How cyber insurance is shaping cybersecurity strategies

Business Security

Cyber insurance is not only a safety net, but it can also be a catalyst for advancing security practices and standards

Black Hat USA 2024: How cyber insurance is shaping cybersecurity strategies

If there was ever any doubt about the relationship between cybersecurity and the cyber insurance industry, then Black Hat USA 2024 dispelled it. A full afternoon on a main stage was dedicated to the cyber insurance industry, allowing them to share their perspectives on cybersecurity, the evolving threat landscape, and what this means for organizational cybersecurity.

What the future holds for business cybersecurity, according to cyber insurers

The cyber risk insurance ecosystem is changing, moving from human-based underwriting, annual policies, with dozens of inputs and physical forms to a machine-augmented, continuous monitoring of zillions of inputs, all in the digital realm. It’s digital transformation on steroids.

The presentations included several stats and trends: this is, after all, an industry that lives on data and numbers to calculate risk. A presenter from Coalition, a specialized cyber insurer, claimed that they have assisted insured policy holders in resolving 74,000 vulnerabilities, which resulted in a 64% reduction in claims.

Considering that the time to exploit a vulnerability once proof-of-concept is publicly disclosed (or even if a patch is available) may be as low as 22 minutes, reducing the risk from vulnerabilities is a significant win. This short timeframe makes testing a patch prior to deployment near impossible.

The takeaway on this stat is that the cyber insurer is making themselves the notifier of potential vulnerabilities to customers; however, as the insurer has in-depth knowledge on what companies run due to the insurance questionnaire and scans, then it’s not that shocking they are moving into this specific area.

A presenter from Tokio Marine explained that that cyber insurance market stagnated in 2023, with approximately $9.5 billion in premiums in both 2022 and 2023. A flat market may be the result of the transformation mentioned above. When applying for a policy, there is a significant amount of information on cybersecurity posture that companies need to share with the insurer. This could even be a barrier to entry.

The pre-insurance questionnaires and scanning give the insurer unique insights into the nuts and bolts of a company’s cybersecurity policies, as does any claim as the insurer already knows all the protection solutions in play. This mass of data about a cyberattack gives the insurance industry a unique data set – they can pinpoint the areas of concern and the exact details on the method of entry should a cybercriminal have breached the protection measures.

According to the presentations, there have been changes in the initial attack vectors over the past year: phishing remains the largest issue, but switching places in 2024 are attacks exploiting Remote Desktop Protocol (RDP) and virtual private networks (VPNs) without multi-factor authentication (MFA) enabled (RDP attacks sink to position 3).

The importance of MFA was a clear message across all the insurance-related presentations. In 2021, 70% of companies had not implemented MFA, in 2023 and 2024 this figure is approximately 45%. This is an easy win – if you have not switched on MFA, then make it a priority.

The “pay or not to pay” question

Another interesting data point is that a small decline in the number of companies paying an extortion demand when attacked by ransomware – it dropped to 34.4% in 2023 and further to 26.5% in 2024. This is actually at odds with data released by Coalition in their recent white paper where they report the number of those paying an extortion demand to be 40%. Regardless, the number of companies paying the demands is too high. Payments should only be a last resort, and it’s inconceivable that even 26.5% choose this last-resort option.

I am certain that money talks and that companies pay ransomware demands as it’s the easier option, and if this is a pure financial costs decision I can see the logic of paying, but it’s not that simple and those that don’t pay a demand should be proud of having moral and ethical standards.

Learn how cyber risk insurance and how cyber risk cover, combined with advanced cybersecurity solutions, can improve your chance of survival if, or when, a cyberattack occurs. Download our free white paper Prevent. Protect. Insure. here.