Cyber has been one of the top risks that companies and organizations are dealing with and are exposed to for some time now. If this was already a trend over the last two years, there has recently been an exponential increase in both the frequency and the severity of cyber risks. There are several reasons for this increase, including the growth of digital transformation and the hyper-connectivity that comes with it, the Covid-19 pandemic and, finally, the incredible escalation of cyber-attacks, with the focus in recent times on ransomware attacks and on attacks against the digital supply chain and infrastructure.
The cyber threat is no longer just an emerging risk. It is now present, global and on its way to becoming systemic. In fact, it has a serious impact on all areas of society: citizens, families, and organizations, whether small, medium, or large. This is largely because organizations are now, more than ever, dependent on technology and information, and interconnected to extended digital ecosystems and digital supply chains (suppliers, partners, etc.) from which they benefit and of which they are part. This dependency creates vulnerabilities of extraordinarily wide scope and significantly increases the attack surface that cyber criminals exploit in an organized and structured way, causing disruption and maximizing both damage and illegitimate profit; gaining full control over that attack surface is impossible.

Despite this context, and despite the fact that those responsible for organizations' cyber security are more aware of these risks, investment in cyber risk management plans and insurance solutions has in general not kept pace. Our impression is that larger organizations have been increasing their investment in cybersecurity and cyber insurance as part of implementing cyber risk management strategies. This attitude towards cyber risk is not yet reflected in small and medium enterprises; in fact, cyber insurance penetration in this segment is still low, but we believe that this attitude is starting to change due to the rise of cyber threats.

This shift is crucial for all organizations. Their executives must take a strategic approach to cyber risk and address it at top management level. Given the impacts that a cyber incident can have, the consequent risks are not only a matter of IT, but of business continuity, legal exposure, people, values and reputation.
A company's cyber risk management necessarily includes transferring part of that risk to the insurance market, through cyber insurance, in order to increase resilience and ensure the continuity of operations and activities. We emphasize that cyber insurance does not replace or exclude security mechanisms and effective incident response plans; nor do these make insurance unnecessary or redundant. The two complement each other. It is already indisputable that most incidents result, for a variety of reasons and in a variety of forms, from human error (for example, the simple loss of a laptop or cell phone, or the careless download of a malicious file attached to a phishing email) and not only from problems in the security infrastructure.
What about the market?
With the escalation of cyber incidents, the insurance market took significant losses and saw its profitability margins shrink. It reacted by creating a particularly hard market, increasing its reliance on the reinsurance market to cover its own risk and capital. Indeed, the cyber insurance market is now more restricted, solutions are more difficult to construct than in previous years, and it is very likely that this trend will continue to worsen, especially for medium and large companies.

Pedro Pinhal, Technical & Claims Director at MDS

Insurers are now, to a degree with no comparison to the pre-2020 period, increasing the rigor and care of their risk analysis and underwriting: requesting a greater volume and detail of information through more exhaustive questionnaires; narrowing the scope of coverage, including a tightening of terms and conditions; reducing their capacity and risk appetite; increasing premiums; establishing sub-limits, especially for ransomware and extortion covers; and requiring best-practice risk mitigation controls from policyholders, such as MFA, securing RDP, backup practice, patch management, employee training, endpoint detection and response, and incident response planning. In a hard market, deep knowledge of the client's risk, the consultant's experience, expertise and technical creativity, and the consultant's network of relationships in the insurance and reinsurance market worldwide will be absolutely decisive factors in bridging the gap between supply and demand, between who wants to transfer the risk and who takes it on, and in building the best and most comprehensive solutions for the client.