Cyber risk is on the rise as the combined impact of surging threat levels, expanding attack surfaces and security skills shortages are putting organizations at a disadvantage. Faced with an increased likelihood that they may suffer a damaging security breach, many may be looking to transfer (some) liability onto a third-party carrier. But those who believe they can simply use cyber insurance as a replacement for investments in best-practice cybersecurity may be mistaken. In fact, the latter are increasingly now a pre-requisite for coverage.
So if cyber insurance isn’t a “get out of jail free” card for businesses, what is it good for?
What is cyber insurance?
At a very basic level, cyber insurance helps to insulate companies of all sizes from the financial impact of serious incidents such as data breaches and leaks. Depending on the policy, it might provide:
- Access to pre-breach assessments, vetted vendors and information to help enhance resilience before an incident
- Assistance with post-breach notification, forensic investigation, legal services and crisis management expertise
- Financial support for legal costs and damage claims against your company
- Cover for costs incurred to keep business operational and restore data, as well as loss of revenue
Policies can vary a great deal, but there are two main types of coverage:
- First-party coverage: Related to the direct impact to your business of a cyber incident. This includes the cost of lost or damaged software, legal bills, forensics, customer notification, monetary theft etc
- Third-party coverage: This relates to claims filed by others against your firm for losses they have experienced due to a cyber incident. This includes things like legal settlements with customers, lawyer and accountant fees etc
It’s important to note that cyberattacks on your company assessed to be “acts of war” may not be covered by your policy. Lloyd’s of London took the controversial step to force its insurers to insert a cyber war exclusion clause, in order to reduce carrier liability for state-sponsored attacks. However, proving that a threat actor was carrying out an act of war could be extremely challenging.
Why do I need cyber insurance?
Most companies will be in no doubt about why cyber insurance is predicted to be a US$64 billion industry by 2029. A combination of surging cyber threats and associated costs, plus increasing scrutiny from regulators, is forcing companies to find tried-and-tested ways to mitigate their risk exposure.
The move to hybrid working, combined with cloud and digital investments during the pandemic, has helped to drive productivity and more agile business processes, but also increased the cyber-attack surface. Unpatched home working endpoints, misconfigured cloud systems and mobile-borne threats are just the tip of the iceberg. One 2022 report claims that (79%) of organizations feel recent changes to working practices have negatively impacted their organization’s cybersecurity. In another, 43% of global organizations agree their attacks surface is “spiralling out of control.” The attack surface also extends to complex supply chains, and potentially negligent employees. An estimated 98% of global companies suffered a breach via their suppliers in 2021, for example.
As a result:
- The US suffered a near-record number of publicly reported data breaches in 2022
- Two-fifths of UK organizations surveyed in 2022 reported suffering a security breach in the previous 12 months
- Over a quarter (27%) of UK tech and business leaders expect business email compromise (BEC) and “hack and leak” attacks to increase in 2023, and 24% say the same about ransomware
Not only are serious security incidents more likely today. They’re also costing victims more. In 2021, the cost of cybercrime incidents reported to the FBI hit US$6.9 billion. A year later the total hit $10.3 billion – a 49% increase. That makes the total for the five years to 2022 a staggering $27.6 billion.
How do I qualify for coverage?
The cyber insurance market has undergone dramatic change over the past few years. A surge in ransomware breaches and subsequent claims during the pandemic led some to blame the sector for indirectly encouraging threat actors to launch attacks. The losses suffered by many carriers led to corrective action – a significant increase in premium rates and reduced coverage. Fortunately, prices are now stabilizing so policies are becoming affordable again.
Part of this is down to more granular policies which demand more of prospective customers. In this way, we can see the role of cyber insurance evolving – from lender of last resort to a security partner incentivizing good behavior. In short, by requiring companies to put in place best practice security controls and cyber-hygiene measures, insurers can actually drive baseline improvements in cyber risk management.
Depending on the policy, these measures could include:
- Regular (and off-site) data backups
- Use of strong, unique passwords and two-factor authentication
- Vulnerability scanning and automated risk-based patch management
- Cybersecurity awareness training programs run continuously
- Endpoint security software
- Regularly tested incident response plans
- Network segmentation to minimize the "blast radius" of attacks
What happens next?
SMEs and large businesses still rank cyber incidents as their number one threat. As costs mount, they will turn in ever greater numbers to cyber insurance. That in turn should drive improved security, lower risk and more affordable coverage. But there’s still some way to go: around half (48%) of SMBs still don’t have coverage, versus 16% of large organizations, according to the World Economic Forum (WEF). To optimize your use of insurance in the future, reading the policy small print will be more important than ever.
To find out more about cyber insurance for enterprises, this ESET handbook has you covered.