Cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations’ cyber security practices, finds RUSI

Cybercrime is a complex, rapidly growing and severe threat to both government and business. In 2020, losses from cybercrime were estimated at over $945 billion worldwide, while the average ransomware payment was reported to have risen from ‘$84,116 to $220,298’ between Q4 2019 and Q1 2021. 

This rise is taking place at a time of rapid change in the online environment as organisations seek to digitalise, increase connectivity and accommodate increased remote working, heightening the need for protection. With both national infrastructure and economic security at risk, ‘one tool that has gained traction is cyber insurance’.  

However, think tank RUSI’s Cyber Insurance and the Cyber Security Challenge report concludes that if cyber insurance is to have the desired impact, the ‘insurance industry must overcome significant challenges’. 

Based on interviews and workshops with experts across the insurance and cyber security industries, government and academia, the paper identifies an insurance industry that is not only struggling to understand cyber risk itself, but is also ‘struggling to collect and share reliable cyber risk data that can inform underwriting and risk modelling’.  

Without that data, insurers and reinsurers cannot accurately assess an organisation’s risk or security practices, and so cannot price policy premiums accordingly. In addition, the cyber insurance market has yet to make use of financial incentives or to impose security obligations that would improve the cyber security practices of policyholders. 

As a result, while some cyber insurers are beginning to move in the right direction, the industry is still struggling to move from theory to practice when it comes to incentivising cyber security. In fact, the reverse may be taking place.

The paper notes that ‘cyber insurers have received considerable criticism for facilitating ransom payments to cybercriminals’ and in doing so are ‘incentivising cybercriminals’ engagement in ransomware operations and enabling existing operators to invest in and expand their capabilities’.

The losses from ransomware have also contributed to some insurers leaving the market. 

Because of these shortcomings, the contribution of cyber insurance to the goal of improving cyber security practices is ‘more limited than policymakers and businesses might hope’. 

To address this challenge, the paper provides actionable recommendations for the UK cyber insurance sector, aimed both at strengthening incident response and at bolstering the market.  

Recommendations include: 

  • Insurers should collectively agree on a set of minimum security requirements as part of risk assessments for SMEs. 
  • Cyber insurance carriers should explore partnerships with managed security service providers, cloud service providers and threat intelligence providers to gain access to internal sources of data. 
  • The Cabinet Office and Crown Commercial Service should develop a policy and legal framework to mandate cyber insurance coverage for all government suppliers and vendors. 
  • The National Security Secretariat should conduct an urgent policy review into the feasibility and suitability of outlawing ransom payments. 
  • The NCSC, the National Crime Agency (NCA) and insurance industry stakeholders should leverage existing public–private partnership models for combating cyber threats and financial crime, and establish a dedicated information-sharing partnership to exchange anonymised threat intelligence and ransom payment data. 
  • Insurers should specify that any ransomware coverage must contain a requirement for policyholders to notify the NCA and the NCSC in the event of an attack and before a ransom is paid. 
  • The insurance industry should work with the NCSC and cyber security partners to create a set of minimum ransomware controls based on threat intelligence and insurers’ claims data.