Guest blog post by Sidney Prasse, Partner – Cyber, McGill and Partners
Not too long ago, many organizations would have classified cyber insurance as throw-in coverage capturing very little boardroom time and attention. We saw the few catastrophic "claims of the century" in the Yahoo data breach, NoyPetya malware attack, and Equifax data breach cascade through the insurance market, but the effects eventually felt isolated to certain industry classes and cycled through the market news wheel. If I were to use a true barometer for change, it was a very different time just four years ago pre COVID-19 pandemic. Remote working technology erupted, and organizations adopted remote/hybrid models, forever changing the way we work.
Fast forward to present day 2024, we would be hard-pressed to find a Fortune or Global 1000 company that does not transfer a portion of their modeled cyber risk today. This was simply not the case 10 years ago. General cyber insurance needs and spending continue to outpace the needs and spending from the previous year. According to Munich Re data, the cyber insurance market will more than double from $14B in 2023 to $29B in 2027. Capital markets see the need for insurer optionality across the cyber insurance market as demand for new coverage and creativity rises. Regulators like the Securities Exchange Commission see the impact that cybersecurity and cyber incidents can have on the economy and investor sentiment, which ultimately led to the new disclosure rules for companies subject to the Securities Exchange Act of 1934.
With that historical context and future framing, let’s shift gears to the customer — the cyber insurance buyer today. Navigating an industry still in its infancy phase is challenging for all parties involved, but especially the buyer. The cyber insurance procurement process is not all that intuitive. The last several renewal cycles may have included overwhelming and duplicative applications followed by extensive back-and-forth between risk management, IT colleague(s), and the broker to perfect responses and weigh marketing results. It can feel deflating when every year is a struggle, procedurally and financially.
But what if there was an easier way? What if your incredibly robust HITRUST r2 certification attested by third-party audit firms (assessors) could double as a cyber insurance submission body, create synergies between compliance, security, and cloud providers, and boost security ROI?
Look no further. Pivoting to leverage your already compiled, extensive data sets housed in HITRUST’s MyCSF SaaS platform will benefit everyone along the cyber insurance chain. Moving to a third-party attestation model creates absolute certainty around maturity states and brings far more transparency to the industry than we have now — which I’d loosely classify as a trust-and-sign model.
Let this be a call to action for all insureds (customers, buyers) and insurers (sellers). Rallying behind seasoned cyber underwriting practitioners in support of a first-of-its-kind cyber tech E&O insurance facility powered by HITRUST will bring lasting change to the industry. Turn-key capacity for HITRUST customers, differentiated terms for mature organizations that cannot seem to escape their industry shadow in the open market, and ROI incentives represent a few of the tangible benefits HITRUST customers can expect to see from this facility.
When purchased thoughtfully and strategically, cyber insurance can be an invaluable hedge against business risk. It’s time to reinvent the procurement process for CISOs and risk management professionals. We are thrilled to see Trium and HITRUST partner on this endeavor and pioneer change for healthcare, cyber tech, E&O insurance, and beyond.
If you are interested in exploring how your HITRUST certification can unlock benefits in the cyber insurance realm, check out this press release.