I still do a bit of ICS security consulting for asset owners in between S4, speaking at events, and the Unsolicited Response show. This consulting typically requires a $1M Professional Liability Insurance policy. It’s renewal time, and below are two new exclusions that would result in denial of a claim that are called out in the new policy.

No alt text provided for this image

This approach is just one of many examples that insurance companies are struggling with the cyber insurance product. Sure, these are two important vulnerabilities. But only two of many. And are they going to add exclusions for specified vulnerabilities each year? They are groping for solutions and, unfortunately in this example, not getting or heeding good advice.

A Fitch Ratings article is chocked full of 2020/2021 bleak numbers on cyber insurance. In 2020, Fitch estimates that 73% of premiums were paid out in claims. For most insurers this means a loss, as breakeven is typically between 60% and 70%. No need to cry for the insurers though as claims have been a low percentage in 2017 (35%), 2018 (34%) and 2019 (47%), albeit on a lower premium base.

One response by the insurers to higher cost of claims is to raise rates. Information on the percentage increase varies widely with Fitch saying 11% and insurer AIG saying their cyber policy premiums are 40% higher for renewals.

The good news, from the insurer’s perspective, is cyber security product revenue is growing at ~20% per year and is now at $2.7B.

The trends of increasing claims and increasing premiums has some skeptical that cyber insurance will be a helpful cyber risk management tool.

No alt text provided for this image

It is too early to judge the role cyber insurance will play. I’d agree with Dmitri that to date it has not made things better, and I would not bet against the insurance industry figuring out this cyber insurance product. I hope to have an insurance industry expert on the Unsolicited Response Show to explain how the industry has developed new products, such as piracy, hurricane, and other expansions to property/casualty.

Progress in this market will require the insurers to get a better idea of how to measure cyber risk based on a company’s security posture. Clearly whether a patch or two has been deployed isn’t the answer, but the Moody’s/Team8 cyber risk rating may be. Others are developing risk ratings as well.

Progress can also be made in reducing the claim size through a more effective response, and insurers will get better at assisting, and even dictating to some degree, the response. In the near term, I’m less hopeful in cyber norms and law enforcement diminishing the frequency and impact of the incidents.

———

One last thought on cyber insurance, particularly related to critical infrastructure asset owners. Some believe that insurance can’t play a role in managing critical infrastructure risk because a claims payment to the asset owner doesn’t help the people and business who have lost the service provided. While insurance may not be as useful of a risk management tool in critical infrastructure, it still can be useful.

For example, imagine cyber insurance for an electric utility. If a cyber attack takes out one or more units at a power plant, the corresponding generation capability would be lost. Insurance does not help the impacted customers. The power would be out. (but not really, in most cases the utility would either tap into their reserve capacity or buy power) The customer impact and impact on its reputation would be large if the utility said, “It’s not a big deal the power went out. We won’t lose much revenue because we have cyber insurance”. Outages happen for a variety of reasons at Power Plants, and the utility needs to be able to meet its customer demand when it happens.

Where insurance could be a useful risk management tool in this example is if the cyber attack caused physical damage to very expensive systems to buy and deploy. A utility, manufacturing company and other organization relying on ICS could have a resilient operation that allowed them to continue to provide the product or service to their customers, and still cover a portion of the physical system replacement cost via insurance.

It’s early in the cyber insurance game.

Subscribe to Dale’s ICS Security: Friday News & Notes.