External data backups, strong passwords, two-factor authentication, awareness training: the common measures for cyber prevention are now widely known. Cyber insurance promises additional protection and risk minimisation.
Like long-established insurance policies, these allow various types of damage caused by cyber attacks to be covered. The still young market in this area has significant potential, especially because of the increase in ransomware incidents among small and medium-sized enterprises. The well-known reinsurance company Munich Re estimates that the global cyber insurance market could reach a value of around USD 20 billion by 2025. The threat from ransomware is expected to rise sharply as IT systems increasingly converge with critical infrastructure and operational technology systems.
Cyber insurance as a driver of ransomware attacks?
In a study, the Royal United Services Institute (RUSI) from Great Britain examined the interactions between cyber insurance, cyber attacks and cyber security practices at companies. One thesis was that ransom payments to cyber criminals formed the basis for an evolution of ransomware operations and enabled attackers to improve and expand their capabilities. The increasing losses and damage amounts caused by ransomware attacks have also made it clear that the current situation is hardly sustainable in the long term, even for insurers.
More incentives for cybersecurity – but how?
In theory, companies that take out cyber insurance should also have implemented the necessary standards and precautions internally. This is comparable, for example, to fire insurance, which requires that all necessary precautions such as fire compartments, fire alarms and fire extinguishers are in place and maintained. On this assumption, the insurance industry would be in a good position to drive best practices such as ISO 27001 or NIST and promote their implementation among companies. This would also be in the interest of insurance carriers, who are financially motivated to reduce claims and losses. However, the study results indicate that certification against specific standards is routinely not a prerequisite for insurance in most cases. How existing IT security standards are factored into the risk assessment was found to be highly inconsistent.
Conclusion: Insurance does not automatically lead to an increase in IT security
According to the study, the opportunities to positively and sustainably influence the operational IT security of customers are not being used enough. Further clear words can be found on improving the security situation: "So far, cyber insurance has not lived up to the expectations placed in it as a tool to improve companies' cyber security practices", the Institute says. A warning addresses the original point of criticism: "Cyber insurers may inadvertently facilitate the behaviour of cyber criminals by contributing to the growth of targeted ransomware attacks."
This indirectly confirms the reservation about uncontrolled use. Nevertheless, the original purpose must not be misunderstood: the main purpose of cyber insurance is not to improve cyber security, but to assume the remaining residual risk for the insured company.