12-June-2024

Cyber insurance policies lag behind current realities

The terms and conditions of cyber insurance policies lag too far behind current realities, with hackers increasingly targeting data. That’s according to Dennis de Hoog, CEO of Computest Security. He highlighted this gap to attendees at the Claims Conference of the Dutch Association of Insurers last week.

Shift in targets

"Acceptance criteria used by insurers for cyber policies are outdated compared to the modus operandi of cybercriminals. Many criteria still focus on encrypting backups to prevent business continuity from being threatened in the event of a cyberattack," said De Hoog. This approach dates back to when cybercriminals would quickly try to encrypt a backup to extort companies.

However, he explains that the approach to cyberattacks has changed recently. De Hoog cited the example of the Ticketmaster hack, where hackers claimed to have obtained personal information of 560 million customers. The current goal is to steal as much data as quickly as possible and gradually publish parts of it on the dark web, he says.

Experiments with detection

"That's the extortion mechanism they use. By making privacy-sensitive data public, affected organizations are embarrassed, and it becomes clear that a successful hack has resulted in a data breach. This must be reported to the authorities and the affected consumers. When there is a threat of an even larger data breach, the willingness to pay ransom increases."

De Hoog notes that some insurers are already experimenting with measures against this, such as through detection. "There has been increasing attention to this in recent years. If you don't know you're being attacked, you're automatically too late and can't mitigate the damage."

Causes of the lag

According to De Hoog, the gap between the modus operandi of cybercriminals and the conditions used by insurers has a few causes. "A classic fire or theft risk is more static. Digital risks are much more dynamic. It's challenging for insurers to adapt to this."

De Hoog is familiar with the financial services sector. In the early days of cyber insurance, he was a risk advisor at Aon. He sees little evolution in the way cyber policies are structured. "It was virtually the same ten years ago. It's a sort of digital first-aid kit, including a legal expert, a forensic specialist, and a crisis communication expert. Meanwhile, the world has not stood still, so many (potential) customers have already taken action for themselves in these areas."

Additionally, companies increasingly need to demonstrate that their digital security is in order, notes De Hoog. "You show this by, among other things, having a cyber insurance policy, but somehow this doesn't resonate. All insurers and insurance brokers want to capture that large market share, but it hasn't happened in the past ten years."

'No longer attractive'

Although De Hoog understands that insurers need to make a risk assessment, he is critical of the market in recent years. "On one hand, it became more expensive to take out a policy, and on the other hand, there were all sorts of exclusions. You could add those coverages back into the policy for an additional fee. For many potential policyholders, it became no longer attractive, partly because they questioned what they were getting in return."

Last year, Computest Security managed to bring on board former Aon CEO Marc van Nuland as a strategic advisor. De Hoog frequently discusses the insurability of cyber risks with him. Together, they are trying to figure out why there is no massive demand for cyber insurance. "Is it too little known? Does it not sufficiently meet the need?" De Hoog wonders aloud.

New cyber insurance policies

"That's why we initiated discussions with insurers and brokers. This led to a lot of positive feedback," says De Hoog. They are looking at integrated solutions that ensure policyholders feel supported throughout the entire duration of the insurance policy.

Additionally, Computest Security's assistance aims to reduce the risk of an incident, for example through preventive measures. Currently, several projects are underway in which the company is developing new (variants of) cyber insurance policies in collaboration with insurers.

"Show that you are not only focusing on that first-aid kit during an incident but take a step forward in the security chain by starting with prevention and working on detection. That can be very helpful, as it means you are no longer offering a point solution for when things go wrong, but also making it less likely that things will go wrong," says De Hoog.
