This is not breaking news: the cyber insurance market is booming all around the world. Every kind of loss now gets insured, whether environmental, financial, commercial, or, increasingly, cyber.
The CAGR (Compound Annual Growth Rate) of the global cyber insurance market is expected to be 35.92% from 2022 to 2027. Quite impressive!
Negotiating a cyber insurance policy has become complex
The uncertainty does not benefit either the insured or the insurer.
- The insured faces a surge in insurance premiums. This surge also increases the risk of ending up in litigation when a claim is made. There is no worse situation for a business leader than seeing the coverage of a loss delayed when that loss occurred today and has immediate financial consequences. Business interruption, penalties, and the need to rebuild production capabilities: the consequences of a cyberattack are abrupt and require immediate resources.
- For the insurer, the situation is not ideal either. A significant level of uncertainty remains regarding the actual effectiveness of the insured's cybersecurity and resilience measures. This is particularly true for medium-sized companies, where the cost of verifying the effectiveness of those measures quickly becomes prohibitive compared to the expected insurance premiums.
The increasing adversarial nature of the cyber environment, with random or highly targeted attacks, does not help clarify the situation. Traditional means of assessing protection measures do not provide insurers with a comprehensive view:
- Declarative controls (questionnaires and self-assessments) inherently rely on self-reporting, making it impossible to verify the effectiveness of the stated measures.
- Functional or technical audits (pentests, code audits, bug bounty programs, etc.) only cover specific areas and come with high implementation costs.
- Vulnerability scanners provide only a limited view of the security posture and say little about the effectiveness of SecOps capabilities.
Next-generation attack simulation solutions can significantly change the landscape
With cyber defense capability scoring, such as that provided by BlackNoise, it becomes possible:
- To continuously assess the ability to detect and respond to attacks as early as possible.
- To confirm that all technical solutions in use are effective and properly implemented and configured.
- To ensure the absence of regressions or blind spots over time.
This does not mean decommissioning the usual solutions for auditing and for compliance control of security policies. Nor does it mean turning away from risk management models and ISMS (Information Security Management Systems). However, for a healthier cyber insurance market for all stakeholders, it seems essential to move to continuous scoring of the effectiveness of cyber defenses.