In this article, I wanted to break down some of the trends in the Cyber Insurance market that I am seeing along with some predictions for 2023 and beyond. This is not a post I typically do but I have been fascinated by the rapid evolution we are seeing unfold so I wanted to share my thoughts. 

Industry Trends

Rapidly Evolving Market

A market research study by Mordor Intelligence estimated that the cybersecurity insurance market was $9.29 billion in 2021, and they expect it to reach $28.25 billion by 2027. One of the consequences of the increasing number of costly data breaches, ransomware attacks, and other security incidents is the rise in premiums for cyber security insurance. In Q2 of 2022, cyber insurance premiums increased by an average of 79% in the US compared with Q2 of the prior year. The reasons for the ongoing increases in cyber security insurance premiums are various, but I believe they can be summarized into two buckets. First, insurance companies are less willing to take on the risk of providing coverage. As an example, the chief executive of one of Europe’s biggest insurance companies, Zurich, has warned that cyber attacks, rather than natural catastrophes, will become “uninsurable” as the disruption from hacks continues to grow. Second, there is high demand for coverage due to increased awareness of the potential damage that cyber risks can cause to businesses of any size.

In addition to premium price increases, underwriters are attempting to mitigate the losses from cyber claims with much stricter underwriting requirements, including making cyber security controls such as multi-factor authentication or EDR solutions mandatory. Cybersecurity questionnaires are becoming longer and longer as underwriters struggle to better grasp the risks.

With all of these considerations, the market for cyber insurance is still at a very early stage. According to research conducted by Sedgwick: “Despite cybercrime being listed as one of the top concerns on the mind of SMBs, only around 15% stated that they had purchased specific cyber coverage so far”, making cyber insurance the single largest opportunity for growth among carriers, brokers and MGAs for the foreseeable future.

Increased Government Regulations

In 2022, we also saw the government starting to tighten the laws and regulations surrounding cybersecurity. With the introduction of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), critical infrastructure companies will have new strict requirements on reporting cybersecurity incidents. CIRCIA defines a Managed Service Provider (MSP) as part of the covered entities that would have to follow these reporting requirements. Additionally, the DoD is beginning to enforce NIST 800-171 and CMMC requirements more strictly for any defense contractor handling CUI (Controlled Unclassified Information). In 2022, the DoD released a memorandum to all its contracting officers reiterating that all defense contractors handling CUI must implement at a minimum the NIST SP 800-171 security requirements and have a Plan of Action & Milestones (POA&M) for each requirement not yet implemented. In 2023, we expect to see new CMMC certification requirements in new DoD contracts. Compliance with NIST 800-171 will no longer rely on self-attestation. Instead, contractors will have to undergo an audit by accredited C3PAOs (Certified Third Party Assessment Organizations).

More Tools, More Complexity

Cybersecurity revenue is expected to show an annual growth rate of 13.33% from now until 2027, resulting in a market volume of around $300 billion by 2027. The rise of hybrid and remote work since COVID has been coupled with a rise in security threats to most businesses, no matter the size. These increased threats are forcing companies to stitch together and pay for multiple tools from different vendors. For example, Axonius reported in May 2021 that 72% of organizations reported increased complexity within their IT environment over the past two years. And in June 2022, the SolarWinds IT Trends Report stated that 54% of respondents had visibility into less than half of their app and infrastructure estate.

GRC Tools on the Rise

You may be wondering how this fits into cybersecurity, but it will make more sense in the predictions! GRC tools have gained a ton of market share in the past few years. These companies already have a proven solution for automating security and compliance. They integrate with many 3rd party solutions and map to the most popular compliance frameworks. Some of the largest players in this space are as follows:

A report by Polaris Market Research predicts that this market will be worth $96.98 billion by 2028. Funding into this market is rising, with $1 billion being funneled into businesses within this sector in the first 10 weeks of 2022 alone. Top providers in this space are reaching billion-dollar valuations, such as Vanta, who recently secured Series B funding that valued the company at $1.6 billion.

We are also seeing companies that are already shifting their focus to tether companies with cyber insurance carriers. These companies provide some service or automation for security and compliance, but they also use that information to partner with insurance providers for cyber coverage. Some examples of companies in this area include the following:

Predictions

Cyber Insurance Carriers will not accept self-attestation

I think this will take years to come to fruition on a broad scale, but we are already seeing these trends with the partnerships being formed with companies that have automation around evidence collection. I interviewed a few insurance providers on this topic and they bluntly told me that they couldn't care less about what automation you have today around evidence collection. The larger carriers are doing so much volume that it is an accepted risk for them to only have companies perform self-assessment questionnaires. The number of claims in that pool is low compared to their premiums. They did mention the following key trends, which validate what we are seeing in the market:

  • Higher premiums quarterly
  • Less Coverage
  • More Exclusions
  • New mandatory requirements slowly rolling out

I believe there is too much money in this market for cyber risk to go into an “uninsurable” state. It is clear that insurance providers do not understand the risk: they are only slowly making things like MFA and EDR solutions mandatory to gain coverage, when those should be table stakes for any organization with a proper cyber security practice. Just like with the government regulations coming for CMMC, I believe insurance providers will require an independent audit by an accredited C3PAO or some type of real-time automation platform for evidence collection to acquire cyber insurance.

GRC Tools will Evolve

Currently, many of the popular GRC tools getting funding cater to startups (companies under 200 employees) looking to get SOC 2 compliant. These are primarily software companies that do not have the in-house resources to perform self-attestation and are looking to get compliant quickly. The primary value from these tools is the deep integrations with cloud software to automate evidence collection and the mappings to compliance frameworks. As more and more companies move to the cloud, I believe these tools are uniquely positioned to help them maintain a better cybersecurity practice. Government regulations will continue to tighten, and companies will not be able to afford self-assessments while keeping up with the rapidly evolving technical changes in the market. Tools like these will become a necessity to be able to scale in a secure fashion and will potentially be a requirement to get cyber insurance. That last part may take more time to become a reality, but even if we talk about needing an accredited C3PAO instead, these tools could significantly reduce the time and money it takes to provide an auditor what they need.

Companies will reduce the number of vendors they work with

The explosion of SaaS apps within companies has accelerated more than ever because of COVID. As we potentially enter a recession, I believe heavier scrutiny will be placed on the number of apps being used in order to cut cost. The other benefits of doing so are reducing operational overhead internally and reducing your attack surface. Security awareness will continue to spread, and more scrutiny will be placed on the vendors that businesses work with. Vendor risk management will become a standard requirement for acquiring cyber insurance.

Transparency of Trust will become commonplace

Some of the GRC tools have a “Trust Page” feature which provides real-time insights into whether a company is meeting security and compliance standards. It is very powerful to see, and it represents all the data being collected for a company through the integrations across the applications they use to do business. With cyber threats growing, security awareness increasing, and government regulations tightening, I believe this type of transparency will be commonplace for every business (whether or not they need to meet regulatory requirements). This will also take years to happen, but I believe the first wave will be with vendors that interact with sensitive data. Every vendor will have real-time APIs you can tap into to provide a summary of risk.

AI will play a role in underwriting

You can’t talk about predictions without talking about AI, right? In this case, I do think some type of AI is uniquely positioned to help deliver an automated, data-driven underwriting process. If you think about GRC tools expanding their integrations and aggregating the data, you can get a clearer picture of the overall risk at a company (along with trends over time). Even just looking at Microsoft Graph data could tell you so much about the risk of users, devices, and applications. How many times are users getting blasted with phishing campaigns? How many times are they clicking on malicious links? How often are devices seen with new incidents? Are employees accessing corporate data in a secure fashion? The levels of risk seen will ultimately determine if a policy can be written and how much premium is going to be charged based on the expected direct loss ratio.
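As an added illustration (this is not code from the original post or from any carrier or GRC vendor), the sketch below shows what a data-driven underwriting pass over the kind of telemetry listed above could look like. The sign-in, phishing-simulation and device-incident records are constructed sample data, and the field names, weights, thresholds and premium factors are assumptions chosen for the example rather than any real schema or rating table. A mandatory-MFA gate mirrors the requirement carriers are already imposing; the residual blended score maps to a risk tier and a premium multiplier.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry for two hypothetical tenants. The record shapes are
# assumptions loosely modelled on sign-in, phishing-simulation and device-incident
# reporting; they are not a real Microsoft Graph schema.
TENANT_A = {
    "signins": [{"user": f"user{i}", "mfa": i < 8} for i in range(10)],          # 8 of 10 used MFA
    "phishing_events": [{"user": f"user{i % 10}", "clicked": i < 3} for i in range(20)],  # 3 of 20 clicked
    "incidents": [{"device": f"dev{i}", "severity": "medium"} for i in range(4)],  # 4 incidents
    "device_count": 50,
}
TENANT_B = {
    "signins": [{"user": f"user{i}", "mfa": i < 2} for i in range(10)],          # only 2 of 10 used MFA
    "phishing_events": [{"user": f"user{i % 10}", "clicked": i < 10} for i in range(20)],  # half clicked
    "incidents": [{"device": f"dev{i % 20}", "severity": "high"} for i in range(30)],
    "device_count": 20,
}

# Assumed underwriting policy: a hard control gate plus score ceilings per tier.
MANDATORY_MFA_COVERAGE = 0.5
TIERS = [  # (score ceiling, tier name, premium multiplier)
    (0.10, "low", 1.00),
    (0.25, "medium", 1.25),
    (0.45, "high", 1.75),
]


@dataclass
class Signals:
    mfa_coverage: float        # share of sign-ins that completed MFA
    phishing_click_rate: float  # clicks / simulated phishing messages delivered
    incidents_per_device: float


def compute_signals(signins: List[Dict], phishing_events: List[Dict],
                    incidents: List[Dict], device_count: int) -> Signals:
    """Aggregate raw records into the rate-based signals an underwriter would look at.
    Missing telemetry (empty lists, zero devices) yields 0.0 rather than a ZeroDivisionError;
    for MFA that means 'no evidence', which the gate below treats as failing."""
    mfa_coverage = sum(1 for s in signins if s["mfa"]) / len(signins) if signins else 0.0
    delivered = len(phishing_events)
    clicks = sum(1 for p in phishing_events if p["clicked"])
    click_rate = clicks / delivered if delivered else 0.0
    ipd = len(incidents) / device_count if device_count else 0.0
    return Signals(mfa_coverage, click_rate, ipd)


def risk_score(sig: Signals) -> float:
    """Weighted blend of the signals; weights are assumptions. Higher means riskier.
    Incidents per device is capped at 1.0 so one noisy fleet cannot dominate the score."""
    score = (0.4 * (1.0 - sig.mfa_coverage)
             + 0.4 * sig.phishing_click_rate
             + 0.2 * min(sig.incidents_per_device, 1.0))
    return round(score, 4)


def underwrite(sig: Signals) -> Dict[str, Optional[object]]:
    """Apply the mandatory-control gate first, then map the residual score to a tier."""
    if sig.mfa_coverage < MANDATORY_MFA_COVERAGE:
        return {"insurable": False, "tier": "decline", "score": risk_score(sig),
                "premium_multiplier": None,
                "reason": f"MFA coverage {sig.mfa_coverage:.0%} below mandatory {MANDATORY_MFA_COVERAGE:.0%}"}
    score = risk_score(sig)
    for ceiling, tier, multiplier in TIERS:
        if score < ceiling:
            return {"insurable": True, "tier": tier, "score": score,
                    "premium_multiplier": multiplier, "reason": "within appetite"}
    return {"insurable": False, "tier": "decline", "score": score,
            "premium_multiplier": None, "reason": "risk score above appetite"}


if __name__ == "__main__":
    for name, tenant in (("Tenant A", TENANT_A), ("Tenant B", TENANT_B)):
        print(name, underwrite(compute_signals(**tenant)))
```

Tenant A lands in the medium tier (score 0.156, premium factor 1.25); Tenant B is declined at the MFA gate before its score is even considered, which is the behaviour the "mandatory MFA" requirement described earlier implies. The design choice worth noting is the ordering: controls the carrier treats as non-negotiable are checked as a gate, and only then does the statistical signal set the price, so a tenant cannot offset a missing baseline control with otherwise good telemetry.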

Conclusion/Feedback

I would love to hear your thoughts on this topic and overall feedback from what I have provided. I will be posting on the socials but feel free to hit me up if you want to chat: Msp4msps@tminus365.com

Sources:

Vanta lands $40M to automate cybersecurity compliance | TechCrunch

The-SME-Cyber-Insurance-Market_Perception-and-Adoption.pdf (sedgwick.com)

Cybersecurity Insurance: A Complete Guide | Cybersecurity Guide

Cyber Insurers Raise Rates Amid a Surge in Costly Hacks – WSJ

Cyber Insurance Premiums Are Up—And That’s Not The Only Industry Shakeup (forbes.com)

The 2021 State Of Enterprise Breaches | Forrester

The Cyber Insurance Gap: What Is It, and How Can We Close It? (blackberry.com)

Cyber Security Market Overview by Size, Growth & Trends, 2029 (fortunebusinessinsights.com)

REPORT: 4 Key Factors Driving IT Complexity (axonius.com)

SolarWinds IT Trends Report 2022

Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | CISA

Cyber attacks set to become ‘uninsurable’, says Zurich chief | Financial Times (ft.com)

ConnectWise Introduces MSP-Specific Cybersecurity Framework and Security Partner Community | The ChannelPro Network

CompTIA Introduces Cybersecurity Trustmark | The ChannelPro Network

Cyber Incident Reporting For Critical Infrastructure Act of 2022 (cisa.gov)

Critical Infrastructure Sectors | CISA

Presidential Policy Directive — Critical Infrastructure Security and Resilience | whitehouse.gov (archives.gov)

New Regulations from the Government for MSPs and Cybersecurity | Pax8 Blog

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 – Eversheds Sutherland (eversheds-sutherland.com)

If You’re Waiting for CMMC to Start Compliance, You’re Already Behind (preveil.com)

System Security Plans – DIB SCC CyberAssist (ndisac.org)
