Why a Carrot Beats a Stick in Cybersecurity Breach Insurance
Author: Zach Atya
Director of Insurance at Measured Analytics and Insurance
Zach is on a mission to fix what he sees as shortcomings in the industry. Through sober-minded cyber risk analysis, data insights, and multisectoral partnerships, we can work together to protect the most important (and vulnerable) part of our economies, small and midsized businesses.
Just look at the headlines today and it’s plain to see: more and more companies of all sizes are getting breached… more frequently and with greater magnitude.
While there are a variety of attacks out there, the most acute and growing threat is ransomware which can cripple a business or even put it under. Consequently, many companies are now beginning to carry cyber insurance.
Cyber insurance (also known as cyber liability insurance or breach insurance) can provide some peace of mind in the event of a breach… assuming you can get it.
The reality is that it’s becoming harder for SMBs to get breach insurance. Many insurance providers are taking a punitive “stick” approach and insisting that companies have massively robust cybersecurity systems in place to qualify for insurance. Between having to purchase additional sets of security tools and increasing rates across the market as a whole, the barrier to acquiring and maintaining cyber insurance has never been higher.
As our partner, ActZero, pointed out in their recent cybersecurity predictions for 2022, breach insurance is increasingly “a luxury for the rich” — an option only for companies with deep pockets.
The companies hit hardest by these hurdles to cyber insurance are the small and medium-sized businesses (SMBs), who are being hung out to dry by the insurance industry.
SMBs are the target of 43% of all cyberattacks, up from just 18% a few years ago. As larger businesses throw resources at cybersecurity, SMBs — which often can’t afford cybersecurity software priced in the tens of thousands of dollars — present soft targets for hackers.
Having hardened systems is better for everyone, and everyone wants them. But what are SMBs supposed to do?
The insurance industry’s STICK approach
The insurance industry’s traditional approach, what we call the “stick” approach, is little more than a knee-jerk reaction to offload risk. Incumbent insurers are not renewing current clients, particularly in light of the pandemic, or they’re jacking up rates.
Premiums nearly doubled in the United States from 2020 to 2021 as ransomware frequency and severity exploded during the pandemic, with rates jumping 73% in certain geographies during the same period. In some extreme cases, rates for some policies have risen by as much as 300%.
This “stick” approach is especially punitive towards clients seeking new coverage or seeking coverage for the first time. Applicants are denied coverage based on a range of cybersecurity criteria, many of which are especially difficult for SMBs to afford or implement, such as:
- Privileged access management and/or MFA
- Incident Response / 24/7 SOC
- Full Backup / DR capabilities
Faced with this reality, what choice should an SMB make about its limited resources? Pay to harden systems or pay exorbitant rates for cyber insurance? The insurance industry’s “stick” approach leaves SMBs stuck between a rock and a hard place, forced to make a bad choice or not given one at all.
And given today’s threat landscape, going uninsured is an unenviable option.
An alternative: the CARROT approach
Rather than a punitive “stick” method, we think that a “carrot” approach would be more helpful.
A “carrot” approach incentivizes and rewards businesses that lower risk and keeps insurance affordable, building bridges between cybersecurity and cyber insurance. This “carrot” method recognizes that, fundamentally, both cybersecurity and cyber insurance share the goal of threat mitigation.
Measures that help SMBs lower their risk profile are precisely the kind of “carrot” that will keep breach insurance affordable and available to all. These measures include proactive steps like vulnerability remediation, security awareness training, and system configuration and hardening.
Taking such steps in-house doesn’t necessarily make them affordable, but instead of punishing the SMB segment and forcing companies into impossible trade-offs (check out our whitepaper for more on the opportunity cost of making ‘impossible’ cybersecurity trade-offs), these measures could function as elements of a partnership between insurers and the businesses they insure.
Instead of ultimatums, a better approach dangles a carrot. If insurance companies provide resources and direction to SMBs, as we strive to do at Measured, they can democratize cybersecurity solutions and offer cyber insurance that is within reach of SMBs.
What a partnership approach could look like
To demonstrate, let’s imagine a partnership use case:
An organization might not be insurable if it doesn’t have endpoint detection and response (EDR). Rather than slamming the door shut on this SMB, however, the insurer could help it become insurable by addressing the security gaps that hold it back.
For example, the insurer could propose that the SMB work with a cybersecurity company to get Managed Detection and Response (MDR), which encompasses EDR, and offer the SMB better premiums for making such security enhancements.
The industry wouldn’t universally adopt the “stick” approach if viable options such as the “carrot” were more widely available.
That’s why ActZero and Measured Insurance are breaking new ground with this “carrot” approach — combining services that focus specifically on the SMB.
This innovative, synergistic partnership is rooted in machine learning and AI, leveraging them to perform risk analysis, identify emerging security threats, and democratize access to enterprise-grade cybersecurity and cyber insurance solutions for this underserved segment.
SMB clients benefit from both increased security effectiveness and financial savings. Read our press release for full details on the partnership between ActZero and Measured Insurance.
Insurers talk about being in partnership with the companies they insure, but the punitive “stick” method that is so often the reality in the industry doesn’t sound like a partnership to us.
That’s why we’re all-in on the “carrot” method described above. This approach builds a trusted and mutually beneficial partnership that draws on pre-existing synergies and takes SMBs from uninsurable to very insurable — and from low defensive capabilities to hardened systems and sound practices.
For us, the “carrot” method assists and rewards both parties over time for evolving their cybersecurity programs.
To learn more about the evolving cyber insurance situation and the rest of our cybersecurity predictions for 2022, download our white paper here.