or privacy issue can be devastating given the reality that small businesses lack the funding or knowledge to thwart attacks.

Further, most small businesses connect to suppliers, banks, partners, etc. The sharing of data puts the entire supply chain at risk. Paying employees electronically can be attacked or compromised. Most small businesses do not have large capital reserves and do their best to keep their doors open and employees paid.

Cyberattacks on all businesses, but particularly small to medium-sized businesses, are becoming more frequent, targeted, and complex. A recent survey entitled Accenture’s Cost of Cybercrime Study reveals that 43 percent of cyberattacks target small businesses, with only 14 percent prepared to defend themselves.

One cyber issue can disrupt business to the point that the small business needs to close its doors. Cybercrime, which includes everything from theft/embezzlement and DDoS attacks to accidental disclosure and hacking, is up 600 percent as a result of the COVID-19 pandemic, putting small businesses even more in the crosshairs of cyber criminals.

Yayuan: As mentioned earlier, the current premium volume from cyber insurance only covers a small portion of the actual cyber loss. Therefore, much of the risk is retained by companies themselves. So cyber risk management should focus on prevention and loss control.

First, a company can try to make its systems are as secure as possible. For example, design a secure system and constantly update systems to protect against malware and hack.

Second, a company should have a cyber incident response plan in place to minimize financial and reputational damage when a cyber attack occurs.

Third, a company should purchase cyber insurance even though coverage is limited. Companies should actively work with insurers on preventative measures and crisis management support. The smaller the company, the more important such support services are.

Fourth, companies in the same business may work together to develop a cybersecurity strategy and protect each other from cyberattacks.

Lastly, for large-scale cyber events, the government should step in and unify corporations, insurers, and reinsurers to work out a long-term risk-sharing solution. As has been seen in terrorism risk and earthquake risk, government-backed risk management solutions are necessary when a systemic risk might surpass the capability of the private insurance industry.

David: Update passwords regularly and make them harder to guess. No pet names, birthdays, or mascots. Setting up dual authentication and biometrics will also help. If a business purchases cyber insurance, the insurer will provide loss control services and guidance on how to manage the risk.

Abhishek: One of the most important things is to understand the value of the data you have. Once you understand the information you own and quantify its value, your realize how important the data is that you’re collecting.

Secondly, you need to make sure that your network is secure. Whatever software, enterprise services, or databases that you are using, you want to make sure that your data is encrypted properly. You want to reduce the number of injection points or vulnerabilities that could be exploited by bad actors.

Another thing is that technology is continuing to move toward a cloud-based environment, making services cheaper and requiring less maintenance, improving access for smaller scale businesses. So given that malicious actors are starting to come for small scale businesses, cloud-based technologies are also facilitaing the remedies and solutions for small businesses that could help protect against attacks.

Eugene: This is a major question that we’re still trying to address. Part of the issue is for businesses to give cybersecurity a level of attention commensurate with its importance. That means board level reporting, a real budget for ongoing improvement and defense, and investment in personnel, training, and tools. It may even mean rearchitecting the business to appropriately segregate and partition IT systems and data in separately-protected enclaves.

To do cybersecurity right means making a commitment in resources and prioritization. Every board (and C-suite person) should ask what it would mean to business if some/all of their data was stolen/leaked/corrupted. Then they should ask if they are confident that their company has validated, rehearsed responses to incidents that could cause those kinds of damage. If the answer is “No” or “I don’t know” then they need to do some immediate planning and assessment, probably guided by an external organization with experience in that kind of operation.

Michael: There are several components to managing risk and any security expert will tell you that you are never 100% protected. The best you can do is to minimize your risk by constantly addressing and updating the latest security concerns and known vulnerabilities.

The best way to do this is to secure a qualified security expert or company to help you manage your risk. These companies and experts will make sure that you stay current with system patches and upgrades that address newly discovered vulnerabilities that cyber criminals are looking to exploit.

The second thing is to make sure that you adopt a regular and fostered culture of cybersecurity awareness inside of your organization. If your employees do not understand the general concepts of cybersecurity and how these attacks take place, then they will always be at risk and you will be put at risk by your own staff because they do not acknowledge that their actions are creating risk.

Patricia: When a business has identified cyber risk exposures, the first step in managing the risk is internal loss control, i.e., undertaking activities to reduce the frequency and severity of potential losses. These methods include, for example, enhanced security protocols, monitoring of data access, and resiliency checks.

As it may be impossible to reduce potential cyber losses completely, a cyber insurance policy will help cover the financial consequences of an event. Effective management of the cyber risk requires continuous monitoring of cyber exposures across the business to ensure that internal loss control efforts adapt, and cyber insurance coverage limits are adjusted, as cyber risk conditions change.

Ragib: Businesses can organize and manage cyber risk in multiple ways. The first thing is awareness. All employees, from entry level to the top level, must be aware of the cyber risks, identifying potential phishing and social engineering attempts, etc. Practicing cyber health hygiene (not clicking on unknown links, not clicking on attachments, double checking email sources, etc.) should be a part of annual training for everyone.

Next is prevention. Make sure all the software systems are updated. Ensure that everything is backed up regularly. For backups, have multiple places where data would be backed up on a daily basis, and one of them should be a physical backup in a disk/media not connected to the network (e.g., a removable drive).

Finally, have a mitigation plan for cyberattacks—the question is not “if,” rather it’s “when” the attack will happen. Have contingency plans for data theft, data loss, and if necessary, insure against losses from such attacks.

Clifford: Multi-factor authentication is one way firms can more securely protect their systems and sensitive information from a breach. In the case of the Colonial Pipeline cyberattack, the breach occurred by way of a legacy Virtual Private Network (VPN) system coupled with single factor authentication. Upgrading your customers’, employees’ and vendors’ access to your systems is a critical step every organization should make.

More generally, larger companies should incorporate cyber risk into their enterprise risk management functions and focus on the following activities: (1) develop a cyber risk maturity threat assessment, (2) monitor, analyze and control cyber risks, and (3) prepare for cyber incident management and resilience.

Phil:

• Organize for the fight – know your assets – data, hardware, software, personnel
• Practice good cyber hygiene – virus protection, two factor authentication, eliminate default passwords, endpoint protection, least privilege
• Train personnel – against phishing, internet scams, social engineering, intellectual property protection
• Secure data – encrypted at rest and in transit
• Manage your systems and resources – understand how systems are being used through internal or third party monitoring
• Prepare for a cyber event – build relationships and resources before the event
• Understand the changing threat environment and modify your approach and policy as required

This is a lot for a small business, but it is no different from understanding accounting or legal issues. Learn the basics and hire expertise to check your assumptions and posture.

Levent: Managing cyber risk is a professional job and cannot be managed 100 percent. This is because in cybersecurity, we have three things: known knowns, known unknowns, and unknown unknowns.

Known knowns means that we know the things that we know in cybersecurity. So I can manage the risk for those known knowns. For example, let’s take the Zeus virus. It’s very well known, we know the signature, and if that virus comes to my computer, almost all possible antivirus software will be able to detect it. This is because they wrote the software based on those knowns.

For known unknowns, we know what we don’t know. Here we can manage risk somewhat, but not 100 percent because we don’t exactly know what’s going to happen. But we know that something may happen from this part, or this weakness, or from this particular application, and I can go and manage that application or that weak point.

The most difficult area is the unknown unknowns. This means we don’t know what we don’t know, and that scares everybody. Because you don’t know where the attack is going to come from, when it’s going to come, and where it’s going to attack. How are we going to manage these unknown unknowns? That is not easy, but people are working on it.

For small businesses, your risks will depend largely on your industry. If you are a small retail shop, you probably don’t have a lot of information on the customer, so any threats regarding data loss are not that big of a deal. However, if you are a dentist or a doctor, you will have private customer information, which is important to protect.

Some basic steps to protect your data are to make sure you backup your data and make sure it is encrypted. For many small businesses, because of the pandemic, they moved many of their services and data to the cloud. So suddently, the security of your laptop or your local network is not a big deal anymore because what really matters is the security of the cloud. So if you’re getting your cloud services from an Amazon or a Google, you are assuming these companies have proper security measures in place against some particular threats. In some sense, you are right, they have those measures, but in another sense, they may not, as they are also suffering from security attacks. However, it is probably better for a mom and pop shop to use a cloud service than to try and understand how to do it themselves.

Kevin: Most small businesses need basic security hygiene. The good news is that basic security does not cost a lot. The bad news is that most small businesses lack a security “expert” who can understand it enough to make these decisions.

A good place to start is the NIST Small Business Security Standard or the BBB Small Business Security Standard. These frameworks offer specific advice for a small business to organize against attackers and put down a fundamental framework that will keep most bad guys out. Understanding the common attacks and then fortifying against these attacks efficiently is the key for the small business.

For example, a recent Ponemon Institute cybersecurity report indicates the most common small business cyber attacks are:

• Phishing/Social Engineering: 57%
• Compromised/Stolen Devices: 33%
• Credential Theft: 30%

The aforementioned small business security standards take these statistics into consideration and are the place to start when investing in cyber defense.