Insurers, You Underwrite Cyber Risk. But How Good Is Your Own Cyber Security?
A new report by Black Kite, a provider of third-party cyber risk intelligence, analyzed the top 99 insurance carriers in the U.S. as part of a survey of the current cyber insurance landscape.
Among the top findings are that 18% of the insurance companies analyzed are above a critical threshold of ransomware susceptibility; 82% of the largest insurance carriers are susceptible to phishing attacks; and software vendors are the most common source of supply chain attacks, accounting for 25% of all third-party incidents in 2021.
Black Kite gives roughly 26% of insurers an “A” grade for their cyber posture, but the remaining 73% are three times more likely to experience a cyber breach.
“There’s a very wide range in cybersecurity capabilities and maturity in the industry,” said Jeffrey Wheatman, senior VP and cyber risk evangelist at Black Kite.
“Insurance and financial services are two industries in particular where risk management is a core of what they do. And for a long time, we made a lot of assumptions that they were also doing a great job managing technology and cyber risk. The report shows that while broadly speaking, that’s true, it’s not true enough.”
Looking Deeper at the Study’s Findings
Wheatman cited the widespread vulnerability to phishing attacks as one of the report’s more unexpected findings.
“I was a little surprised that so many of these folks were susceptible to phishing,” said Wheatman, although he conceded that maybe he shouldn’t have been.
“These attackers have gotten so good. There are no spelling errors, no bad grammar, no fuzzy graphics. They’re able to fake addresses. There’s only so much you can do. That 82% [are] susceptible to phishing seems scary to me, but maybe not that surprising.”
As insurance is by nature data-intense, managing that data is critical.
“Insurance feeds so much data into other verticals, data management and data governance and information governance are super, super important about making sure where the data is, it’s protected, making sure you are getting rid of it when it is no longer useful. At some point data actually has negative value.”
Fortunately, Wheatman sees a growing awareness of that negative value.
“You’ve got to pay to store the data. You’ve got to pay to back the data up. And the more versions of data you have, where’s the authoritative source? In an industry that is so data driven, you cannot afford to have data that purports to be the same data that actually reports different information,” Wheatman said.
“Increasingly organizations are aware of the value of their data. And the flip side of the value is the risk.”
Outdated technology is another source of risk.
“There tends to be a lot of legacy technology,” said Wheatman. “There are systems that were built 20, 30, 40, or more years ago.”
And remedying that can be a monumental undertaking.
“I refer to myself as a professional paranoid, and yet I still can’t go to a client and say, ‘You know what? You’ve got to gut that at a cost of $300 million because you can’t patch it anymore.’”
Looking to third-party vendors presents other risks. According to the report, three-quarters of third-party vendors do not meet the insurance requirements established by the companies that hire them, often due to unattainable requirements and high premiums.
“Ten years ago, vendor risk management was quite simple: Is legal okay with the contract and does finance think they’ll be in business until the contract is done? And if you said yes to those, you signed it. Well, now there’s an increasing awareness that the cybersecurity posture of our ecosystem is an exposure.”
And the threats from such exposures can be greater than they seem.
“Even though the initial trigger impact of a cyber incident may be small, they cascade. So that critical system, we now can’t send invoices out. So we can’t bill, which means we don’t have money coming in, which means we can’t pay our bills. Why? Because one system got hit with ransomware and we lost access for 12 hours. The effects of cascading are not super well-understood right now.”
What Happens When a Company Faces Loss
Understanding how those losses can ripple out is critical.
“The first step is understanding what your risk exposures are, looking at things like cascading risk and concentration risk,” Wheatman said.
“Cascading is if you’re in the center of your ecosystem and you use a software company and they use another one, and they use another one, and they use another one, you inherit risk all through that cascading line,” Wheatman said.
“The other perspective is around concentration risk, which is, even if you decide as an organization to not put more than half of your business-critical systems in one service provider, what if your partners don’t do that? What if … all of them are using the same software, this same cloud provider? If that provider goes down, you now get hit with all this sort of concentration risk.”
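The two perspectives Wheatman describes, cascading risk (inheriting exposure down a chain of suppliers) and concentration risk (many of your partners quietly relying on the same provider), can be made concrete with a walk over a vendor dependency graph. The Python below is an added illustration, not code from Black Kite, the report, or the article; the vendor names, the “cloud-A/B/C” providers and the dependency edges are constructed for the example.

```python
"""Cascading and concentration risk over a constructed vendor dependency graph.

Added example, not from the Black Kite report or the article. Every name and
edge in DEPENDENCIES is constructed for illustration.
"""
from collections import deque

# Constructed dependency map: each key depends directly on the listed entries.
# "us" is the insurer sitting at the centre of its own ecosystem.
DEPENDENCIES = {
    "us": ["claims-platform", "billing-saas", "payroll-vendor", "email-gateway"],
    "claims-platform": ["analytics-vendor", "cloud-A"],
    "billing-saas": ["cloud-A", "payments-processor"],
    "payroll-vendor": ["cloud-B"],
    "email-gateway": ["cloud-A"],
    "analytics-vendor": ["cloud-A"],
    "payments-processor": ["cloud-C"],
    "cloud-A": [],
    "cloud-B": [],
    "cloud-C": [],
}


def transitive_dependencies(graph, node):
    """Everything `node` depends on, directly or through its suppliers' suppliers.

    This is the "cascading line": a breadth-first walk of the supplier graph.
    The `seen` set also makes the walk safe if two vendors depend on each other.
    """
    seen = set()
    queue = deque(graph.get(node, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def concentration(graph, root):
    """Count, for each upstream entity, how many of root's direct suppliers
    depend on it (transitively). A high count means one outage takes several
    of root's business-critical systems down at the same time."""
    counts = {}
    for direct in graph.get(root, []):
        for upstream in transitive_dependencies(graph, direct) | {direct}:
            counts[upstream] = counts.get(upstream, 0) + 1
    return counts


def single_points_of_failure(graph, root, threshold=0.5):
    """Upstream entities whose failure would hit more than `threshold` of
    root's direct suppliers, mapped to that share (e.g. 0.75)."""
    directs = graph.get(root, [])
    if not directs:
        return {}
    result = {}
    for name, n in concentration(graph, root).items():
        share = n / len(directs)
        if share > threshold:
            result[name] = share
    return result


if __name__ == "__main__":
    print("cascading exposure of 'us':", sorted(transitive_dependencies(DEPENDENCIES, "us")))
    print("concentration counts:", concentration(DEPENDENCIES, "us"))
    print("single points of failure:", single_points_of_failure(DEPENDENCIES, "us"))
```

In the constructed graph, “us” only contracts with cloud-A once (through the email gateway), but the claims platform and the billing SaaS both land on cloud-A via their own suppliers, so a cloud-A outage affects three of four critical systems even though the insurer never chose to concentrate there. That is the question the check answers: not “which provider did we pick?” but “which provider did our ecosystem pick for us?”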
And according to Wheatman, insurers are increasingly unwilling to pay for such losses.
“Premiums are going up and payouts are going down,” Wheatman said. “Insurance companies are finding, in many cases, very valid reasons not to pay claims.”
He cites as an example a case currently being litigated in which a ransomware claim was denied by the insurer, who argued that the attack was state-sponsored and therefore force majeure.
“If the insurance companies are saying, ‘Well, we’re not going to pay anything because it’s state-sponsored,’ that’s going to turn the market on its ear,” Wheatman said.
Facing Cyber Head On
So, how can companies minimize such risks?
“It’s the same as any other enterprise-wide risk,” said Wheatman.
“You go to the board or the C-level, and you show them a heat map or risk register, whatever vector, and you make sure they understand what those risks are, how potentially impactful it would be to business outcomes,” Wheatman said.
“And then we make decisions about how to balance the way we invest. The challenge there is because cybersecurity as a discipline is less mature than a lot of other disciplines, we struggle a lot with having those conversations. How much is too much risk? Well, nobody really knows the answer to that.”
But, he added, “At the end of the day, any risk management decision is an executive-level decision and the CISOs should not be the ones that are making these decisions. It has to be a business discussion.”
Wheatman sees more and more of that level of involvement, and he sees it having a positive impact.
“They’re starting to ask better questions about where those exposures are and what people are doing to mitigate or write those risks off,” said Wheatman. “I think in five years we will see a very, very different data point than we saw in this report. Maybe even sooner.”
And while the findings contained in the report are sobering, things could be worse.
“Insurance tends to be one of the better verticals,” said Wheatman. “Insurance, financial services, IT providers, tend to be pretty good. Is it alarming? Maybe a little bit, but I don’t think it’s horrendous.”
There is still work to be done to bring the insurance industry’s cybersecurity up to where it should be, but Wheatman sees an upside.
“It’s a great opportunity to actually lead the charge and be better netizens, to help educate people about what ‘good’ looks like and give them something to aspire to.”