Companies buying cyber insurance will have to prove their use of multi-factor authentication (MFA) and undergo detailed security audits, as the fledgling industry fights back against ransomware-driven losses that have pushed it to the brink.

The cyber insurance premium pool – which, according to US National Association of Insurance Commissioners figures, comprised around $4.3b ($US3.2b) of direct written premiums – has steadily increased as a growing number of companies bundle cyber coverage with their other business policies.

A recent US Government Accountability Office (GAO) analysis noted that 47 per cent of insurance clients had added cyber insurance policies in 2020 – up from 26 per cent in 2016.

Yet with ransomware demands spiralling into the nine and ten figures, cyber insurers last year paid out 73 per cent of the premiums they collected – up from just 34 per cent in 2018.

That growth is threatening the industry’s viability, with industry analyst firm Fitch Ratings warning that “a higher propensity of cyber incidents, particularly ransomware attacks, are likely to hinder” industry growth that would be hit by “significant premium rate increases and tighter coverage terms.”

Recognising ransomware’s existential threat, providers have this year overhauled their policy settings.

A new US Cyber Insurance Market Outlook report from Risk Placement Services (RPS), for example, notes that insurance providers are winding back coverage amounts – from, say, $5 million to $3 million or even $1 million – and boosting premiums by as much as 300 per cent, even for existing customers.

“Over the past year, we’ve seen the challenges of the COVID-19 pandemic and increasing frequency and severity of ransomware attacks put pressure on the US cyber liability market,” RPS national cyber practice leader Steve Robinson said, blaming “unprecedented” claim losses on “a growing mismatch between exposures and underwriting”.

Claimed losses for ransomware attacks and supply chain interruptions were leaving many general insurers unable to resell their cyber risk to larger reinsurers, Robinson said: “they found themselves in a situation where the shelves were empty and there was no reinsurance left to buy.”

Can better insight save Australia’s market?

With ransomware exploding – recent Australian Cyber Security Centre (ACSC) figures noted nearly 500 reported ransomware attacks in Australia alone last year, up by 15 per cent on the previous year – local companies have been leaning on insurers to cover their losses.

Closely watching the experience of more-mature US markets, Australian regulators have moved to reduce insurers’ ransomware exposure with policies such as a mooted ban on insurers paying ransoms, and a newly released Ransomware Action Plan that will criminalise cyber extortion and force large companies to report ransomware attacks.

“The payment of ransoms by insurers is helping drive the illicit ransomware trade,” CSCRC CEO Rachael Falk said. “What is vital when it comes to ransomware and cyber insurance is that we start to starve out the cyber criminals and break the payment chain by stopping insurers paying the ransom.”

CSCRC recommendations include preventing insurers from paying ransom or extortion payments; clarifying what is and is not covered by cyber insurance; developing guides to help SMEs benefit from cyber insurance; and increasing ‘bundling’ that combines cyber insurance with other business policies.

Evaluating these policy changes will, however, require better visibility in a sector that the CSCRC said is suffering a “lack of transparency”.

This is expected next year, after the Australian Prudential Regulation Authority (APRA) mandates reporting of cyber insurance and management liability data in the National Claims and Policies Database (NCPD).

Improved reporting, APRA says, “will assist insurers in quantifying this risk so as to develop adaptive pricing models and products to support this strategic response.”

Onus on the insured

Even as the market works to prevent a financial washout, insurers are becoming far more savvy about the cybersecurity controls they expect companies to use.

Just like a car insurer would expect you to wear a seatbelt and never drive after drinking, companies applying for cyber insurance can expect to have to demonstrate use of multi-factor authentication (MFA) as a minimum.

Replacing what used to be cursory questionnaires, insurers are now demanding supplemental application forms documenting a range of cybersecurity practices.

Expect to produce policies around data privacy, backup, segregation, testing, and recovery; biometric data storage where fingerprint scans are used; IT vendor vetting processes; employee cybersecurity training; use of vulnerable remote desktop protocol (RDP); use of endpoint detection and response (EDR) tools; email security; and log-in security and user authentication.

“Insurance companies are setting IT infrastructure minimums,” said RPS area vice president Nick Carozza. “What has been a challenge for many companies is that these controls went into effect so quickly. Many companies were caught in a situation where they didn’t have the time or the funds to implement these controls before their policy renewal date.”

Increasingly, insurers are likely to lean on security measurement metrics like SecurityScoreCard, which evaluate and rank companies’ online security exposure.

Although “they can’t see everything”, said SANS Institute director of emerging security trends John Pescatore during a recent webinar, the scores “have turned out to be a pretty strong leading indicator of the likelihood of attack.”

“A couple of years collecting data in this scoring industry was enough to show the cyber insurance industry that they can use it for something like that as well…. If they are, say, making calls to known [malware] command and control centres or are having vulnerabilities, this means they are more likely than everybody else to be compromised.”