A recent survey by Markel in late 2021 found that over half of small-to-medium enterprise (SME) respondents had fallen victim to a cybersecurity breach. The increase in hybrid working, as well as limited in-house expertise, has left SMEs increasingly vulnerable to cyber attacks. In July 2022, CFC Underwriting, an MGA, reported a new form of ransomware attack, ‘BazarCall’, targeting SMEs which accounted for 10% of malware incidents detected by CFC in its portfolio across a three-month period.
Whilst the necessity to insure SME cyber risk is growing, underinsurance has been increasing with many SMEs insufficiently covered. This issue has been created by cost-saving attempts made by SMEs in the face of inadequate products, as well as limited and inconsistent provisions from insurers.
Insurers are starting to work with the wider cybersecurity industry to increase their appetite to insure cyber risk. This collaboration is bringing in data providers and consultants, to close this underinsurance gap by enabling SMEs’ cyber risk to be better quantified, covered and monitored. These partnerships have the potential to reduce cyber premiums and the likelihood and impact of future cyber events. Similarly, SMEs are becoming more interested in taking on policies that offer appropriate cyber coverage at more reasonable prices.
The SME cyber underinsurance problem
The COVID-19 pandemic accelerated and normalised hybrid working. SMEs were amongst the first to adopt technologies, such as cloud operating systems or data plug-ins via application programming interfaces (API), to address this behavioural change. However, SME staff often did not have the expertise to adopt cloud technologies or API integrations in a way which ensures a robust cyber defence.
When asked about SMEs’ lack of expertise around configuring cloud infrastructure, the consulting company KPMG explained to InsTech that this misconfiguration increases organisations’ attack surface, leaving critical assets and client-facing services exposed to focused adversaries and indiscriminate opportunistic attackers. KPMG recommends that SMEs should, where possible, use third parties to implement, review and regularly test cloud-deployed workloads and services to ensure clarity and efficacy of implemented controls as part of managed cloud security posture.
Moreover, an unstable geopolitical environment with the Russia-Ukraine conflict and growing tensions between mainland China and the West have given cyber criminals access to previously untapped attack channels. As attention is pulled towards cyberwarfare, non-state affiliated cyber criminals are able to take advantage of this redirection of attention and attack organisations of all sizes, often undetected.
Whilst the risk of SMEs experiencing cyber attacks is increasing, insurers are struggling to quantify and price this cyber risk due to a lack of historic attack and real-time cybersecurity data. A late 2022 poll by InsTech asked how confident MGAs and insurers were in their understanding of the tools and solutions to measure and manage cyber risk. The vast majority, 71% of respondents, felt they needed to learn more about the tools and solutions available to measure and manage cyber risk.
A second InsTech poll in late 2022 focused on identifying the greatest opportunities for new tools to support cyber underwriting. This poll highlighted a lack of data and risk management solutions. 34% of respondents saw cyber risk scoring as their greatest opportunity. It is likely for more niche lines, such as SME risk, that the challenge is even greater.
Due to a lack of adequate underwriting data and risk management solutions insurers have resorted to introducing exclusions and using limiting terms and conditions. For example, from March 2023 the Lloyd’s of London marketplace plans to exclude losses arising from state-backed cyber attacks in its cyber insurance policies. This is not surprising as such attacks on businesses have increasingly led to significant losses as they are much harder to model. Unit 42, a cyber security consultancy, found that the average ransomware payment increased by 82% from 2020 to 2021, now costing $570,000 USD on average.
Insurers have also chosen to raise rates and entry levels for policies to avoid these costly claims. A recent CEO survey conducted by PwC found that 66% of insurance CEOs are “extremely concerned” about cyber threats. As a result, insurers have begun to require applicant policyholders to demonstrate security controls such as advanced endpoint detection and response (EDR) protection, network segmentation and multifactor authentication. These changes mean that SMEs face a barrier to entry into cyber insurance as they can often lack the technical expertise to implement necessary security measures and cannot afford to pay for external consultants to introduce them.
Consequently, SMEs may find themselves making the choice between paying for inadequate cyber coverage and saving money. Businesses often opt to save money instead of taking out potentially inadequate coverage, with a GlobalData survey in 2021 finding that 29% of SMEs cancelled their cyber insurance policies to cut costs.
Improving risk data reduces the protection gap
Technology and data analytics companies are stepping in to support insurers in closing the protection gap and increasing SME cyber risk coverage by enabling more data-driven underwriting and improved risk quantification.
The simplest way to measure and monitor cyber risk is the cyber risk score, which has grown in popularity due to its ease of understanding for both policyholders and insurers. Companies such as CyberCube provide cyber risk intelligence, analytics and modelling to (re)insurers and brokers to solve the issue of insufficient data within cyber threat analysis. The company has developed ‘Account Manager’ which scans internal and external security data, historical losses and other sources, using proprietary analytics methods to produce a cyber risk profile. As part of profiling a company’s risk, CyberCube produces two cyber risk scores. These quantify a company’s security and exposure vulnerabilities and can be used by underwriters to assess the insurability of a company. These risk profiles can be integrated into underwriters’ workflow via an API.
Cowbell Cyber, an MGA, also offers cyber coverage to SMEs and uses a risk-scoring methodology to create tailored coverage for its policyholders. The MGA uses Cowbell Factors as a risk quantification and benchmarking tool for its potential policyholders. Cowbell Cyber scans various network vulnerabilities such as cloud security, third-party risk and EDR to produce a cyber risk score for policyholders to select appropriate coverage which matches insurable security threats. Other businesses, such as Capgemini, a consulting company, offer these services to insurers at the point of risk selection. The company evaluates historical breaches associated with the potential policyholder to produce a risk score. This risk score is used by insurers to select the appropriate coverage for the business. Policyholders receiving scores from Capgemini are also provided with recommendations to improve their cyber risk score if they are unable to meet insurers’ requirements for coverage.
Whilst there are inconsistencies between what risk factors are measured and how risk scores are calculated, the data provides insurers with an improved quantitative understanding of SMEs cyber risks. Underwriters can use this data to tailor policies, including exclusions and terms and conditions, that are suited to an SME’s needs as well as the insurer’s risk appetite. MGAs and insurers have started to use this improved risk data to create accurately priced cyber insurance products for SMEs. Pen Underwriting has made SME cyber insurance available on its broker portal whilst large insurers such as AIG, HDI Global and Travelers have begun to offer cyber packages for their SME policyholders. Some businesses have created policies for even smaller businesses. Slice, an MGA has created a pay-as-you-go product for very small enterprises (VSEs) and the self-employed.
Risk scores also give SMEs an overview of their cybersecurity vulnerabilities, enabling them to address these risks and reduce their premiums over time. These scores, therefore, have the potential to reduce the number of SMEs cancelling their policies to reduce costs, especially as underwriters bring in risk quantification from both in-house and external sources of expertise. The more accurately a risk is quantified, the more tailored policies and risk mitigation strategies become which supports the gradual lowering of insurance premiums for SME policyholders.
Continuous cyber risk monitoring increases the quality of SME cyber protection
However, it is not enough to engage with cyber risk data at the point of underwriting. Cyber risk is continuously evolving with new threat actors and forms of attack developing. An example of this is the recent surge in ransomware attacks, as noted in Munich Re’s 2022 survey of over 7,000 participants which highlighted that the proportion of ransomware attacks across all sizes of business has increased by 7% since 2021. The most common route of entry for a ransomware attack is a phishing attempt. CFC Underwriting’s report in July 2022 on ransomware detailed that ransomware hackers were using a phishing email to trick victims into phoning a call centre. Victims were instructed to download software that infected their computers and led to undetected ransomware attacks. SMEs are particularly vulnerable to these forms of attack as teams rarely have an in-house cyber analyst or forensic specialist to monitor threats and educate employees on the risks associated with phishing.
MGAs have responded to this need by offering cyber risk mitigation services. Cowbell Cyber and Coalition can monitor policyholders’ cyber risk and alert customers of potential data breaches. These MGAs are also taking proactive measures to alter policies in real-time to suit the businesses’ changing requirements in relation to new cyber threats.
Insurers are also providing policyholders with cyber risk mitigation tools. Chubb, which according to Insuramore wrote 9.29% of global cyber insurance gross direct premiums in 2021, is offering its policyholders a free cyber alert mobile app. This app identifies cyber incidents and provides information on those affected, such as customer names and locations. Policyholders can also access an incident history report to inform response efforts.
However, it is not possible for all insurers and MGAs to develop risk mitigation tools in-house. Insurers and other MGAs are beginning to collaborate with data analytics companies to develop tools to monitor and respond to cyber threats. Companies such as Quod Orbis, a cyber security consultancy and data provider, offer a continuous controls monitoring (CCM) service to insurer clients. The CCM service can be integrated into insurers’ internal monitoring systems to provide real-time alerts on risk exposures.
Blink Parametric has also developed a similar system, OWLDetect, which scans the dark web and a global data source to detect personal data breaches. As of September 2019, OWLDetect’s data source had over 20 billion identity attributes, 6 billion clear text passwords and 30,000 large, unknown and accidental breach corpuses (machine-readable texts which can be searched). This product has been developed to detect a breach as soon as possible, especially if it is leaked to the dark web or being traded illegally. OWLDetect provides a clear step-by-step risk mitigation action path for the client promptly so as to increase the chance of mitigating any personal, employee, or financial loss occurring to the SME customer or employee. Clients also use OWLDetect as a post-breach mitigation tool to manage end customers’ confidence and general liability for all parties subject to a breach. The product is currently embedded within over one million insurance policies, internationally.
Other service providers are opting to rebuild cybersecurity for SMEs and offer strategy services. KPMG’s approach is to offer clients cyber transformation programmes to provide them with an improved cybersecurity posture. Transformation services include architecture and operations management and cloud-security programming.
From risk monitoring to attack remediation
Threat detection alerts notify SMEs of attacks but cannot stop them from occurring. Due to limited resources SMEs often face an education gap, which could increase the chances of a breach. Additionally, a lack of cyber security specialists’ presence within SME businesses means that even if threats are detected, they cannot be remediated quickly and effectively. Insurers, with help from partners outside of insurance, are responding to the need for attack response services through a mixture of increasing awareness through education and providing incident response services.
Capgemini is offering its insurer clients an incident management program which includes network forensic services, malware analysis and incident timeline investigation following an attack event on a policyholder.
Insurers are also addressing this need with Brit Insurance offering its SME members advisory, data recovery and attack remediation services. Policyholders can access Brit’s Data Safe portal which provides advice and information on evolving cyber risk and have access to security experts as well as sample plans and procedures to prepare for the event of an attack. If an attack occurs, policyholders have access to a 24/7 breach reporting hotline or use Brit’s app to notify the insurer. Once an attack occurs, policyholders have access to legal counsel and crisis management experts to navigate the aftermath of an attack. Likewise, Beazley has developed a Beazley Breach Response (BBR), a response management service for its policyholders. Both first- and third-party incidents are covered with policyholders having to access services across various industries including legal, forensic and public relations experts.
MGAs are also offering attacking remediation services. Coalition is providing an in-house incident response team made up of forensic specialists and security engineers to recover data following ransomware incidents. Boxx Insurance is another cyber MGA that provides insurance to individuals and SMEs. Boxx Insurance’s cyber offering for businesses includes an online learning course for employees to undertake which provides material on the latest cyber trends. The MGA is also offering targeted phishing simulation tests for employees to recognise and respond to these types of events. This service in particular is helping to close not only the protection gap, but also the education gap within cybersecurity awareness for SMEs. These businesses are learning to manage and mitigate cyber risk with the help of their insurance provider.
In 2021 Marsh took steps towards cross-industry collaboration, by launching its Cyber Incident Management service (CIM). The CIM service brings together forensic, cyber extortion, data recovery and other specialists to support clients in the event of an attack. Bringing experts together across various industries has facilitated a complete cyber insurance and security package which quantifies, manages and responds to cyber threats.
InsTech is continuing to explore emerging trends in cyber insurance. In November, we hosted a members’ dinner, sponsored by Mastercard, exploring the Data Operational Resilience Act. In 2023 InsTech will expand its cyber activities to include live events and further written content. If you would like to be involved in these future activities please reach out to Tara@instech.co. For more information about upcoming articles, reports and events subscribe to InsTech’s weekly newsletter by using this link.