Cyber insurance and business risk: How the relationship is changing reinsurance and policy guidance
Just when we were getting ready for the holiday season, along came the security issues in Log4j. Security professionals across the world jumped into action to understand their risk levels, implement patches on any internal software, and deploy product versions from their suppliers that had been updated. This will continue this year, based on conversations with CISOs and security teams.
Behind the technical issues around the software supply chain and internal applications, there is also a business risk management element — for example, how a company manages risk to its operations using tools like cyber insurance to complement its security processes. In the event of a problem, cyber insurance should cover the costs to recover data, rebuild applications, and get operations running as normal again.
What Is the Role for Cyber Insurance Over Time?
Cyber insurance is a significant industry and growing fast — according to GlobalData, it was worth $7 billion in gross written premiums in 2020. The cyber-insurance market is expected to reach $20.6 billion by 2025. Over the past few years, the cyber-insurance market was competitive, so premiums were low and policies were comprehensive. Over the past year, that has changed — the volume of claims has gone up and led to more payouts, which affected the insurance companies’ profitability.
The Log4j issue will affect how insurance and reinsurance companies write their policies in future. Already, we’re seeing discussions about Log4j-related issues being excluded from reinsurance policies in 2022, as many policies came up for renewal on Dec. 31, 2021. This will affect the policies that insurance companies can offer to their customers.
What does this mean for IT security teams? For practitioners, it will make their work more important than before, as preventing possible issues will be more valuable to the business. Carrying out standard security practices like asset inventory and vulnerability management will be needed, while examining software bills of materials for those same issues will help on the software supply chain security side. These practices will also need to be highly automated, as businesses must be able to gain accurate insights within hours, not months, to deal with future threats while reducing the cost impact.
For those responsible for wider business risk, these developments around cyber insurance will present a more significant problem. Cyber-insurance policies will still be available — and necessary where needed — but the policies themselves will cover less ground. While the past few years had pretty wide-ranging policies that would pay out on a range of issues, future policies will deliver less coverage.
To read the complete article, visit Dark Reading.