The current structure of the cyber insurance market, measured against the threat landscape, has been under strain. Historically, organizations would seek insurance, receive a minimum capability requirement, attest to doing the required items, and then transfer (a portion of) the financial risk to the insurers. The prevalence of ransomware events and the associated payouts have made that approach unsustainable for the cyber insurance market, and it has always been a poor approach for the insured. Cyber events have far-reaching implications, and a failure to evaluate risk and build cyber resilience commensurate with fiduciary responsibilities in this day and age is malpractice. The increases in premiums and lower coverage levels are simply a necessary industry response from cyber insurers. We – the cyber security industry, leaders in all sectors and verticals, and specialists in cyber engineering, GRC, and technology – are now faced with a choice. Do we start to change the conversation and narrative around our role in allowing this to occur, and work collectively to lower the risk pools so cyber insurers can play their critical role in transferring some of the financial risk, or do we continue to push our products and services as the savior without considering how they work together to enable integrated cyber resiliency?
I think 2022 will continue the trend of ransomware events both hitting the news and being quietly handled. This will likely cause some insurers to leave the cyber insurance market and others to simultaneously increase their premiums, lower their coverage levels, and require more proof that the insured are meeting cyber hygiene requirements. The bottom line is that cyber insurance is one of many critical tools for active cyber resiliency, and like any other tool, when it is overused it wears down, and when it is used in place of the ‘right’ tool for the job it performs poorly.
About Jeffery J Engle
Jeff Engle is Chairman & President at Conquest Cyber, where he brings a broad spectrum of experience in Risk Management, National Security, and Business Process Optimization. He is responsible for the development and implementation of all strategic initiatives, including cyber risk management and secure digital transformation programs. He has served as a consultant for the Department of Defense’s premier adversary emulation team and has conducted vulnerability assessments and training all over the world.