Page 198 - Cyber Defense eMagazine Annual RSA Edition for 2024
to customs and suffered $356m in damages. And 23andMe, the genetic-testing company, admitted that
nearly 7 million people’s personal data was accessed by threat actors in December 2023.
A twofold plan of action to address cybersecurity in this new age has become a must, involving: (a) a
shift to require the overall effectiveness of a company's defensive tools and people when responding to and
recovering from cyberattacks and (b) mitigating the increasingly material monetary risks that a company is
not able to demonstrably contain for itself.
Cyber Insurance: Mitigating the financial risks of cybercrime
Cyber insurance, or cyber liability insurance, attempts to insulate businesses and individuals from the
financial losses incurred by cyber incidents. Such severe threats often exceed companies’ ability to
contain or control them, but how do companies and insurers know where to draw that line?
IBM reports that the global average cost of a data breach went up by 15% over the last three years, hitting
$4.45 million in 2023. As costs increase and cyberattacks become more aggressive, especially with
cybercriminals now harnessing the power of AI, cyber insurance and a comprehensive view of actual and
residual cyber risk exposures are no longer a luxury.
A World Economic Forum report suggests that 71% of organizations now have cyber insurance.
However, this still leaves a sizable proportion of businesses with no protection, and even among that 71%,
the majority do not have satisfactory coverage. A bigger obstacle, though, is that ineffective underwriting
models continue to dampen both businesses' appetite for cyber insurance and insurance companies' willingness to
provide it.
A lack of understanding of a company's ability to withstand severe cyber events underlines why Boards
are unsure about whether they have those cyber risks covered, and accentuates why premiums are so
expensive. Demanding and using a data-driven, efficacy-based approach to know where that line actually
lies in cyber provides a fairer option to companies and can put the insurance industry back on the rails
for profitable growth.
Issues with current insurance underwriting models
Today, cyber underwriting remains primarily reliant on inputs from traditional paper-based assessments.
There have been recent improvements, including increased data on major losses, which has allowed
underwriting models to cater more specifically to company and industry characteristics. The ability to
leverage vast datasets on losses that increase the granularity of risk assessments greatly improves
understanding of the ways in which companies can control and mitigate cyber risks. This is exemplified
by the NIST Cybersecurity Framework 2.0 and the Center for Internet Security (CIS) Critical Security
Controls, both of which have helped to improve the traditional model.
However, despite the establishment of more comprehensive guidelines for managing risks, underwriting
models continue to rely heavily on paper-based assessments of 'control maturities' and generic models