Cyberinsurance is becoming an increasingly costly item on company balance sheets. With insurers and underwriters now demanding to see effective security controls, having a solid application security program could mean very real savings on premiums.
Key takeaways
After years of meteoric growth in the cyberinsurance market alongside a dramatic increase in costly breaches hitting both the insured and uninsured, that market is poised for a reset. Cyberinsurers are seeing their payout costs skyrocket and are on a mission to limit their exposure and make their policies more profitable.
This could be a wake-up call for companies that overly rely on cyberinsurance – particularly those whose executives have become comfortable with the misperception that cyberliability policies are an acceptable substitute for a sound cybersecurity program. As cyberinsurers become more sophisticated in tying premiums and coverage limits to the level of security controls put in place by policyholders, organizations will need to rethink using cyberinsurance as a proverbial security blanket.
This means that to affordably maintain cyberinsurance coverage – and be assured of a payout when incidents happen – companies will have to reliably prove their security controls to insurance companies. And they’ll need to go far beyond basic best practices like having multifactor authentication (MFA) and incident response plans. They’ll need to build out a layered and comprehensive cybersecurity program that also incorporates vulnerability management and application security measures, including regular dynamic application security testing across their entire attack surface.
The shake-up in the cyberinsurance industry is already well underway. Last year saw increases in premiums, restrictions of coverage, and limitations in the kinds of policies insurers were willing to offer. A report from The Wall Street Journal in February shows that between 83% and 88% of companies (depending on size) reported cyberinsurance premium increases for the same level of coverage during their most recent renewal periods. Additionally, between 46% and 49% of companies said their coverage terms became more restrictive, and 28% to 45% said that fewer insurers were willing to offer them a policy.
Quarterly percentage jumps in premium rates for cyberinsurance renewals seemed to reach a peak in the U.S. market at the tail end of 2021, with a 34% increase in the fourth quarter, according to an April report from credit and insurance ratings firm Fitch Ratings. On an annual basis, the report shows that the U.S. market saw a 73% increase in premium rates in 2021 and a further 50% jump in 2022. The slight deceleration in premium increases is attributed to a couple of key factors: underwriters becoming savvy about how and when they write policies, and insurance companies actively accounting for security controls demonstrated by their policyholders.
“Insurers serve a role in promoting effective cyberrisk management practices for policyholders and have become more insistent that insureds demonstrate practices that include use of dual factor authentication, diligent system updates and patches, and frequent employee cybertraining as part of the application process,” the Fitch Ratings report explains.
The Wall Street Journal report also states that experts from MunichRe, a global reinsurer, have observed that insurance companies are moving away from questionnaires to underwriting that “relies on using objective, data-driven information on the risk profile of applicants.” For organizations seeking new policies and renewals, factors such as security ratings and risk scoring from firms like RiskLens, SecurityScorecard, and RiskRecon – as well as proven compliance with security standards and guidelines such as the NIST Cybersecurity Framework (CSF) – could count for a whole lot more when negotiating premiums and coverage terms.
Traditionally, the security control categories most frequently named by insurance companies in their cyberinsurance application forms have focused on endpoint and network security, including MFA, encryption, incident response, antivirus, and firewalls. While having a DAST (dynamic application security testing) solution and other application security tools such as IAST (interactive application security testing) or SCA (software composition analysis) might not check off any of those specific boxes, demonstrating that you have an effective application security program could still help optimize cyberinsurance premiums and coverage levels. DAST can be especially useful because it can be deployed quickly and can test any web application regardless of technology stack or source code availability. Showing that you have a process for testing applications in both development and production could influence cyberinsurance negotiations in a number of ways, both near- and long-term.
Implementing a DAST-based application security program can contribute to reducing cyberinsurance premiums by improving the security posture of web applications and reducing the likelihood of successful cyberattacks. By identifying and fixing vulnerabilities proactively, companies can lower their risk of security breaches and potential financial losses associated with cyberincidents. This can go a long way with insurers – and potentially result in lower premiums or more favorable insurance terms when you’re in the market for cyberinsurance.