As cybersecurity threats continue to escalate in 2024, what should insurers do?
The growing menace of cybersecurity threats, rising through 2023 and set to become even more commonplace in 2024, presents problems for the insurance sector. How should the sector plan to react in the year ahead? To consider the best strategy, Digital Journal heard from Andrew Correll, Director of Insurance Solutions at SecurityScorecard.
2024 Cyber Insurance Forecast: Stormy Weather Ahead
The insurance sector faces a number of challenges and these are set to increase as more companies become impacted by cyberattacks. Correll notes this in stating: “As cybersecurity threats continue to escalate in 2024, insurers face a delicate balancing act. On the one hand, insurers must scrutinize companies more closely to assess their risk profiles and ensure adequate safeguards are in place.”
There are also economic factors to consider: “On the other hand, they must also remain competitive in a rapidly growing market, which may tempt some to loosen underwriting requirements and lower premiums to gain market share. This dichotomy will create confusion for insurance buyers, who may struggle to understand the evolving underwriting landscape and the potential implications for their coverage.”
Maintaining a realistic premium during this period is important. Here Correll warns: “Insurance companies that slash premiums will introduce new exclusions to offset the reduced revenue. This can leave policyholders with a false sense of security and expose them to significant financial losses in the event of a cyberattack. When an organization purchases a cheaper policy and subsequently experiences a claim, it will discover the reason for the lower price tag. This reinforces the misguided perception that cyber insurance is a racket.”
Navigating the AI Minefield: Challenges Ahead for Cyber Insurance
One reason the situation will become more challenging next year is the emergence of new forms of attack, including artificial intelligence. Correll fears: “In 2024, cyber insurance is set to undergo a seismic shift as it pivots towards embracing AI technology. However, AI adoption comes with a caveat: The industry is ill-prepared to grapple with the inherent risks and complexities that AI introduces in pricing and underwriting considerations. Just as insurers previously wrestled with the potential cyber exposures in property or general liability policies, they now face a critical problem — where should AI find its place within insurance policies? This fundamental question will trigger a profound reassessment of the boundaries and extent of insurance coverage for AI-related incidents.”
Correll also sees a new dimension in the form of data privacy: “The escalating prevalence of AI in our lives will inevitably raise a slew of pressing concerns, most notably concerning data privacy. The wrongful collection and use of data in an AI-driven world will become contentious, sparking heated debates about whether such liabilities should fall under traditional cyber insurance or specialized policies.”
Cyber Insurance Telemetry Data Requirement
Looking towards internal vulnerabilities also matters and firms should not neglect this, states Correll: “A shift in cybersecurity insurance practices is on the horizon as carriers will demand unprecedented cybersecurity transparency. While many organizations understand how attackers view their systems from the outside, they often lack visibility into potential security gaps within their operations. This is where internal controls play a crucial role in safeguarding sensitive data and preventing unauthorized access.”
This is likely to create new demands for internal controls, observes Correll: “Carriers are catching on to this and starting to ask questions like, ‘Do you have MFA?’ This question is simple, but the answer is complex. It’s about more than just whether MFA is in place but also how well it’s deployed. Carriers want to know if MFA is consistently applied across all critical systems and if all authorized users are required to use it. These factors are difficult to assess through a simple questionnaire, and carriers increasingly seek more granular insights.”
With new demands come new requests for evidence: “More carriers will require organizations to share telemetry data in response to this demand for enhanced visibility in 2024. Telemetry data provides a detailed view of how internal controls, such as MFA, function in real-time. By analysing this data, carriers can confirm whether key controls are in place and assess their configuration and effectiveness. This deeper level of insight will enable carriers to provide more comprehensive risk assessments and tailored security recommendations to their clients.”