In its recent Securities and Exchange Commission (SEC) filing, Progress Software, the company behind the MOVEit file transfer software that’s been used to breach dozens of major organizations, says it plans to try to fully collect on its $15 million cyber insurance policy. But how is that fat $15 million payout likely to affect how insurers approach their own businesses?
Faced with class action lawsuits, fines, and a battered business brand, there’s little question the company will need millions to cover its losses. And to boot, Progress Software was already collecting on a claim related to a previous incident in November 2022, unrelated to the MOVEit ransomware campaign, according to its most recent 10-Q filing with the SEC.
“As of August 31, 2023, we have recorded approximately $4.9 million in insurance recoveries, of which $3 million was related to the November 2022 cyber incident and $1.9 million was related to the MOVEit vulnerability, providing us with $10.1 million of additional cybersecurity insurance coverage (which is subject to a $0.5 million retention per claim). We will pursue recoveries to the maximum extent available under our insurance policies.”
Higher Premiums, Less Coverage
Cyber insurers don’t have the historical data or developed risk models that other insurers, such as car or home insurers, do, which means they are constantly adjusting their “risk appetite,” according to Mark Millender, senior advisor for global executive engagement at Tanium. He thinks payouts like the one Progress Software is seeking will both drive up premiums and ratchet up requirements for coverage across the cyber insurance ecosystem.
“As loss ratios increase and drive down profitability, risk tolerance recedes and the need to drive up revenues is reflected in premium charges,” Millender says.
And getting policies renewed in the wake of this Progress Software claim, and others, is going to get trickier, he predicts.
“At the same time, the insured submitting the claim will be under increased scrutiny at the time of renewal,” according to Millender. “The insured’s ability to renew with the same or another carrier will depend on many factors, including this claim experience, but also general cybersecurity defense posture and how the incident was addressed.”
Cyber insurance policies are undoubtedly already getting more expensive and providing less coverage than before: Two-thirds of companies surveyed for a report from Delinea on the current state of the cyber insurance industry said they saw a 50% increase in cyber insurance premiums, with narrower coverage, over the past year. And a full 80% of companies reported they submitted at least one claim in the past year.
“Three key factors are driving the growth of the cyber insurance market,” Bud Broomhead, CEO at Viakoo, says. “This includes the expanding liabilities from cyber breaches, boards and senior management holding more responsibility for breaches, and the ‘forcing function’ that cyber insurance provides to maintain their cyber security posture.”
Broomhead adds that as the cyber insurance market matures, these factors will change, but the bottom-line result is likely to be a continuing trend towards more expensive policies with less coverage. But as cyber insurers refine their risk evaluations, premiums should stabilize, he adds.
Cyber Insurers Communicating With Security Teams
Cyber insurers are taking a closer look at the risk profiles of their clients, a trend that will be driven to new heights by the Progress situation. One of the outcomes of this increased scrutiny has been greater cooperation between cyber insurers and their policyholders, Dara Gibson, cyber insurance services leader with Optiv, explains.
“Cyber insurers are now communicating with cybersecurity teams,” Gibson says. “It’s going to become more of a collaborative effort between the insurers, cybersecurity and the insured because a greater understanding of what ‘good’ looks like is taking shape.”
It’s up to enterprise teams to do the same kinds of assessments, Broomhead advises.
“Risk assessment and cyber insurance will always be evolving in the same way that threat vectors themselves evolve,” Broomhead says. “The most important thing is for an organization to do its own risk assessment and ensure that their internal policies address their entire attack surface.”