The proliferation of cyberattacks and cyber claims related to ransomware incidents have led to higher insurance premiums over the past few years.
According to a Check Point report from the 3rd quarter 2022, the number of attacks rose 28% year-over-year: Combine that with increased costs and you have a recipe for increased premiums.
The rise in high-impact cyber incidents has pushed the young cyber insurance industry back on its heels as market players reexamined how they assess cyber risk and price coverage. Although pricing has stabilized over the past quarter, businesses would do well to improve scrutiny of their third-party software and supply chains.
SMB Security Challenges
Isabelle Dumont, vice president of market engagement at Cowbell, a provider of AI-powered cyber insurance for SMBs, says the world woke up to the security challenges caused by third-party vendors in 2013 when the retailer Target suffered a major cyber incident tied to system access for its HVAC supplier.
“Many suppliers to large companies often are small businesses that lag behind in their deployment of cybersecurity controls. They can be an easy path for cyber criminals to launch attacks on larger organizations,” she says. “This additional risk needs to be considered when pricing cyber coverage and has an impact on cyber insurance premiums.”
She explains that having adequate cybersecurity deployed when interacting with third-party vendors drastically improves the risk profile of any organization. “It also makes it more insurable for cyber, which in return lowers premiums or opens more coverage options,” Dumont adds.
This approach by larger businesses ranges, for example, from compliance to security best practices when deploying cloud providers and requiring multi-factor authentication (MFA) for maintenance services when they access the company’s connected equipment.
From her perspective, third-party scrutiny on cybersecurity yields positive outcomes for all, starting with the most important benefit, which is to lower the likelihood of facing a cyber incident.
Jerry Caponera, general manager of risk quantification at ThreatConnect, a threat intelligence company, argues the influence of third-party vendors on a company’s cyber insurance premiums varies based on the relationship.
“A company can take out insurance for third parties, but we don’t see a lot of those premiums tied directly to the number of third parties a company has under contract,” he says. “The effectiveness of third-party vendors’ security doesn’t play into the cost of a cyber insurance premium.”
On the other hand, where he sees some impact on cyber premiums with respect to third parties is “pass-through requirements”. That means if a third party wants to contract with a parent company, the parent company can require the partner to have a certain level of insurance.
“In some cases, the amounts third parties are being requested to carry greatly exceeds their current spend and can put both companies — the parent and third-party company — in a bind,” Caponera says.
Challenges in Addressing Security Posture
Jason Rebholz, CISO at Corvus Insurance, notes many organizations struggle to properly assess the security posture of their own environment, let alone the environments of their third-party vendors.
“Modern organizations are an interconnected bundle of security risks. The lines between organizations and the vendors and SaaS providers they use have blurred,” he says. “Understanding the interconnectivity between various technologies and vendors can help identify future risks.”
He explains that while hackers still favor a direct approach to attacking organizations, other doors can be opened — as evidenced by the Target breach, for example.
Rebholz says organizations should first focus on how they address the security risks from attacks directly against their infrastructure.
“From there, they should then expand to how they address the threats of lax security in third-party vendors,” he explains. “Most companies will find that the key principles of securing their own environment will help dictate their strategy and approach in mitigating the risks of third-party vendors. We shouldn’t diminish the threats that third-party vendors introduce to organizations.”
Rebholz says a robust third-party risk management program may indicate to insurance carriers that a more mature security program exists.
“It is important for organizations to highlight to carriers how they manage the overall risks within their environments,” he adds. “That includes security controls for your own environment, a subset of which is how you manage security risks from third-party vendors.”
Reducing Risk Across Supply Chains
Caponera explains that when a cyber breach occurs due to a third party, it’s often challenging to find out where it originated.
“Most companies are focused on getting operations back to normal and resuming their business,” he says. “What’s lacking is the ability to look broadly across the entire ecosystem of a company’s operations — from their own IT systems to their third-party vendors’ systems — in order to assess and mitigate cyber risk.”
He adds a tangential, but powerful, benefit of cyber insurance scrutiny on third-party vendors will be the reduction of risk across these supply chains.
“If increased scrutiny helps a third-party vendor provide better security, that impact will be felt across all their customers, not just the vendor,” Caponera says.
In turn, cyber insurance companies will be able to help drive better awareness and proper investment once they start prioritizing cyber investments by financial risk reduction.
“These prioritized reductions can be baselined across an industry or sector, again, reducing risk at scale,” he says.
Rebholz notes the cyber insurance industry must continue to evolve, including in how it uses new technology tools and new forms of data together, thus better quantifying and assessing risk.
“The combination of security data, threat intelligence insights, and a more quantitative understanding of financial impacts learned from claims data can deliver a better understanding of risk from data and security expertise,” he explains.
How to Get the Best Cyber-Insurance Deal
Noberus Amps Its Tactics: How IT Leaders Can Keep Up with Evolving Ransomware
Services You Should Expect From Your Cyber Insurance Provider