The world of cyber insurance – constantly changing

Michael Winte

Michael Winte is the head of the Cyber, Technology & Crime division of Funk, an international insurance broker and risk consultant. In the following interview, he reports on changes and developments in the insurance market, with advice and tips on incident prevention and cyber policies. He also offers a prediction on how cyber insurance premiums will develop.  

Michael Winte, Head of the Cyber, Technology & Crime division of Funk

Mr. Winte, could you tell us a little about yourself?

I’m 46 years old and was born in the beautiful city of Bremen – but I’ve been living in Hamburg for some time now. I earned a degree in insurance management in Cologne and, after working in a few shorter-term positions, joined Funk eight years ago. Shortly after starting with the company I got interested in cyber insurance. A lot has changed since then – both here at Funk, where we’ve added many new colleagues, and on the market.  

What are your perceptions of the cyber insurance market – both looking back and today?  

The cyber insurance market has changed a lot in the past years. At the beginning it was still no problem to buy extensive coverage of EUR 25 million or even more from an insurer – based on risk information that was rudimentary at best. Today insurers are very cautious. The high number of claims in the recent past and insurers‘ increased know-how have led to limitations on capacity and coverage amounts. At the same time, premiums, deductibles, and IT security requirements for clients are growing.

Funk acts as a broker for companies of all sizes. How do you see the situation today: can‘t companies – at least those of a certain size, let’s say with EUR 300 million in annual sales – just invest in technical and organizational measures on their own and cover any remaining risk themselves? To put it another way: how can cyber insurance pay off for both sides in the long term?

Transferring risk to an insurer can only ever be the last step in a comprehensive risk strategy. Some risk will always remain – if it didn’t, insurance would be obsolete. To this extent, the current trend for insurers to look more critically at their client’s IT side makes perfect sense. On the other hand, insurers adjusting their premiums shouldn‘t lose sight of what’s reasonable. If premiums continue to skyrocket while coverage requirements (in other words, obstacles) for their clients become even stricter, cyber insurance will eventually become unattractive, even for companies.

What preventative measures would you recommend, especially for manufacturers?

For manufacturers, IT primarily serves to support implementation of required processes. In addition to key fundamental measures to protect IT, these companies often need to focus on safeguarding IT-enabled production processes (OT). The following aspects are especially worth mentioning:

  • Using network segmentation to separate IT from the OT infrastructure. A firewall should be established at the network gateway, with whitelisting of the necessary communication protocols. The firewall should be capable of behavior-based threat detection and IDS/IPS should be activated.  
  • Legacy systems (outdated operating systems and software components) should play the smallest role possible in communication (no access to emails or the Internet).
  • Remote access points in OT, such as those for maintenance purposes, should not be permanently available. Instead, connection should only be possible after explicit approval (manual 2FA) or secured with MFA.   
  • Endpoint protection solutions should be in place on all available and approved systems. Due to different manufacturer guidelines, not every solution can be implemented in each case.
  • Patch management and backup management should also cover OT systems.

This list is certainly not exhaustive and a number of points could be added.

Should companies‘ insurance even cover ransom payments if they are affected by ransomware attacks? Or is refusing to pay under any circumstances a better choice?

In our point of view, it’s difficult to give general advice on this question. Our experience shows that paying a ransom makes no sense in many cases. However, we have also seen individual cases in which, for example, attackers threatened to publish business-critical data. In cases like these, the victims essentially had no choice but to pay the ransom and prevent a further threat to the company’s very existence. Insurers are increasingly careful and are imposing lower limits for these situations. As we see it, however, the coordination required among IT experts, regulatory bodies, and insurers generally leads to sensible outcomes and decisions against paying ransoms.

What technical developments in cyber security do you find especially interesting?

In light of the threats that exist today, it’s hard to limit ourselves to individual topics. Of course, it’s no surprise that questions directly related to the crisis in Ukraine are very pertinent. Recommendations to stop using certain products (like the warning from Germany‘s Federal Office of Information Security regarding Kaspersky) are just one example. This situation could demand enormous costs and effort from companies.

We also see the topic of securing AD-based administrative accounts growing in importance. Implementation feasibility is central here; in other words; what do potential solution approaches look like? In our view, companies clearly need an easy-to-use solution that offers full protection and functions in every context – especially in light of the different infrastructure models in use. But in the end, such a solution is still just one small sub-aspect of the ransomware resilience complex. We are aware of many developments and extensive requirements that will certainly become no less important and exciting in the future.

Do any industries or types of companies have an especially hard time getting coverage?

The majority of insurers have absolutely no risk appetite for certain industries, including gambling, adult entertainment, or fossil energy, to name a few. They also tend to be skeptical about public utilities, cities, and municipalities – and currently media companies as well.

Are there two or three less obvious aspects of cyber policies that companies should keep in mind? Could you share any tips or tricks?

In our opinion, the most important aspects to consider are the sub-limits available for ransomware attacks (many insurers no longer offer full-capacity coverage for such incidents) and their own technical obligations. By imposing these obligations, insurers shift the risk assessment, which should normally take place before the contract is signed, into the claims process. As a result, clients risk having their coverage denied if the insurer accuses them of failing to meet minimum technical standards. We believe that insurers should check whether their standards are met before the contract is signed and not confront companies with accusations of failure to meet them when they make a claim.

Is it true that insurers don’t pay claims if, for example, companies don’t take certain actions on time or provide incorrect information about their IT up front?

We haven’t experienced a case like that. But it’s true that insurers today often impose requirements and set deadlines for implementing certain measures. If companies don’t take these steps, their insurance will no longer cover some claims – for example, those due to ransomware. If a company provides false information before signing the contract, the insurer may indeed be justified in withdrawing or contesting coverage under Germany’s Insurance Contract Act (VVG). In this sense, companies should check all information they provide to their insurers very carefully.

Are there any other misrepresentations or half-truths that you frequently hear, even from experts?

We wouldn’t use the terms “misrepresentation” or “half-truth.” But certainly in today’s highly dynamic market environment we hear statements and assumptions that, in our view, overshoot the target or simply aren’t feasible in practical terms. In some cases, we see a failure to take a company’s specific circumstances into account. In the words of our cyber risk consultants, the requirements are “over-engineered.” That’s not to say that requirements in general don’t make sense – and thanks to the many claims they process, insurers know a lot about the attack vectors. At the same time, companies simply don’t have the financial or personnel resources to implement some requirements. Sometimes lack of know-how is an obstacle too, meaning that companies need a service provider’s support. That drives up costs as well. For this reason, we increasingly hear the question of whether cyber coverage makes sense. That brings us back to the beginning of our conversation and the importance of a comprehensive risk strategy – in which risk transfer is just one small part.

As you see it today: are premiums likely to keep going up, or will they eventually drop again (adjusted for inflation, etc.) as companies increasingly adopt security measures?

We don’t anticipate the current trend of rising premiums to reverse any time in the near future. But we also believe that the adjustment reached its peak last year and further increases will be somewhat more moderate. Stable premiums are unlikely in the foreseeable future, in part due to the very high claims level.

Please remember: This article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.