Why GRC programs could benefit cyber insurance


Cyber insurance enables global commerce in the face of cyber risk. Maturing in real time into this imperfect corner of the global economy has been turbulent, and that turbulence has affected both the underwriting and the claims process.

The 2024 NAIC Cyber Insurance Report demonstrates the cost of inadequate cyber risk management. For the top 20 cyber insurers by market share, $274 million was collected in policy premiums and $107 million was paid out in claims.

A baseline

Three items that can help to limit the exposure of cyber insurers are underwriting, claims, and cybersecurity. Underwriting something that doesn't conform to traditional risk models presents a learning opportunity for the insurers. Claims present a compound opportunity for the insurer: claims reflect risk that the underwriting process did not call out, and they may also be an opportunity to tighten the language in the policy. After all, insurance policies are contracts, and contract law is all about the language. Better cybersecurity is the area where many insurers, policyholders, and practitioners are focused on getting the best return on investment (ROI), but financial ROI does not always equate to better security.

This is a challenge for the cyber insurance industry. Insurers are masters of predictive analysis and risk assessment, yet cyber risk management continues to be elusive. Quantifying cyber risk is more abstract art than mathematical formula. Cybercrime, cybersecurity, and cyber claims data are distinct datasets: there is no single source of truth from which to build predictive models, and no easy way to correlate data gathered through different collection methods.

Similarly, not all cybersecurity solutions and services are equally effective, and integrating disparate solutions may decrease efficacy. Security solution efficacy (its catch rate) is a key component in understanding the cost of risk. Even mediocre security solutions can be better fortified if the organization has a strong governance, risk and compliance (GRC) program.

The impact of AI

We are a few years into integrating artificial intelligence (AI) into countless platforms, supporting a seemingly endless list of use cases. AI technology is disruptive to the extent of needing purpose-built regulations that promote its growth while safeguarding the people and assets it touches.

The rising threshold for cyber insurance is closely tied to the growing regulatory landscape. Regulations are one aspect of how cyber insurers can evaluate cyber risk.

GRC is a benchmark

GRC is an operational component of an organization's cybersecurity strategy. It has a long history in cyber risk management, as it aims to guide how the organization manages risk and adheres to regulatory requirements.

Regulatory requirements may be imposed by state or federal government and may be industry-specific (e.g., HIPAA, FERPA, FISMA, PCI DSS).

Using regulatory compliance as a benchmark for evaluating how well an organization manages risk is being adopted at greater rates. HITRUST and Lloyd's of London recently announced a joint effort to establish HITRUST compliance as a standard for reducing the cost of cyber insurance. While HITRUST is not appropriate for every organization, due to cost and limited resources, every organization should have a GRC program. Requesting to see audit reports and gap analysis documents should be part of every risk assessment.

For cyber insurers aiming to normalize how insureds and applicants are risk-rated, GRC is an under-utilized metric and risk mitigation tool. It is the role of the GRC team to know which regulations apply to the organization and how to meet their requirements. There is room for improvement: a 2023 survey of more than 1,300 respondents from around the globe who either influence or manage their organization's risk and compliance programs found that only 53% rated their programs as mature. Furthermore, the State of Risk & Compliance Report, from GRC software maker NAVEX, found that 20% described their programs as "early stage."

The law is reactive. Regulations are proposed and enacted after the impact of something new is understood. As technological advancements are made, regulations will follow.

Consider the following: If cyber insurers placed greater value on GRC, would program maturity statistics increase? If GRC maturity were used as a barometer of cyber risk management, would fewer security incidents follow, improving underwriting and lowering claims?
