Cyber Risk

Unlike any other type of insurance risk, cyber risk has agency – if you harden your defenses, a cyber attacker will change tactics to find another weakness. The organizations that survive these battles have cultivated operational resilience by fostering a proactive cyber security culture, with well-defined policies and up-to-date technology. Preparing for cyber risk in advance allows firms to react quickly as new threats emerge.

A Brief History

The first cyber insurance policy was developed about 20 years ago – before the cloud, the internet of things, online email platforms, and iPhones. IT departments were focused on protecting personal computers and on-site servers and networks.

Today, cloud computing and cloud storage has become the norm, creating a $1 trillion industry by the end of 2028. There are more than 75 billion connected devices around the globe, and 7.2 billion smartphones – figures that continue to grow, providing more and easier access to the internet. Managed security service providers are not so concerned about a single computer being infected, but rather viruses that spread quickly across entire organizations. Interconnectedness has become a component of critical infrastructure, and governments must grapple with how to minimize disruptions.

With the emergence of AI – which has benefits in terms of cybersecurity, but also creates a host of different threats – it’s a much different landscape than 20 years ago, and one that is evolving very rapidly.

Five Emerging Cyber Threats

Cyber risk is the defining risk of the 21st century. The rise of cyber dependency is connected to a whole range of potential knock-on effects with repercussions that can destabilize whole economies. Cyber-attacks are increasing in frequency and sophistication, positioning cyber as a top business risk. The evolution of cybersecurity has tried to keep pace, nevertheless, even large institutions (like JP Morgan, which spent $600 million in cybersecurity defenses) are victims of cyber-attacks.  So, what types of threats are we looking at for 2025?

1 | AI-Powered Cyber Attacks

AI is being applied to increase the sophistication of the cyber-attacks. Hackers are tracking employee behavior (searches, communications, social media) to generate names and predictive email text that can trick individuals into providing key details, clicking on links, or sending money. Deep fakes are also being utilized by AI – either videos or voice recordings – to elicit access to a network or a server via phone calls, emails or online.

Responses to cyber-crime have evolved from antivirus software 20 years ago, to firewalls, password protection, spam filters, endpoint security, access management, data protection, multi-factor authentication, advanced detection and assessments. And, now we’re seeing utilization of AI in cybersecurity protocols. Implementation of AI in cyber is another area that we really need make space for in our cybersecurity defenses going forward.

2 | Geopolitical Cyber Crime

Attacks from nation states – Iran, North Korea, Russia and China – are not just disinformation campaigns to sway elections, they are also sowing disruption in our critical infrastructure, energy grids, and transportation networks. These attacks intend to create the highest level of chaos possible for their adversaries, but they have the additional consequence of disrupting business productivity. There’s an economic and GDP toll from these types of attacks, but businesses need to be prepared for the fallout, because they are the unintended secondary victims.

Zero Trust is a new security model that takes a higher level of verification; there’s literally a zero trust of any user. The model requires verification of every device, every access point into a network, regardless of location, regardless of how many times credentials have been verified previously. Strict data lockdown is one way that to mitigate both the AI and the geopolitical cybercrime components.

3 | Access to Cyber Insurance

As a result of escalating cyber risks, cyber insurance markets are more stringent in underwriting and available coverage. Just to get a quote, an organization must meet increased requirements, like multi-factor authentication, data backups, redundancies, and staff training. Without them, underwriters are denying to even issue quotes.

Additional exclusions pertaining to nation state attacks and reduced limits for ransomware attacks are also becoming commonplace. So, the risk into 2025 and beyond is that the cyber insurance market may become less accessible. Ultimately, the greatest defense mechanism an organization could have often lies between the chair and the keyboard, making training, cybersecurity culture, and cyber hygiene a critical strategy for combatting this risk.

4 | Supply Chain Vulnerability

Third party risk remains a key avenue for potential cyber intrusions. Software suppliers are a critical source of this vulnerability. For example, in the healthcare space, legacy systems and outdated platforms create inherent vulnerabilities. Those should be monitored to ensure they’re not creating an entry point for would-be cyber criminals.

From the cyber insurance perspective, as well as cybersecurity in general, heightened scrutiny of all suppliers and vendors is critical – especially if there’s any access to data and networks – including their cybersecurity practices, ability to withstand a cyber breach, cyber insurance, or financial ability to remediate a potential issue.

5 | Cybersecurity Talent Shortage

There’s a gap between the number of cybersecurity professionals with the skills required to really deal with cyber threats at the pace at which they’re evolving and the demand for these workers. Companies often have to outsource their cybersecurity services because they don’t have the budget to hire the talent needed in-house, or their IT staff may not be able to adequately manage the firm’s cybersecurity needs. This is going to be a continued risk, and organizations need to prepare a realistic strategy to fund and procure these essential services.

Mitigating Your Risk

There is a persistent education gap in how to quantify cyber risk and the value of cyber mitigation investments, like cyber insurance, which brings a whole host of services and solutions with it. In fact, a recent survey found that most c-suite executives were not aware of the details of their cyber insurance coverage.

The first step to taking control of risk is to take stock of the organization’s risk mitigation strategy, which is generally comprise of four approaches: avoid, transfer, reduce, accept. In cyber, avoidance is unrealistic because most organizations are going to use some form of computer or digital component in their business. Risk transfer can include moving your data storage to the cloud where they have more security and resources to deploy, or cyber insurance – which shifts the financial impact of a cyber incident to the insurance carrier. Eliminating or limiting stored data is a risk reduction strategy, as are data access controls and limiting what data is collected. Lastly, accepting some level of risk for engaging with the internet and utilizing computers is unavoidable. The question becomes, how can we leverage the other strategies to lessen the impact?

There are a range of different cyber insurance products that have flooded the market and not all of them are created equal. Bundled products, meaning cyber coverage is tied into a business owner’s policy or property policies, really only provide only a financial component.

The average breach is coming in at roughly about $4.8 million in total costs – including notifications and credit monitoring services, forensics and data analysis. To ensure the right level of protection, a standalone cyber insurance product that includes all the different layers of cyber insurance protection that you need for liability, business interruption, and breach response is essential.

Conclusion

Continual monitoring of cyber risk and cybersecurity to keep pace with the ever-changing cyber threat landscape is, unfortunately, the new normal. While cyber insurance is one tool to minimize the financial impact, underwriting requirements are also increasing, so investing in the bare minimum cybersecurity standards is non-negotiable for businesses that intend to build the operational resiliency required to withstand the increasing frequency and sophistication of cyber-related incidents.

Forbes and Gartner have both rated risk management as a top priority for business leaders. To truly achieve effective cyber resilience, organizations must be ready to adapt and adopt a comprehensive strategy that integrates cyber resilience, third-party risk management, and robust cyber insurance coverage.

This conversation between Chaz Chalkey, VP at Dataprise, a prestigious Managed Security Service Provider (MSSP), Jason Stein, VP at Telarus, a technology distributer, and our own Andres Franzetti, President of Risk Cooeperative, a growing insurance broker with deep cyber insurance expertise.

The Terms of Engagement

Chaz Chalkey (CC) | Cyber protection and insurance may be new to some, so we’ll start by defining three  concepts we’ll cover extensively.

1 | Proactive Cybersecurity – A proactive stance in procuring cybersecurity solutions.

CC | While some people claim they have antivirus and a firewall to cover cybersecurity, we say that’s wildly insufficient. What is needed is the oversight to monitor, manage, maintain tools to bring greater insight to potential risks or incidents that may pop up across your technology landscape.

Jason Stein (JS) | Cyber experts like to say, it’s not IF you may be compromised, but WHEN. With 3.8 million cyberattacks per day, we see an organization fall victim to a breach every 14 seconds in the U.S costing and average of $9 million per breach. Because recovery is so difficult, organizations need lots of layers of security. Right now,88% of all breaches are caused by humans so we need to make sure we’re putting safeguards, like training, in place when it comes to protecting humans from themselves.

2 | Risk – The chance of loss and the financial impacts of that loss.

JS | Organizations need to ask, what financial impacts do identified risks pose, what is the dollar value of those, and then what is the roadmap to successfully protect the organization from internals risks, external risks, and natural risks.

3 | Cyber Insurance – An insurance policy procured to alleviate cyber risk when an organization is not prepared to absorb the financial hit of a cyber attack.

Andres Franzetti (AF) | Cyber risk is so interconnected that it impacts all areas of business, organizations really do need to have an extensive review of risks and assigned costs. But cyber insurance is not complicated by the many types of cyber insurance available. Standalone cyber insurance is what we recommend because of the variety of robust coverages like business interruption, third party risk, reputational risk, privacy and compliance related incidences, and breach remediation. A variety of bundled policies is also available.

The decision on the right insurance solution for your organization requires a hard look at the types of risk you’re willing to absorb and the types of policies that you’re considering implementing to ensure that you have the right coverage for your organization to the resiliency to withstand a cyber event.

CC | Can you highlight the differences between a standard business insurance and a focused cyber insurance plan?

AF | Business insurance encompasses a variety of different insurance policies like physical injury and general liability, plus mandated coverages such as workers comp. While cyber insurance is a discretionary policy, it is sometimes required for work contracts and we’re seeing greater privacy regulations and laws coming into place, which will eventually make it one of the mandated coverages.

Organizations need to understand the implications of cyber policy nuances on their organization, not just the technical specifications. Jason mentioned the cost of a breach is reaching the +$9 million level, and these nuances are some of the costs that are built into that cost, not just remediation, investigation and forensics. Consider the cost of payroll delays, inability to conduct transactions via the website, lost accounts from reputation risk, or vendor risk disrupting business.

Cybersecurity Impacts Insurance Access

AF | The requirements keep increasing from basics like password protection and a response plan, to now being more about integration of technologies and emphasis on training, dual factor authentication, redundancies and backups – impacts not only pricing but also access to cyber insurance.

Companies are being turned away if they don’t meet the minimum security requirements, and that’s a trend we’re going to see continue to increase. There is a tightening of access to cyber insurance, where only the firms that can demonstrate robust cybersecurity practices will be insurable.

JS | Exactly. The cyber insurance landscape is changing dramatically. You used to see everyone get a policy, and if you could prove a breach you got the payout. But in 2021 we saw over 2100 breaches, meaning more than $2.1 million dollars from carriers, so they had to put more requirements in place and raise premiums. Some organizations and industries now require cyber insurance while the requirements are getting more complex.  Our expertise helps support access those requirements more easily.

Enhanced Cyber Insurance Offerings

CC |  We would be remiss if we didn’t mention a new program Risk Cooperative and Dataprise created called ConvergeConnect^TM, where a cyber insurance carrier Converge has validated Dataprise as cybersecurity provider, allowing premier customers eligibility for savings up to 30% on their cyber insurance premiums. Actually, we’ve taken advantage of the the ConvergeConnect^TM program for ourselves at Dataprise and are saving tens of thousands per year. It has really helped us to invest in other aspects of our business.

AF | From the insurance perspective, we are helping to close the customer proximity gap. The insurance application process can be quite complex, with a lot of questions requiring technical data. Clients need help from their technology providers to complete the questionnaires, and ConvergeConnect^TM helps to streamline that and validate that the protocols are in place, giving the customer access to insurability and premier pricing. With Risk Cooperative serving as broker, clients have the support they need to understand their risks and the various policy coverages to get the protection they need.

Cybersecurity Trends 

JS | Cyber insurance is a $13 million industry with around 35 million firms – more than a third of U.S. companies – mandated to obtain a cyber policy. While policies used to be $1 million for a $100 thousand premium, now you’re seeing 2-3x the cost for the same coverage, depending on your cybersecurity protocols. Investing in cybersecurity helps keep those premiums down. But, the policies are also different, with segmented coverage and payout caps. Bringing in your MSSP and your broker to assess risk, assign a value to that risk, and explain your policy options will help ensure you have the best plan in place.

One statistic that stands out is 60% of organizations will use security risk as a factor when determining business relationships. This is huge, because understanding risk is not only valuable for you internal operations, but it’s also a determining factor when engaging in other business activities.

AF | On the other hand, proposed legislation such as the American Privacy Rights Act are creating new GPDR-like protections. These are expected to result in more costly claims, more fines, and more regulation tightening the insurance underwriting process.

We’re seeing a preference for a zero-trust model among underwriters, a model that requires classified access to data and breach response tools.  I also want to highlight the risk management component of 3^rd party risk from vendors, with compromised software supply chains resulting in $23m in losses in 2023 and predicted to triple by 2025. It’s critical that you have standards in place for the 3^rd party vendor management because those are the exposures insurers are looking at and will remove that coverage if proper mitigation components are not in place. Likewise, ransomware is becoming a line of coverage with reduced limits as a leading cause of cyber incidents.

Organizations are opting to outsource cybersecurity because the talent pool is extremely limited and specialization is needed to manage this highly integrated cyber threat. Still, underwriters are struggling to get the technical details for cyber insurance from the consumer, making programs like ConvergeConnect^TM a valuable program for clients seeking to build their cyber resiliency.

JS | Not to mention the influence of AI, which is today where cloud computing used to be – more than half of companies want to put some kind of AI in place, but there is just not a ton of security around it.

AF | From the insurance and underwriting side, it’s too early to tell how AI risk will be addressed by cyber insurance but you’re going to see requirements for AI continue to evolve.

JS | Our client needs are aligned with what Andres is saying: greater privacy regulations risk and outsourcing of cybersecurity.

Conclusion

CC | A conversation we have often with partners and customers is how layers of security are often part of a broader business resiliency strategy, driven by the need for business continuity and disaster recovery.

AF |  You’re absolutely right. It ties into the proactive risk mitigation we talked about at the beginning – containing losses, reducing downtime and limiting how much is paid out by the insurers – because, ultimately, if you can help contain that loss you have a better chance of managing premiums and maintaining coverage.

Certain risks could be limited or excluded by some policies, so understanding the details is critical to deciding if it’s the best available, while also keeping tabs on the pricing element. Sometimes the cheapest policy won’t have all the coverages, leaving you to shoulder those costs in the end. Your broker should be a trusted partner and walk you through the details to ensure that your policy has the most robust coverage available to you.