- Insured customers need trusted partners to manage premium costs, renew coverage, and monitor cyberthreats in an evolving landscape.
- Insurers increasingly rely on third-party technology service providers (TSPs) to validate security controls, manage incidents, investigate claims, and scrutinize your delivery.
- The presence of many unknown unknowns, driven by the increased use of AI, is rapidly complicating cyberthreats. Insurers are increasing their expectation of due diligence as AI-driven attack vectors become more common.
Our Advice
Critical Insight
Monetize the need to make organizations insurable by becoming the trusted partner of policyholders. Contribute to key cyber insurance activities by providing added value during policy selection, risk assessment, underwriting, policy implementation, incident response, claims management, and policy renewal.
Impact and Result
- Align your cyber insurance support services with the cyber insurance lifecycle. Specifically define your role as a trusted cyber insurance enabler and support your customers throughout the course of the insurance contract.
- Use cyber insurance as a catalyst to sell and grow your cybersecurity offerings.
- Leverage Info-Tech’s suite of tools to develop your capabilities and leverage your membership to successfully grow your business.
Launch Cyber Insurance Support Services
Leverage technology service capabilities to meet cyber insurance needs.
Analyst Perspective
Many remember the early days of the cyber insurance industry – when eligibility was determined by shockingly simple and relaxed questionnaires. Back then, a basic firewall was often enough to secure coverage. But those days are long gone.
Today, the cyber insurance industry stands at an inflection point, recognizing that these prior approaches were ineffective and unsustainable. Insurers now demand robust due diligence and comprehensive security controls, meaning only organizations with mature security postures will qualify for coverage. As the bar for insurance eligibility continues to rise, customers around the world are scrambling to meet these new requirements.
This shift creates significant opportunities for technology service providers to step in and offer valuable services that help businesses not only meet security standards but also secure the insurance they need.
Info-Tech offers a wealth of cybersecurity research that directly supports the evolving requirements for cyber insurance. Using the included tool from our extensive library, organizations can immediately take steps to enhance their security and successfully meet their cyber insurance needs.
Dr. Justin St-Maurice
Executive Summary
Your Challenge
- Insured customers need trusted partners to manage premium costs, renew coverage, and monitor cyberthreats in an evolving landscape.
- Insurers increasingly rely on third-party technology service providers (TSPs) to validate security controls, manage incidents, investigate claims, and scrutinize your delivery.
- Many unknown unknowns, driven by the increased use of AI, are rapidly complicating cyberthreats. Insurers are increasing their expectation of due diligence as AI-driven attack vectors become more common.
Common Obstacles
- You need to define your role and service offerings in the cyber insurance ecosystem and serve the needs of policyholders in an increasingly complex and adversarial environment.
- You need to offer specific cyber insurance service activities, and to develop and mature the business capabilities behind them.
- You need to identify resources to help mature your service offerings to meet the requirements of cyber insurers and effectively manage risk.
Info-Tech’s Approach
- Align your cyber insurance support services with the cyber insurance lifecycle. Specifically define your role as a trusted cyber insurance enabler and support your customers throughout the course of the insurance contract.
- Use cyber insurance as a catalyst to sell and grow your cybersecurity offerings.
- Leverage Info-Tech’s suite of tools to develop your capabilities and leverage your membership to successfully grow your business.
Info-Tech Insight
Monetize the need to make organizations insurable by becoming the trusted partner of policyholders. Contribute to key cyber insurance activities by providing added value during policy selection, risk assessment, underwriting, policy implementation, incident response, claims management, and policy renewal.
There are growing interplays between the cyber insurance and technology service provider industries
For technology service providers, cyber insurance is both an opportunity and a risk.
Cyber insurers and technology service providers offer complementary services, with insurers assuming calculated risks and technology service providers working to mitigate and avoid them.
Fundamentally, providers and insurers share a common goal to prevent breaches, avoid losses, and maintain seamless operations.
At times, insurers and policyholders have different interests, and technology service providers provide technical arbitrage to understand and manage risks.
Both industries are challenged by rapid technological change and need to adapt to new and unpredictable threats.
Slides 5 to 9
EXPERT INSIGHTS ON MARKET SHIFTS
Real-world stories and fables from experts highlight subjective factors relating the two interconnected industries.
Slides 10 to 12
CYBER INSURANCE BY THE NUMBERS
Objective facts and statistics showcase the evolving nature of cyber insurance and the complexities of managing risk, policies, and claims.
EXPERT INSIGHTS ON MARKET SHIFTS
Don’t lose your shirt! Cyber insurers can mandate specific service providers to their clients after a cyber claim is filed.
Picture this: Your mid-sized customer suffers a cyberbreach and immediately calls their cyber insurance provider for support. Instead of just processing the claim, the insurer says, "We'll cover you, but from now on, you must use our chosen managed security service provider if you want to maintain your coverage." Suddenly, your customer is compelled to switch to a different service provider – not by choice, but as a condition of their insurance.
Implications for Technology Service Providers
Proactive cybersecurity services will safeguard your client relationships. In the event of a breach, a client's claim could result in them being directed away from your services, regardless of your existing relationship and goodwill. Enhance your offerings to minimize the risk of client breaches to make it less likely they'll need to file a claim and be forced into a new relationship.
Becoming an insurer’s preferred partner is great business, if you can find it. Align with cyber insurance companies to become the MSSP they recommend and secure a pipeline of new clients.
Source: CEO of a Technology Services Firm
ChatGPT Prompt (September 2024): Draw me a one-panel comic of a technology service provider losing their business to another party. You can see the service provider’s sad face. In the background, there is a cyber insurer, tall and intimidating, who is directing the customer to another group of providers. The customer is reluctantly joining the other provider, with their items in hand.
EXPERT INSIGHTS ON MARKET SHIFTS
AI vs. AI? Advanced automation and AI may become conditions of cyber insurance.
At a conference, the president of a major vendor confides, "Cyber insurers are gearing up to require the use of artificial intelligence in security defenses." She elaborates that cybercriminals are unleashing AI-driven attacks, and the only effective countermeasure is deploying AI on the defense side too. "It's becoming a battle of AIs versus AIs," she muses. "If you don't have AI guarding your systems, you might soon find yourself uninsurable."
Implications for Technology Service Providers
Have a plan to integrate AI into your security services offerings. Anticipate the need to enhance your cybersecurity solutions and stay ahead of sophisticated attacks to keep business and provide next-generation services. Continuously update your defense strategies to match the speed at which attackers innovate.
Keep an eye on evolving cyber insurance requirements. If your customers require cyber insurance, assume changes are on the horizon and stay informed about future insurability standards.
Source: President of a Technology Company
ChatGPT Prompt (September 2024): Draw me a one-panel comic of two AIs fighting in a proverbial cybersecurity arena. Let's suggest they are playing chess and that the winner of the game will get money and data and other riches. Let's also have a cyber insurer in the background dressed as a referee who will be making sure the match is fair.
EXPERT INSIGHTS ON MARKET SHIFTS
Stay in your lane. Cyber insurers estimate and assume risks while technology service providers mitigate and avoid them.
At a recent cybersecurity roundtable, a confident MSSP took the floor and made a bold offer: “If you use our cybersecurity services, we'll underwrite any security breaches you might face, and we'll handle finding reinsurers!” The room fell silent as attendees exchanged glances. Was this guy serious? Anyone who understands risk will understand that assuming that level of risk is a very bad idea. The representative was coming off as a cowboy who was shooting from the hip: someone to be avoided instead of embraced.
Implications for Technology Service Providers
Carefully position your role and limits. Venturing into underwriting and insurance can blur ethical and legal boundaries. Ensure you operate within the bounds of the law to avoid severe repercussions. Build partnerships with insurance companies to support your clients' needs instead of trying to replace traditional insurance roles.
It’s impossible to eliminate all risks. Avoid overconfidence and avoid making risky promises. A realistic approach to unknown and unknowable threats is essential. Focus on delivering exceptional cybersecurity services while acknowledging that incidents are always likely.
Source: Cybersecurity Expert
ChatGPT Prompt (September 2024): Draw me a one-panel comic of a technology service provider selling services that are impossible. Have a small gate in place to try and prevent an elephant from entering the yard. Have a text bubble for the service provider saying, “nothing can get into my yard!” Have some skeptical onlookers.
EXPERT INSIGHTS ON MARKET SHIFTS
Friend or foe? The insurer-client relationship can start to look more adversarial, with competing interests at play.
At a cybersecurity meetup, a CISO shared an unexpected twist in his dealings with their cyber insurer. "Out of nowhere, we discovered that our insurer had hired an external firm to test our defenses," he said. "It felt like we were suddenly in a standoff – like two lawyers prepping for court. They came back with a list of vulnerabilities and a set of strict conditions we had to meet to keep our coverage. It was adversarial, and we felt the need to have our own representation just to navigate the situation."
Implications for Technology Service Providers
Anticipate more adversarial dynamics between insurers, policyholders, and third-party contractors. Be prepared for insurer-client relationships to become confrontational as cyber insurers can only become more critical of safeguards and demanding of due diligence.
Be prepared for third-party oversight and review. Assume that someone will come to check your work and validate your services. Keep detailed records to defend your practices under external scrutiny and get ready to welcome an external review of your practices.
Source: Ex-CISO of a National Media Corporation
ChatGPT Prompt (September 2024): Someone created a fancy cybersecurity machine. Draw me a one-panel comic showing someone inspecting the machine. The person who created the machine is watching as someone else inspects it. In the background there is also someone skeptical that the job was done correctly, dressed as a business executive.
EXPERT INSIGHTS ON MARKET SHIFTS
The end of cyber insurance? Though it is a common safety net that many require, it might soon vanish.
Over an early morning coffee, a risk management guru leaned back and confidently declared, "Cyber insurance is on its deathbed." Few in the coffee shop paid attention, but he continued as though he had the room’s full attention. "Think about it," he continued. "With cyberthreats evolving faster than ever and 'unknown unknowns' lurking around every corner, insurers can't predict risks anymore. And if they can't predict risk, they can't insure against them. Anyone who knows anything about risk knows they shouldn’t assume unknown risk. Cyber insurance as we know it is dead."
Implications for Technology Service Providers
Use cyber insurance as a catalyst to deploy cybersecurity solutions that minimize risks. Monetize the need to get cyber insurance as an opportunity to partner with clients to grow mature processes that mitigate cybersecurity risks.
Prepare for an insurance-free landscape. Adapt your service model for a future where cyber insurance may no longer be available or reliable. Taking action to qualify for cyber insurance today sets the stage for the day when it is no longer needed.
Source: Leading Risk Management Expert
ChatGPT Prompt (September 2024): Draw a one-panel comic. There is a tombstone that represents cyber insurance. In the background, a lot of crazy things are happening that wouldn't be covered or predicted by traditional insurance. Random stuff, but funny.
CYBER INSURANCE BY THE NUMBERS
Cyber insurance growth and evolution
33% — Percentage of executives citing high price as main reason for not having cyber insurance (Munich Re, 2024).
66% — Percentage of executives that stated network security should be provided as a service with cyber insurance (Munich Re, 2024).
US$22.5 billion — Global cyber insurance market size by 2025 (“Global Cyber Insurance Market Size,” Statista, 2023).
US$15.63 trillion — Projected global cost of cybercrime by 2029 (“Cybercrime,” Statista, 2024).
- In a survey conducted in 2024:
- 33% of senior executives cited the prohibitive cost of cyber insurance as the key reason for not adopting coverage, underscoring affordability challenges within the industry (“Senior Executives' Reasons,” Statista, 2024).
- 66% of executives highlighted the desire to bundle network security with cyber insurance policies and signaled a desire to move toward more integrated service models (“Opinion of Senior Executives,” Statista, 2024).
- The estimated global cost of cybercrime is projected to escalate to US$15.63 trillion by 2029, leaving insurers little choice other than to tighten policy terms and increase premiums to mitigate their exposure (“Cybercrime,” Statista, 2024).
- The global cyber insurance market is expected to reach US$22.5 billion by 2025 and reflects an ongoing demand for risk transfer products in a more volatile digital landscape (“Global Cyber Insurance Market Size,” Statista, 2023).
CYBER INSURANCE BY THE NUMBERS
Trends in underwriting, policies, and claims
- The factors influencing cyber insurance risk and payouts remain multifaceted and include regulatory compliance, third-party exposure, company size, and the sensitivity of the data being protected (UpGuard, 2024).
- Emerging risks related to AI are increasingly on the radar, with nearly 700 potential risks identified in just the last two years (MIT Technology Review, 2024). These risks pose new challenges for insurers as AI systems become more advanced and complex.
- In 2024, the average cost of breaches associated with high skill shortages jumped by 7.1% to US$5.74 million (“Average Cost of a Data Breach,” Statista, 2024).
- In 2016, enterprise risk management capabilities were the primary consideration for underwriters assessing cyber risk and underwriting policies (Deloitte University Press, 2017).
- Claim denials remain a challenge for many businesses, with some reports indicating as many as 44% of claims in 2023 were rejected due to noncompliance with security requirements (Accent Consulting, 2024; Your Policy, 2024).
- By mid-2023, claim frequency had decreased to 1.64% while the global average cyber insurance claim amount was US$86,592 (“Average Claim Amount,” Statista, 2024).
CYBER INSURANCE BY THE NUMBERS
Record holders in the cyber insurance industry
- In France, the cyber insurance industry saw dramatic improvements in recent years. The market underwent significant transformation after a challenging period where loss ratios spiked to 167% in 2020. However, by 2022, insurers in France adapted their pricing models and tightened underwriting practices, successfully lowering the loss ratio to just 22%. This reduction was driven by more disciplined risk management strategies (“Loss Ratio,” Statista, 2023; Commercial Risk, 2024).
- The United States continues to bear the highest costs for data breaches, with an average cost per breach reaching $9.36 million as of early 2024. The US remains a critical focus area for insurers due to its large-scale digital infrastructure and frequent high-profile breaches. This has led to increased premiums and stricter policy terms, especially in industries like healthcare and finance that are more vulnerable to cyberattacks (“Average Cost of a Data Breach,” Statista, 2024; S&P Global, 2022).
- One of the most severe attacks on the US healthcare system resulted in damages exceeding $1 billion, setting a record and illustrating the significant impact of large-scale cyber incidents (Insurance Business, 2024).
Clients need help navigating the complexities of cyber insurance and technology risk
The growing need for help offers new opportunities to deliver comprehensive, integrated support services to policyholders. Technology service providers can bridge the gap between cybersecurity, risk control, and insurance requirements in the era of AI.
There is an overlap between cyber insurance entitlements and other technology services
Cyber insurers provide prevention programs
Preventative assessments identify potential vulnerabilities in systems and processes, helping policyholders understand and mitigate risks before an attack. Information and training are also preventative measures that give employees knowledge of best cybersecurity practices and reduce the likelihood of human error leading to breaches.
Cyber insurers provide assistance during incidents
Assistance services provide expert support in the event of a cyber incident, guiding organizations through the response process. This includes forensic investigations, legal services, managing breach notifications, credit monitoring, crisis management, and public relations to mitigate damage and restore trust.
Cyber insurers provide recovery services
Recovery services focus on restoring operations quickly and minimizing financial losses after a cyber incident. This includes business operation restoration, compensation for lost revenue, and data recovery to ensure a swift return to normal activities.
Info-Tech Insight
Cyber insurers know that an ounce of prevention is worth a pound of cure. A proactive approach not only minimizes claims but also lowers premiums. Cyber insurers, service providers, and policyholders all want the same thing – no incidents and no claims!
Maximize the value of cyber insurance
Keep premiums affordable
Implement recognized cybersecurity frameworks and standards. Review and align controls to insurer requirements to ensure compliance and eligibility.
Assess and optimize policy coverage. Complete business impact assessments and set recovery time objectives to determine policy needs.
Verify controls before underwriting. Ensure organizations meet insurer requirements to get the best premiums.
Generate insights on risk likelihood and new trends. Stay ahead by providing insights into emerging risks and severity and updating practices to be ready for future renewals.
Unlock entitlements
Streamline incident response and coordinate efforts. Engage the cyber insurer and leverage entitlements based on a play and reduce delays, confusion, and downtime.
Create detailed documentation for improved claim handling. Investigate root causes, track impacts, and validate insurer actions.
Develop clear communication plans with insurers. Avoid duplication of efforts, reduce costs, and adhere to insurance terms.
Hold cyber insurers to account. Ensure fair claim assessment and advocate for entitlements when required.
Understand risks and opportunities in the cyber insurance landscape
Info-Tech Insight
For technology service providers, cyber insurance is both an opportunity and a risk.
Providers that excel at managing cyber risk with mature processes and services will prosper, whereas smaller ad hoc teams are a serious risk.
Support customers throughout the cyber insurance lifecycle
Info-Tech Insight
Coordinate with cyber insurers and policyholders by adopting insurance language.
Align service offerings with specific lifecycle stages to help contextualize your value proposition.
Align services with the cyber insurance lifecycle
| Insurance Life Cycle | Technology and Consulting Service Opportunities |
| --- | --- |
| Risk Assessment | Perform detailed cyber risk quantification and vulnerability identification to assess exposure and ensure alignment with requirements. |
| Policy Selection | Translate risk assessments into financial terms and recommend policies that meet risk transfer needs. |
| Underwriting | Prepare comprehensive documentation, support onsite audits, and advocate for the organization’s cybersecurity posture to insurers. |
| Implementation and Maintenance | Continuously monitor, audit, and test cybersecurity controls and perform regular penetration testing to maintain compliance. |
| Incident Response | Coordinate incident response with insurers by providing regular updates, avoiding duplication of effort, and ensuring all entitled services are utilized. |
| Claims Management | Provide detailed claims documentation, resolve disputes through technical evidence, and validate compliance with policy requirements. |
| Policy Renewal | Assess the effectiveness of modernized cybersecurity practices, review insurance usage, and renew policies based on current risk and innovation. |
Info-Tech Insight
Monetize the need to make organizations insurable.
Contribute to key cyber insurance activities by providing added value support and services during policy selection, risk assessment, underwriting, policy implementation, incident response, claims management, and policy renewal.