It’s hard to believe it’s been a year since we made our predictions for the top cyber insurance trends of 2023. Looking back, even we were surprised by how accurate those turned out to be: cloud misconfigurations have driven up insurance claims; insurers are favouring organisations with XDR solutions; vulnerability prioritisation is top of mind; and, in Europe at least, managed security services are becoming a pre-requisite for cyber insurance.
That puts some pressure on us to get it right with our outlook for 2024. Looking ahead, what will be the big trends affecting cyber insurance requirements in 2024?
The SEC’s Rule 106 announced last July can be counted on to have a major impact, imposing new obligations for publicly traded companies to disclose incidents promptly and report annually on cybersecurity risk management, strategy, and governance. The rule comes as cyber insurance coverage is expanding, costs are slightly down (in the U.S., anyway), and insurers are recognising organisations’ efforts to strengthen their cybersecurity controls, according to the Wall Street Journal’s August 2023 quarterly report.
With the cyber insurance industry continuing to evolve—and the threat landscape along with it—here are our thoughts on what’s in store for 2024.
Prediction #1: Insurers will expect modern attack surface management
SEC Rule 106 will make modern attack surface management (ASM) an increasingly key cyber insurance requirement in the coming year. Modern ASM provides the visibility and monitoring to satisfy the rule and at the same time ticks all the boxes that matter to insurers.
Up to now, ASM has tended to be piecemeal, focusing on just part of the enterprise technology environment and providing only point-in-time risk assessments. Modern ASM, on the other hand, is integrated and platform-based, providing total real-time visibility across all devices, accounts, and applications—on-premises and in the cloud.
The other crucial difference between ‘classic’ and modern ASM is that modern ASM assesses risk continuously rather than periodically. This provides a constant view of the attack surface and vastly increases security teams’ ability to catch threats early.
Modern ASM also brings greater intelligence to its analysis, factoring in attack likelihood, potential impacts, asset criticality, and more. This makes it easier to prioritise risks effectively (more on that below), speeds up mitigation and helps lift organisations out of reactivity to a proactive cybersecurity stance.
As time goes by, insurers will start asking for attestation when it comes to modern ASM. Organisations won’t be able to simply say they have a platform capable of modern attack surface management: they’ll have to demonstrate that all the pieces of their security stack are truly integrated. CISOs will want to make sure their chosen platform can provide that confirmation through continuous risk assessment and meaningful reporting options.
Read more: Modern Attack Surface Management for CISOs
Prediction #2: Underwriters will use vulnerability prioritisation to assess risk
As underwriters in cyber insurance companies continue to deepen their understanding of the vulnerabilities that lead to breaches, they will concentrate on those they consider to be most critical and exploitable, and will factor them heavily into their risk assessments.
That means organisations will need the ability to prioritise vulnerabilities themselves—and to show their insurance providers that they’ve done so effectively. They’ll also want their tools to allow them to patch critical vulnerabilities quickly.
Over time, insurance companies may even seek to carry out random remote ‘spot assessments’ to ensure the necessary precautions are being taken (similar to the way auto insurance companies have apps that monitor driver behaviour in real time). It’s not clear that organisations will be open to this level of observation, though with the built-in risk prioritisation capabilities of modern ASM approaches, the continuous monitoring data will be increasingly available to support it.
Learn more: Vulnerability Assessment & Prioritisation
Prediction #3: Insurers won’t cover manufacturing breaches
Digitalisation under the banner of Industry 4.0 has eliminated the air gap that kept industrial operational technology (OT) environments mostly safe from cyber-harm for decades. This increased risk has understandably led many manufacturing companies and other industrial players to turn to cyber insurance to protect themselves against losses. Yet insurers may not pay for damages incurred by manufacturing organisations.
Why?
Manufacturing is a critical industry, vital to individual national economies and international blocs of supply chain and trading partners. An attack on a manufacturer may be less about harming a specific business than about causing economic disruption. In situations like these—especially if multiple manufacturers were to be hit at once—insurers might consider attacks to be acts of war instead of cybercrimes, and acts of war are excluded from coverage.
Given this, it is absolutely critical for companies to establish comprehensive security strategies for their OT environments rather than relying on cyber insurance.
Read more: IT & OT Security: How To Bridge The Gap
Prediction #4: IR plans will become mandatory
Many organisations have established a risky relationship with their cyber insurance, treating it as an alternative to having a detailed incident response (IR) plan. But cyber insurance policies don’t spell out the procedural whats, hows, and whens of an IR plan, leaving critical gaps should a breach occur. Insurance companies know this and are likely to put a stop to the practice by making documented, tested IR plans a mandatory cybersecurity insurance requirement.
Cyber policies may also change in duration over the year to come. Security environments are extremely dynamic, which means policies can fall wildly out of step with reality over the course of a year. As a result, terms may get shorter, allowing providers to check in more frequently with clients and make sure they’re adapting to new realities.
Read more: Incident Response Services & Playbooks Guide
Cyber insurance requirements will continue to evolve
Providers of cyber insurance understand that some things are simply beyond an organisation’s control. It is impossible to safeguard against every single potential threat. But with regulators like the SEC emphasising what organisations can and should be accountable for—going so far as to mandate cybersecurity expertise on corporate boards of directors—cyber insurance requirements are sure to follow suit, reflecting the latest attitudes toward corporate cyber responsibility. Organisations that adopt a platform-based, modern ASM approach with continuous risk monitoring will be best positioned to adapt as requirements change.
Next steps
For more Trend Micro thought leadership on cyber insurance, check out these other resources.