I've been asked about the state of cyber insurance multiple times over the past couple of months.
It started with a Q&A session at an emerging technology committee at one of the state banking associations and by the end of it, I felt like a politician at a town hall meeting with questions like:
“What are we supposed to do about this?”
and
“What's being done to resolve this?”
I felt completely helpless. Unfortunately, I don't have a lot of influence in the cyber insurance industry, and I hate it when good people have a problem with no solution.
The Problem
They all had good reason to complain. Cyber insurance rates have been rising 30%, 50%, and even some doubling year over year for about the past three years. Some cyber insurance companies have even announced that they're getting out of the business altogether.
But who can blame them? They're losing money faster than they can raise their premium rates.
On top of it, the FTC announced that it's considering subsidizing cyber insurance for catastrophic cyber events (i.e., ransomware).
You know what Ronald Reagan said: “If you want more of something, subsidize it; if you want less of something, tax it.”
In my opinion, I would say that we should be taxing ransomware payouts rather than subsidizing them. But I digress…
All of this is because too many companies treat cyber insurance like a weight loss pill instead of eating healthy and exercising.
They are missing the key components of a good information security program and are relying on cyber insurance to be their information security program rather than enhancing it.
The problem for community banks is that, while many of them have good information security practices in place, their policies are being lumped in with companies that just don’t get it. They’re paying the same premiums as companies that have zero to little controls in place.
The system is broken. So how do we fix it?
What about self-insurance?
In several of the discussions, I was asked what I thought about self-insurance.
I remember when I first got my driver's license, and I got my first bill for car insurance. I remember saying out loud, “This is ridiculous! I should just save up the money and then I'll have it in case I'm in an accident!”
Then I remember my dad saying, “That's a great idea. But what if you have an accident tomorrow?”
My dad had a good point back then, one that’s absolutely relevant in this conversation today.
We're seeing minor incidents cost over $100,000. And unfortunately, the occurrence of those minor cyber incidents is happening more frequently. Even if your cyber insurance premium was $30,000 a year it takes you 3-4 years to break even and you still don’t have coverage for a $5 million catastrophic event.
Can you absorb that kind of impact?
This doesn’t even consider the accounting nuances that could impact your capital and liquidity ratios. All things that should be discussed with your CPA, financial auditors, and regulators before pursuing this route.
All in all, I just don't feel the self-insurance route is a great solution.
What about risk-based insurance options?
This is the equivalent in the health insurance world to the companies that do blood tests and health screenings and then offering savings for “healthy” participants.
The bad news is: I don't think this has matured quite yet in the cyber insurance world.
The good news is: we're starting to see some companies try.
Coalition
I actually got to interview a bank that uses Coalition for their cyber insurance policy. They saved over 50% annually from their previous provider.
Coalition does external scans of your network and then sets premiums based on your risks. They even warn you if you have critical vulnerabilities that remain, stating that it may affect your cyber insurance coverage.
Right now, they're still only performing external scans, and it seems like some of those can result in some false positives. (i.e., when we scanned our network during our free trial, there were IPs that showed up that don't even exist for us.)
I'd like to see them evolve to include internal pen testing, phishing tests, and other metrics in the process. While I think Coalition has a ways to go it, feels like they're taking a step in the right direction.
FifthWall
Their marketing materials say they're taking a risk-based approach, but I'm not entirely sure how they do it. I reached out to a contact there, as well as general support, and did not receive a response by the time this article was written.
Still, it may be worth looking at if you are exploring risk-based cyber insurance as an option.
Closing
The cyber insurance industry has a lot of growing up to do.
Just because it's not perfect doesn't mean we need to abandon it altogether. It can be a key piece of a good information security program depending on your risk profile.
I feel like the only way we solve some of the current problems we’re seeing with cyber insurance is to keep demanding risk-based coverage and risk-based premiums and vote with our dollars by supporting those companies who are trying to reward good cyber hygiene.
If you're ever curious if your cyber insurance coverage is correct for your bank or credit union, we have a tool that we can quickly run you through. Let me know and we'll see what we can do to help, just contact us at support@bedelsecurity.com.