Cybersecurity: Cyber Insurers’ Response to Increasing Risks

by John Jenkins

October 29, 2025

According to a recent article published by DarkReading.com, a cybersecurity news site, the number of software security vulnerabilities is increasing exponentially, with nearly 33,000 common vulnerabilities and exposures, or CVEs, identified through mid-September. The number of CVEs is expected to climb to 47,000 by year-end. This risk environment creates significant challenges for companies and their insurers, and this excerpt from the article reviews how underwriters are responding to it:

Conversations with insiders suggest that the insurance industry is adopting a combination of approaches to address the increasing risk. Some carriers and brokers offer services to help policyholders address CVEs and other threats, such as proactively scanning networks and alerting to potential vulnerabilities. Others, such as Chubb, penalize policyholders that fail to address known threats in a timely manner, according to an industry insider who requested anonymity because they were not authorized to speak on the topic.

The penalty approach is based on a “period of neglect,” where coinsurance share increases based on the number of days an exploit wasn’t addressed, and limits of insurance are reduced accordingly. These terms are not new, and the insider tells Dark Reading that they are often negotiated out of the policy. Chubb did not respond to requests for comment.

The article quotes industry experts as saying that discussions with underwriters continue to focus on patching cadence and ensuring that “critical and high-severity CVEs are patched within seven days.” Companies usually patch critical applications first, but the problem is that the vulnerability may not be in the critical application itself, but in a more mundane one that interacts with it. As one expert points out, the 2017 Equifax breach was caused by an unpatched Adobe application that interacted with other critical applications.
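The two underwriting questions in the paragraph above, whether critical and high-severity CVEs are closed within seven days and whether a "mundane" application that feeds a critical one is being overlooked, are the kind of thing a security team can answer from its own asset inventory. The following Python script is an added illustration written for this post; it is not from the Dark Reading article, from any insurer, or from any vendor tool. The inventory, asset names, CVE identifiers (deliberately of the form CVE-EXAMPLE-nnnn) and dates are constructed placeholders, and the seven-day window and the "critical/high" scope are taken from the quoted underwriter expectation.

```python
from collections import deque
from datetime import date

SLA_DAYS = 7                               # "patched within seven days"
SLA_SEVERITIES = {"critical", "high"}      # severities the SLA applies to
AS_OF = date(2025, 10, 29)                 # constructed reporting date

# Constructed inventory: every asset, CVE id and date here is a placeholder.
# "interacts_with" records which other assets an asset sends data to, so a
# low-tier asset that feeds a critical one can be recognised as an exposure.
INVENTORY = {
    "billing-api": {
        "tier": "critical", "interacts_with": [],
        "cves": [{"id": "CVE-EXAMPLE-0001", "severity": "critical",
                  "known_since": date(2025, 10, 20), "patched": date(2025, 10, 22)}],
    },
    "report-uploader": {
        "tier": "standard", "interacts_with": ["billing-api"],
        "cves": [{"id": "CVE-EXAMPLE-0002", "severity": "high",
                  "known_since": date(2025, 10, 10), "patched": None}],
    },
    "ad-banner-service": {
        "tier": "standard", "interacts_with": ["report-uploader"],
        "cves": [{"id": "CVE-EXAMPLE-0004", "severity": "high",
                  "known_since": date(2025, 10, 25), "patched": None}],
    },
    "intranet-wiki": {
        "tier": "standard", "interacts_with": [],
        "cves": [{"id": "CVE-EXAMPLE-0003", "severity": "medium",
                  "known_since": date(2025, 9, 1), "patched": None}],
    },
}


def assets_reaching_critical(inventory):
    """Map each asset to the set of critical-tier assets it can reach,
    directly or transitively, along its interacts_with edges (BFS)."""
    reach = {}
    for start in inventory:
        seen, queue, hits = {start}, deque([start]), set()
        while queue:
            node = queue.popleft()
            if node != start and inventory[node]["tier"] == "critical":
                hits.add(node)
            for nxt in inventory[node]["interacts_with"]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        reach[start] = hits
    return reach


def days_open(cve, today):
    """Days from first awareness to the patch date, or to today if unpatched."""
    end = cve["patched"] or today
    return (end - cve["known_since"]).days


def overdue_findings(inventory, today):
    """Unpatched in-scope CVEs past the SLA. Findings on assets that are
    critical, or that feed a critical asset, are listed first so the
    'mundane app next to the crown jewels' case is not buried."""
    reach = assets_reaching_critical(inventory)
    findings = []
    for asset, info in inventory.items():
        for cve in info["cves"]:
            if cve["severity"] not in SLA_SEVERITIES or cve["patched"]:
                continue
            open_days = days_open(cve, today)
            if open_days > SLA_DAYS:
                findings.append({
                    "asset": asset, "tier": info["tier"], "cve": cve["id"],
                    "days_open": open_days, "days_past_sla": open_days - SLA_DAYS,
                    "exposes": sorted(reach[asset]),
                })
    findings.sort(key=lambda f: (0 if f["tier"] == "critical" or f["exposes"] else 1,
                                 -f["days_open"]))
    return findings


def sla_compliance_rate(inventory, today):
    """Share of in-scope CVEs resolved within the SLA. Unpatched CVEs still
    inside the window are pending and excluded; unpatched CVEs past it count
    as failures. Returns None if nothing is measurable yet."""
    passed = failed = 0
    for info in inventory.values():
        for cve in info["cves"]:
            if cve["severity"] not in SLA_SEVERITIES:
                continue
            open_days = days_open(cve, today)
            if cve["patched"]:
                passed += open_days <= SLA_DAYS
                failed += open_days > SLA_DAYS
            elif open_days > SLA_DAYS:
                failed += 1
    measured = passed + failed
    return passed / measured if measured else None


if __name__ == "__main__":
    for f in overdue_findings(INVENTORY, AS_OF):
        print(f"{f['asset']} ({f['tier']}): {f['cve']} open {f['days_open']} days, "
              f"{f['days_past_sla']} past SLA; reaches critical: "
              f"{', '.join(f['exposes']) or 'none'}")
    print(f"SLA compliance: {sla_compliance_rate(INVENTORY, AS_OF):.0%}")
```

Run against the constructed inventory, the script reports a single overdue finding: the standard-tier report-uploader, whose high-severity CVE has been open 19 days and which feeds the critical billing-api, while the critical asset itself was patched in two days. That is exactly the pattern the expert describes, and the ordering in overdue_findings is what keeps it at the top of the list rather than below the "critical" assets that are already clean. The compliance rate (one pass, one failure, one CVE still inside its window) is the kind of figure underwriters ask for when they discuss patching cadence.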