The FT reported the launch of the “first catastrophe bond for cyber threats” by specialist Lloyd’s insurer Beazley on Monday. The bond is intended to protect Beazley if “total claims from a cyberattack on its clients exceed $300m” and so insulate its balance sheet from the impact of an improbable but catastrophic cybersecurity event. The FT’s Ian Smith tweeted that Beazley’s CEO viewed the bond as tapping into a capital “pool that is trillions [of dollars] rather than hundreds of billions”, seeing it as a path enabling the insurer to “hedge and grow”.
Cybersecurity insurance remains in very high demand as cyber threat levels remain elevated following sharp increases during and in the immediate aftermath of the Covid-19 pandemic. The rapid acceleration in insurance prices has slowed somewhat, but premiums still increased by an average of approximately 27% per quarter between Q4 2021 and Q3 2022, according to a report by the CIAB. The surge in prices directly reflects the increasing frequency of claims as well as their severity. Some industry leaders, such as Mario Greco, Zurich chief executive, have even gone so far as to say that cyberattacks will be “‘uninsurable’ as the disruption from hacks continues to grow.”
The issuance of the catastrophe bond by Beazley is probably evidence that a future where cybersecurity risk is generally uninsurable is an unlikely outcome. What is not in doubt is that as risk from cyber threats has grown exponentially it has had far-reaching consequences for companies and insurers alike.
Opportunity … for cybercriminals
The pandemic significantly accelerated the adoption of cloud systems, alongside a concerted move by companies to hybrid working. The associated need to manage complex, distributed systems and networks has proven to be a particular challenge from a cybersecurity perspective. Because so many organizations are now exposed to attacks through inadequate protection, cyber threat levels continue to increase, an issue set out in detail by the information technology trade body the Computing Technology Industry Association (CompTIA).
The growing number of potential targets has led to a surge in the number of cybercriminals as well as the variety and scale of potential attacks. While in the past hacking was the remit of a specialist few, the widespread availability of powerful off-the-shelf tools, coupled with a large number of ‘soft’ targets, means that even relatively unsophisticated players can experiment with this potentially highly lucrative activity. And the bottom line is that more people and more criminal groups than ever are engaging in hacking.
Companies are doing their best to keep pace, with the number of cybersecurity professionals working globally increasing from 4.1m in 2021 to 4.6m in 2022 according to a report by Statista. While this is a sizeable increase, it is dwarfed by the sheer number of job openings in this sector, which is estimated to be 3.4m in 2022 according to another report, this one by (ISC)2, a globally recognized cybersecurity organization, which concludes that “the cybersecurity gap has grown more than twice as much as the workforce”.
The lack of cybersecurity specialists, alongside the upward pressure on their salaries, means that critical vacancies at many organizations remain unfilled to the detriment of the safety of their systems and data. While a tier 1 bank, with its status and deep pockets, will have fewer issues attracting the right talent, others may not be so lucky.
The type of entity successfully targeted by cybercriminals seems to bear this out, with schools, hospitals, restaurants and local government all examples of organizations now reporting cyberattacks or breaches. According to the (ISC)2 report, 49% of respondents reported that their organization had a “significant shortage of cybersecurity staff”, while 74% believed that the shortage of cybersecurity staff put them at risk of cyberattack.
Insurance requirements increasing
Alongside rising insurance premiums, insurers have been amending policies and introducing stricter requirements for any organization seeking to insure itself against a potential cyberattack. Insurers, particularly those in the US, which suffers a disproportionate number of attacks, closely scrutinize a company’s cybersecurity measures even before providing a quote or offering insurance. Companies without at least the following measures in place are routinely refused insurance:
- multifactor authentication;
- strong password policy;
- adequate and continuous employee training;
- endpoint detection;
- backup systems;
- incident response plan;
- disaster recovery.
Many insurers insist on even more robust cybersecurity arrangements to mitigate their potential exposure, and policy limits are becoming routine alongside the more exacting requirements.
It is therefore possible to speak of cybersecurity risk being uninsurable in connection with organizations that have either failed to prepare or cannot afford to put the required measures in place. Lack of preparedness, of course, given the dearth of available cybersecurity talent noted above, is often not the firm’s own choice, but just the sad reality of abrupt change. CompTIA’s report rightly points out that equilibrium here is years away and further significant restructuring of the entire ecosystem connected to cybersecurity is a given.