Opinions expressed by Digital Journal contributors are their own.
Rising premiums require new strategies
From data breaches to ransomware attacks, cybercrimes have surged in recent years, driving organizations to find ways to improve security measures and better protect their assets.
Rising risks have also catalyzed the growth of the cyber insurance market, which was valued at $14.4 billion in 2023 and is projected to double by 2030, according to the QualRisk Cyber Insurance Center (QCC) 2024 Global Market Report.
The cyber insurance market’s expansion parallels the increase in cybercrime and associated costs. Statista predicts the cost of cybercrime to escalate from $8.15 trillion in 2023 to $13.82 trillion in 2028. In addition, Verizon’s 2024 Data Breach Investigations Report (DBIR) found a 180% year-on-year rise in attacks exploiting vulnerabilities, especially involving ransomware and extortion-related threats.
Web applications are also the primary entry point for attacks that exploit vulnerabilities, as illustrated by the 2023 MOVEit attack, which compromised customer and employee data. Third-party vendor breaches, accounting for 15% of breaches, rose by 68% from the previous year. The median loss from ransomware attacks was $46,000, with ransom demands ranging from 0.13% to 8.3% of the victimized organization’s revenue in 80% of the cases.
As third-party vendor breaches and losses from ransomware attacks have grown, insurance providers often demand that organizations have stringent cybersecurity protocols in place. To qualify for cyber insurance coverage, organizations often need advanced threat detection systems, data encryption, regular security audits, and employee training programs. At the same time, many insurers are lowering coverage limits and tightening policy requirements to manage rising risks.
CRQ’s critical role
Cyber Risk Quantification (CRQ) assigns numerical values to a potential cybersecurity incident’s impact on an organization. By translating complex cybersecurity threats into financial terms, CRQ can help organizations better understand their risk exposure and make informed decisions about investments and insurance needs.
Integrating CRQ into cybersecurity and insurance strategies may help organizations achieve a dual benefit: enhanced cyber resilience and optimized insurance coverage. Assessing the financial impact of risks posed by third-party vendors, for example, may help CISOs and organizational leaders make more informed decisions about vendor security practices.
Quantifying risks may also influence the terms of cyber insurance and contractual obligations, which may help organizations obtain a comfortable amount of cyber insurance coverage and accountability. In many ways, CRQ may help to bridge the gap between technology and business. “It all comes back to understanding risk,” said Chris Novak, Senior Director of Cybersecurity Consulting at Verizon. “By quantifying risks, organizations can clearly see their vulnerabilities and potential financial impacts. This clarity allows them to prioritize security efforts and allocate resources more effectively.”
Many of Novak’s clients are surprised when their gut view of their risk differs vastly from the actual assessed view. “It’s like going to the doctor and you feel fine. They run the tests. They give you the results. And they’re saying you’ve got a bunch of things you need to deal with and you’re like I came in feeling great. I wasn’t expecting you to give me all this.”
Once risks are outlined, Novak helps develop an action plan. Going back to the doctor analogy, he explained, “OK doc, thanks for the results. I gotta work on it. But what exactly does that action plan look like? What are the steps I need to take? Is this like a two-week plan, a six-month plan, or a five-year plan? And how grave are the circumstances if I don’t do it, or don’t do it the way you say?”
AI’s role in underwriting
Traditionally, cyber insurance underwriting and claims adjustments involved significant human guesswork, causing delays and scaling issues. Generative AI technologies may help organizations streamline processes, accurately analyze cyber risks, and provide tailored security recommendations.
AI models are helping to forecast future cyber threats by analyzing historical data. Organizations can use AI-derived forecasts to help prioritize cybersecurity investments. Insurers use AI to tailor policies to specific organizational risks, which may help organizations lower rising policy premiums and broaden coverage while reducing claim denials. “As it relates to risk quantification, we’re already using artificial intelligence on the back end of Verizon’s analytics,” Novak said. “We see the value of having large data sets that can inform us and to use those large data sets to produce valuable insights.”
An industry in flux
Third-party attestations or certifications are important to help assure potential business partners (including insurers) of an organization’s cybersecurity health. Novak advises organizations to adopt CRQ to help improve risk management practices, which in turn may help them negotiate more tailored insurance coverage and premiums.
At its core, CRQ may enhance cyber resilience, streamline regulatory reporting and help organizations tailor insurance coverage.
Novak maintains that by integrating CRQ into their cybersecurity strategies, organizations may reduce regulatory headaches by streamlining reporting, facilitating transparent communication with regulators and proactively managing risks. The European Union’s Network and Information Systems (NIS2) Directive, for example, requires organizations to report cyber incidents significantly impacting operations. CRQ may help organizations quantify the potential impact of cyber incidents and may contribute to developing a robust incident response plan to meet NIS2 requirements.
Many businesses have benefited from adopting robust risk management practices. Healthcare providers, for example, are prime targets for cyberattacks, and many use CRQ to identify and reduce their vulnerabilities. Some healthcare companies have implemented CRQ and are starting to realize benefits including greater risk visibility and better decision making around cybersecurity frameworks.
In the years following its high-profile data breach in 2013, Target has taken a proactive approach to cybersecurity risk management. The retail giant made a $1 billion investment in technology and cybersecurity, including opening a state-of-the-art Cyber Fusion Center to protect customer data and ensure a quick, team-based approach to security incidents. Today, Target’s risk management strategy includes advanced analytics and risk quantification tools to better understand and mitigate cyber threats. By modeling the financial impact of various scenarios, Target has been able to demonstrate to insurers its commitment to cybersecurity.
Adding CRQ into cybersecurity strategies
Bringing CRQ into an organization’s cybersecurity strategy gives CISOs and business leaders a useful tool for developing healthy, robust operations, given its potential to help address cyber insurance and cybersecurity budgeting challenges and to support future planning and decision-making needs. Integrating CRQ into cybersecurity strategies may help organizations increase resilience, make better cybersecurity investments and adjust to dynamic regulatory reporting requirements.
Verizon’s CRQ framework may provide the help CISOs and security leaders need to better articulate risk management practices, justify cybersecurity investments and potentially support better-tailored insurance coverage.