Risk Management Regulations Set to Hit the Cyber Market
Cyber risk is a perpetual challenge, much discussed in the media, as it continues to grow in complexity, scale, and frequency.
Catastrophic losses suffered through cyberattacks are increasing the demand for transparency of risk in order to sustain the cyber insurance market.
This article explores concerns from the perspective of cyber carriers and seeks to identify:
Whether minimum risk management regulations are in the pipeline to address systemic risk across the cyber market.
The NCSC’s proposed security standard to which cyber insurance policies are expected to be underwritten.
Whether these controls go far enough to meet the market's need for accurate risk modelling and loss reduction.
Rapid digitalisation and increased connectivity over the last couple of years have added pressure on businesses for more stringent cybersecurity controls, and whilst those controls remain lacking, the insurance market carries the burden of systemic risk, heightened by the Russia-Ukraine war. However, these uncertainties can be tackled at the root, by modelling outcomes from accurate loss probabilities that underwriters can rely on. This conundrum sparked changes to cyber coverage: the transition to standalone cyber policies, the Lloyd's Market Association (LMA) Cyber War Exclusions, and more recently, Lloyd’s demand for syndicates to act on state-backed cyberattacks.
This latest bulletin hit the cyber market this summer, calling for additional restrictions and asking insurers to exclude nation-backed hacks.
All cyber carriers selling through the Lloyd's platform must rewrite their policies from March 2023 to include a clause that excludes losses from cyberattacks sponsored by government entities. The notice seeks to ensure “that all syndicates writing in this class are doing so at an appropriate standard, with robust wordings”. The August bulletin applies in addition to the four cyber war exclusions outlined by the LMA last December; those exclusions remove the burden on insurers to prove that an attack is state-sponsored before an exclusion is triggered. Lloyd’s does not require an unconditional exclusion for state-backed cyberattacks; rather, the bulletin (point 2) specifies that the exclusion applies when these attacks are clearly state-on-state and inflict as much harm as a physical act of war. At the time of writing, the latest attack by Iran-backed hackers on Albanian government services would serve as a perfect example of where such an exclusion would apply.
Although Lloyd’s is clearly taking steps to reduce the probability of loss, many cyber carriers may be opposed to these restrictions while they strive to grow their business after the extraordinary rate increases of 2021 and the first half of 2022. Insurers with a larger presence are more likely to welcome these exclusions, narrowing their coverage to avoid catastrophic losses. However, is it enough to simply limit loss probabilities by excluding likely scenarios? Will additional exclusions lead to buyer uncertainty and the belief that their policies will not adequately protect them? If cyber policies are perceived as having no value, will the market see reduced renewals and take-up?
An industry-wide approach to risk modelling
The 2021 Cyber Insurance and the Cyber Security Challenge report by the Royal United Services Institute (RUSI) sought to address systemic risk at its root, calling for an industry-wide approach by insurers to establish accurately the level of cyber maturity and hygiene of their policyholders.
Although there is a clear market need for cyber insurance policies to be underwritten to standardised security requirements, they must apply industry-wide, not just to certain syndicates. A uniform change is essential to avoid another race to the bottom, where underwriters insisting on more stringent conditions and cyber hygiene are undercut by competitors offering coverage without such assessment.
Although insurers have expressed warmth toward minimum cybersecurity standards, there are regulatory concerns over competition, and questions around how adequate levels of security and the most effective best practice will be defined. Will the chosen minimum standard be enough to increase secure behaviours and practices to a level that adequately informs insurers of cyber risk? Or will policyholders simply tick the box as a matter of compliance, and then suffer the results of its failings? When addressing concerns over the risks posed by ransomware in particular, the report issued the following recommendation:
The insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on threat intelligence and insurers’ claims data. Insurance carriers should require these controls to be implemented as part of any ransomware coverage. These controls should include:
Timely patching of critical vulnerabilities in external-facing IT infrastructure.
Enabling multifactor authentication on remote-access services (such as remote desktop protocol instances).
Limiting lateral movement by adopting network segmentation measures.
Implementing procedures to ensure regular backups are created.
These recommendations are, without a doubt, essential to organisational risk management; however, they could be considered to conflict with guidance drawn upon earlier in the report, which states that “all insurers use Cyber Essentials as an existing baseline for assessing SMEs”.
The problem is that Cyber Essentials is simply a pass-or-fail self-assessment. It doesn’t involve auditing to ensure improvements are made in the right direction or that mitigation strategies are implemented.
You either meet the criteria, or you don’t. Recognising the framework's shortcomings, the report goes on to say, “Although Cyber Essentials is sometimes criticised for being too basic, its simplicity is what makes it the best option for the UK. The controls required as part of Cyber Essentials would represent a minimum on top of which insurers can recommend additional controls or risk frameworks based on claims data or changes in the threat landscape".
However, organisations (particularly SMEs) still lack awareness of their vulnerability to cyber risks, with many allocating few resources to cybersecurity and training. Given the choice, it is easy to see how businesses could opt for the path of least resistance. With the current economic challenges posed by soaring inflation, post-Brexit labour and supply shortages, and post-pandemic debt and losses, how likely is it that businesses will implement controls in addition to baseline requirements, and therefore improve their cyber risk management maturity to a level that makes them insurable?
Furthermore, having to ‘layer on’ additional controls is not straightforward and may require additional assessment, thus negating the simplicity of the Cyber Essentials approach that RUSI recommends.
Minimum standards adversaries
The idea of adopting minimum standards is not new to the market, although it seems that without additional pressure, it is unlikely to be embraced.
Government procurement rules require organisations that process personal and sensitive data to hold a Cyber Essentials certificate, and as the government-favoured standard, it looks likely to become the regulated standard across the cyber insurance market, although this is yet to be confirmed by the NCSC. Further hinting at this, the Cabinet Office updated its National Cyber Strategy earlier this year and, as part of its resilience procedure, plans to increase its support of market influencers (procurers, financial institutions, investors, auditors, and insurers) by incentivising good cyber security practices across the economy. The strategy proposes improvements to corporate reporting of resilience to risks, and states “we will continue to promote the take-up of accreditations and standards such as the Cyber Essentials certification scheme”.
In discussing accountability of cyber risk, the 2022 cyber security incentives and regulation review published in January this year states, “the use of new and existing technology will be underpinned by targeted effective regulation to ensure the implementation of appropriate cyber resilience measures by those who have the greatest responsibility to protect organisations, individuals and vital sectors from disruptive and harmful cyberattacks”. It then claims, “the government will work with market influencers, including insurers and procurement professionals, to ensure that awareness of cyber risk, and awareness of relevant advice and guidance, is embedded across different sectors”.
Undoubtedly, the improved quality of cybersecurity risk data will soon be a mandatory component for all stakeholders in the insurance process. (Re)insurers and brokers will require assurance of Cyber Risk Management Maturity (CRMM) and verification to a minimum standard. If the standard is to be the Cyber Essentials certification, will this still leave policyholders vulnerable to cyberthreat at a level that is unacceptable to insurers?
From our observations in responding to hundreds of incidents through cyber insurance claims over the last two years, the current cyber incident pandemic is largely caused by threat actors taking advantage of four key vulnerabilities:
1. Poorly written and vulnerable software, enabling attackers to exploit weak or unpatched systems.
2. Poorly configured systems, where security mechanisms are not implemented to prevent unauthorised access.
3. Poorly trained staff, who are easily deceived by attackers using their victim’s access and/or implicit trustworthiness to commit fraud and steal data.
4. Lack of corporate governance and strategy on cyber risk (key review areas for effective cyber risk management include responsibilities, asset awareness, IT budget, payment controls, IT staff count ratio, cyber skills and awareness, and technology versions).
The question is, will the Cyber Essentials (CE) framework provide adequate cybersecurity risk data to safeguard both the insurer and the policyholder?
Does the government standard provide assurance of effective technical and cultural cybersecurity controls? If the answer to these questions is either no or maybe, then the solution as it currently stands does not deliver simplicity, but rather becomes unnecessarily complex. The chosen standard should be a single, comprehensive, and adequate assessment, not CE with the addition of other reviews to remedy its shortcomings.
Technically, CE is a good first rung of the ladder, examining IT security controls and objectives, and whether minimum controls are in place to be acceptably secure.
The assessment evaluates whether an organisation meets firewall, configuration, user access, malware, and security update management controls. However, it is not designed to estimate how vulnerable you are to attack in the way a risk-based assessment would. There are five concerns that must be addressed if CE were to be considered the minimum cyber risk management standard across the cyber market:
1. CE has a very specific focus. It is not broad enough to cover points 3 and 4 outlined above, which leaves compliant organisations somewhat vulnerable to attack.
Staff training (point 3): CE is designed to look at technical controls. It does not assess cultural cybersecurity (training, attack scenarios, etc.).
Corporate governance and cyber risk strategy (point 4): CE only lightly addresses governance in relation to the aforementioned controls. No consideration is given to information, its sensitivity, or its location. It does not address security spend or resourcing.
2. CE is predominantly a machine-based self-assessment, with guidance supported by documentation and online help (pop-ups) in place of the human element. It is left to the individual, who may provide inaccurate responses and neglect to involve essential executives and departments when gathering critical data.
3. The assessment lacks auditing to ensure improvements are made in the right direction and mitigation strategies are implemented. You either meet the criteria, or you don’t.
4. The NCSC will need to address complications with competition and regulatory law.
5. CE does not analyse the client’s internet presence, pinpointing the online vulnerabilities an attacker may actively seek out.
According to The Council of Insurance Agents & Brokers, as part of an initiative to cement the UK’s position as a global leader in cyber insurance, the government requires brokers to include CE accreditation as part of their risk assessment for small and mid-sized businesses. However, this initiative dates back to 2015, and with little movement thus far, the market's resistance could be due to the aforementioned complications over competition law. Likewise, given CE's reputation as a basic-level assessment, the contention may lie in a lack of trust in the framework and an expectation by underwriters that further assessment will be needed in any case.
There’s no doubt over the market's need (and desire) for a uniform approach to cyber risk modelling and consistent underwriting; it simply comes down to having the resources to access reliable policyholder data and accurately quantify client exposure.
An alternative approach
Offering an alternative solution, the Cyber3 Rapid Risk Review has been formulated specifically for cyber insurance markets and tailored to the demands of the (re)insurer/broker, navigating the process of transparent coverage and accurate risk quantification.
Alleviating the problematic back-and-forth of ‘prop form tennis’ (proposal forms passed repeatedly between broker and client), the assessment incorporates the questions asked by leading insurance underwriters, obtaining vital information and generating proposal forms. The framework was designed to cut out the complexity, bypassing delays as information is gathered from the client's IT and Finance departments and the board of directors.
Measuring Cyber Risk Management Maturity (CRMM), Cyber3 provides an understanding of attack methods and the principal vulnerabilities cybercriminals look for. Giving a complete overview of an organisation's people, processes, technology, vendors, and data assets, the assessment indicates how these controls can be compromised, using high-level attack scenarios and demonstrating critical defence strategies. The Cyber3 portal for assessed clients, brokers, and underwriters presents the organisation's cyber hygiene in relation to its approach to implementing these controls, with findings and recommendations aligned to each CRMM metric.
The interactive assessment includes all the CE control areas and is delivered by an experienced cybersecurity specialist who provides guidance from start to finish, ensuring all essential department heads are in attendance during the review. An action plan is provided with prioritised remediation strategies for practical improvements in cyber risk reduction, inspiring confidence, empowering executives, and delivering assurance. Results are geared towards assisting clients, giving practical and empathetic advice, enabling them to manage cyber risk effectively, and ensuring that if the worst does happen, losses are minimised.
Information sharing between insureds and insurers is central to the issue around accurate cyber risk modelling and loss probabilities.
Missing information and client data can be directly attributed to the lack of involvement from relevant personnel, as those engaging with underwriters often do not have oversight or understanding of their organisation's IT assets and processes. For larger clients, the organisation's IT department is often unaware of legacy IT infrastructure and third-party providers that create additional exposure to cyber risk. For these reasons, a self-assessed cybersecurity certification framework which is not adaptive and lacks essential guidance, governance, and the involvement of relevant personnel would surely not be suited to a class of insurance so heavily dependent on accurate data and loss probabilities.
If CE becomes the mandated minimum standard, is it realistic to expect that organisations will also pay the costs of an additional assessment? Will (re)insurers and brokers who require recommended controls in addition to CE find themselves undercut by competitors offering coverage without them? Although businesses are beginning to recognise the need for cyber insurance and the very real threat posed by cybercrime, their budgets are tied up in Covid debt, staff shortages, inflation, soaring energy costs, and supply chain issues. With CE as the only measure of client risk and loss probability, systemic risk is inevitable; the cyber market will be misinformed and risks poorly managed.
Another concern is that some may misunderstand that CE is simply a minimum standard and consider themselves suitably secure if they are compliant. Whilst this is not a failing of CE, it can become a problem if the true scope of CE is not adequately communicated, leading to a false sense of security.
Comparatively, Cyber3 is adaptive to each insured and determines a comprehensive picture of CRMM and how to improve it, regardless of organisation size, or technical and organisational complexity. It provides the cyber insurance market with an opportunity for actual risk quantification, and the benefit of a ‘one-stop’ process. The assessment is delivered by experts in the field of cyber risk, with an informed appreciation of the dynamics and affordability of risk management solutions within the market. And so, when it comes to applicability for cyber carriers, the assurance offered by Cyber3 surely calls into question how appropriate it would be to regulate CE as the standard cyber risk management solution.
The NCSC has been working alongside the DCMS and the insurance industry with a view to introducing minimum standards across the cyber insurance market, and although they have discussed Cyber Essentials, no agreement is in place yet. Conversations are on hold while the NCSC appoints a new cyber insurance lead, which it anticipates will happen in late October. Until then, we can only hope the outcome offers a solution capable of protecting the cyber market.