The Messy Reality of Cyber Insurance


In an era dominated by technology and interconnectedness, the digital landscape has morphed into a breeding ground for chaos and exploitation. While technological advancements have brought unparalleled convenience and efficiency, they have also opened the floodgates to an escalating wave of cyber threats and attacks. 

In the midst of this digital dystopia, cyber insurance has emerged as a seemingly viable solution, promising to shield businesses and individuals from the fallout of cyber assaults. However, delving into the world of cyber insurance reveals a darker side riddled with disappointment, deception, and disillusionment.

The mid-2000s to early 2010s saw a boom in the cyber insurance market, with insurers vying to capitalize on the growing fear of cyber threats. Policies began to offer a false sense of security, claiming to shield businesses from a wide range of cyber risks. But, the truth lies in the fine print, where exclusions and loopholes abound, leaving policyholders exposed to the very risks they believed they were protected against.

One of the most insidious downsides of cyber insurance is its potential to breed complacency in SMBs. Businesses may view cyber insurance as a substitute for robust cybersecurity measures, neglecting to invest in preventive measures to thwart attacks. The result is a vicious cycle of escalating threats, and insurance claims that only serve to perpetuate cyber warfare.

In excerpts from an article by JUMPSEC, they wrote, “To cope with increasingly costly pay-outs, providers are redefining the terms of cyber insurance to reduce their exposure. The implications could spell myriad changes for the cybersecurity industry. Whatever the outcome, it’s time for organizations to re-evaluate whether their policy will cover them against the attacks they are most susceptible to.

JUMPSEC explores the current state of cyber insurance, and whether its potentially diminished role presents a problem or an opportunity for organizations looking to reduce their cyber risk exposure. Let’s take a look at a couple of eye-opening statistics…

  • Cyber insurance loss ratios are now consistently above 60%, presenting an existential threat to the insurance industry and making cyber risk unprofitable to the extent that it may become uninsurable.
  • Cyber insurance premiums have risen by over 94% from 2019 to 2022, in large part due to the rise of ransomware over that period. While cyber insurance appears to be growing sustainably, this is predominantly due to premium costs, not increased take-up rates or expanded coverage.

The future of the cyber insurance market is impossible to predict precisely. The insurance industry wants to send a clear message that the market is beginning to stabilize as it continues to grow. Others are announcing the industry’s dramatic decline or ‘imminent death’ of cyber insurance as we know it (i.e., Forbes). And it isn’t simply the media catastrophizing. The CEO of Zurich, Mario Greco, recently stated “What will become uninsurable is going to be cyber” – citing threats to critical infrastructure that can fundamentally disrupt wider society.

Even if organizations manage to afford increasingly expensive cyber premiums, the process of actually claiming compensation has been proven to drag on for years (over 5 years for both the Mondelez and Merck cases mentioned above).

In addition, companies are required to deploy an ever-increasing set of security controls in a changing regulatory landscape to qualify for cover in light of increasingly rigorous compliance checks, with:

  • Stricter demands from banks and financial regulators
  • Updated cybersecurity frameworks (i.e., NIST’s framework revisions)
  • New guidance from the Information Commissioner’s Office (ICO)

Specifically, insurers are requiring greater detail on how organizations monitor and manage their day-to-day cyber security operations, including minimum standards for multi-factor authentication (MFA) and endpoint detection and response (EDR). Auditor Grant Thornton outlined that higher-level evidence of staff training, vulnerability scans, and monitoring system logs will be ongoing requirements.

Between such geopolitical ambiguity, soaring premiums, and compliance challenges, organizations can no longer rely on insurance as the primary method of managing their cyber risk exposure.

But the removal of the perceived safety net that insurance provides may be exactly what organizations need – a wake-up call to make their business more secure. Not by checking compliance boxes to satisfy insurers, or relying on minimum standard annual testing, but by implementing controls that will make their organization more resilient to attack.

This isn’t to say that cyber insurance is a waste of money, with those who have the means and resources to fund it as an added layer of risk mitigation. However, many organizations are now reconsidering the role of cyber insurance and whether to renew their policy in 2023 and beyond.

Advice for security teams

As many organizations opt not to renew their cyber insurance policy for 2023, it is vital that they reinvest in their cyber defense capabilities, ensuring that the potential impact of a breach can be minimized. Organizations should assume that compromise is inevitable – and plan accordingly.

Even the most stringent cyber-insurance compliance requirements are still relatively basic. Regardless of how the cyber insurance market may change, organizations must ensure they are confident in their ability to prevent, detect, respond, and recover from cyber-attacks by looking beyond compliance.

As a minimum, all organizations must first be confident that:

  • Backups have been tested to ensure that recovery is possible and practical.
  • The ‘blast radius’ has been minimized in the event of a compromise through effective identity and access management, and network segmentation.
  • A well-established recovery plan has been designed and tested against specific incident scenarios, and contingencies for critical business functions are in place to ensure operational resilience.

Beyond these foundational controls, threat-led testing approaches enable organizations to move beyond a compliance-driven approach to:

  • Accurately assess which business processes, digital systems, technologies and people are most likely to be targeted by an attacker, and how they are most likely to be abused.
  • Evaluate the likelihood of certain attacks (based on specific threats the organization faces) against the impact of compromise and identify the highest risk scenarios possible.
  • Implement tailored and targeted prevention, detection, and response controls to mitigate the likelihood of a systemic compromise occurring, ensuring business continuity, and accelerating the restoration of normal operational levels.

Just as insurance companies are urging their subsidiaries to be extremely careful with the wording of their policies, organizations continuing to subscribe to cyber insurance need to provide clarity. Organizations with cyber insurance should review their policy, and perhaps schedule a frank conversation with their broker about when their organization is covered, and when it is not.” 

In excerpts from an article by Forbes, they wrote, “Hackers will go after the least complicated path with the highest yield. Large companies have more resources and deeper pockets; however, they typically have stronger security postures, making them more difficult to attack. A small business may not have as robust a security infrastructure or deep pockets, but their insurance company probably does, and the reinsurer certainly does. 

If your business is breached, telling the attacker you can’t afford to pay the ransom may quickly backfire, as ransomware gangs have been known to send copies of the victim’s cyber insurance policies to them. They do their homework and are often steps ahead of their targeted victims. 

Not surprisingly, the pain that cyber insurance companies experienced by improperly pricing the market has now been placed on the customer’s doorstep. Cyber insurance policies have had massive premium increases, and now there are more stringent and costly security requirements. They require clients to deploy and report on antivirus software, install firewalls, conduct regular system updates, deploy data and system recovery software and execute regular data backups to external media or secure cloud services. Clients must also have a system that manages user access and permission policies, ensure multifactor authentication, have an incident response plan, and perform regular employee cyber awareness training.

Finally, many insurance companies have “loopholes” in their contracts that can make it more difficult for clients to get paid on claims. For example, clients must demonstrate they have the aforementioned security measures and have implemented sufficient and regular cybersecurity training.

The average cost of business cyber insurance is $500 to $5,000 per year. Surprisingly, only 55% of organizations have cyber insurance; however, within the past three years, cyber insurance claims have increased by 100%, with payouts totaling 200%. Unfortunately, cyber insurance doesn’t cover property damage, such as damaged computers. This is a problem because, in addition to data, ransomware targets computer systems that can cost more to rebuild than purchasing new devices.

The most positive outcome of cyber insurance may be that it now mandates businesses to be more fully aware of the scope of cyber risk and prepared with the cybersecurity they need to protect themselves. With the kind of money insurance companies must pay out in the event of a costly breach, that seems like a fair shake to me. Ultimately, by forcing companies to beef up their security in order to qualify for cyber insurance, insurers are helping to fortify efforts to thwart ransomware attacks.”

What Small Businesses Need to Know About Cyber Insurance

In excerpts from an article by BizTech, they wrote, “Despite the rising frequency and cost of business data breaches, just over one quarter of small to medium-sized businesses carry cyber insurance.

In part, this stems from misplaced confidence, with 58 percent of businesses claiming they could “quickly resolve” any cyberattack. Businesses also expressed uncertainty about the costs, benefits, and challenges of bringing an insurance provider on board.

Both the upfront costs and the associated impacts of a breach on reputation and productivity make cyber insurance an attractive option for organizations. Yet those same factors have caused carriers to raise policy premiums and tighten conditions for coverage. According to Fortune, the average price of cyber insurance in the United States rose 79 percent in the second quarter of 2022.

Two factors play a significant role in this increase. First is the growing number of cyberattacks on businesses of all sizes, meaning there’s a greater chance of insurance claims and potential payouts. Second, many companies are using outdated or ineffective security controls, making it easier for attackers to gain access. As a result, cyber insurance companies are now requiring organizations to complete checklists that ensure they have basic security tools in place before policies are issued.

The Solutions SMBs Need to Stay Protected

Cyber insurance carriers don’t want to pay out to policyholders that are reckless or irresponsible.

For small businesses, this often takes the form of failing to adopt appropriate security policies and not implementing modern tools capable of detecting or responding to emerging threats. This is especially worrisome given the increasing preference of attackers to breach small businesses using ransomware and then use their ill-gotten gains to target larger enterprises.

To obtain cyber insurance coverage, SMBs should have four (at least) solutions in place.

  • Enterprise-grade email security: Insurance companies now ask small businesses to purchase and deploy enterprise-grade email security tools capable of automatically detecting and blocking common threats before they reach employee inboxes. These solutions often come with staff security awareness training options that can help reduce risk.
  • Data loss protection: SMBs must have tools in place capable of pinpointing potential security issues and taking action to prevent data loss. Third-party services such as penetration testing, policy, and access evaluations can help.
  • Multi-factor authentication: Passwords remain a problem for organizations of all sizes. As a result, SMBs must deploy MFA tools that ask users to provide an additional identity factor for access, limiting the ability of attackers to brute-force their way into networks.
  • Next-generation firewalls: Traditional, state-based firewalls can’t keep pace with new threats. Today, SMBs need next-generation solutions that help keep them ahead of attacker efforts.

For many small businesses, it isn’t enough to know what they need to secure a cyber insurance policy. They also need help with assessment, implementation, and ROI evaluation.”

Adaptive Advice

In addition to the mentioned cyber security measures, there are several other steps SMBs should take to enhance their overall cyber security posture, prevent cyber attacks, and be prepared to quickly recover in the event of a cyber breach…

  • Regular Employee Training: Conduct regular security awareness training for all employees to educate them about the latest cyber threats, phishing techniques, and best practices for handling sensitive information. Employees are often the weakest link in the security chain, and well-informed staff can help prevent social engineering attacks.
  • Strong Password Policies: Implement strong password policies that require employees to use complex passwords and change them regularly. Consider using password managers to assist with password generation and management.
  • Regular Software Updates and Patch Management: Keep all software, operating systems, and applications up to date with the latest security patches. Many cyber attacks exploit known vulnerabilities for which patches are available but have not been applied.
  • Network Segmentation: Segment your network into separate zones with restricted access to sensitive data. This way, even if an attacker gains access to one part of the network, they will have a harder time moving laterally to other critical areas.
  • Regular Data Backups: Perform regular data backups and store them securely offline. In case of a ransomware attack or data breach, having backups can help restore business operations quickly without paying the ransom or losing valuable data.
  • Incident Response Plan: Develop a comprehensive incident response plan to handle potential cyber security incidents. This plan should include procedures for identifying, containing, eradicating, and recovering from a cyber attack.
  • Vendor and Third-Party Risk Management: Ensure that your vendors and third-party partners adhere to robust security practices. Weaknesses in their systems could also expose your organization to cyber threats.
  • Mobile Device Security: Implement security measures for mobile devices used within the organization, such as password protection, encryption, and remote wipe capabilities.
  • Regular Security Assessments: Conduct regular security assessments, vulnerability scans, and penetration tests to identify and address potential weaknesses in your network and applications proactively.
  • Employee Access Control: Limit access privileges to only what employees need to perform their jobs. Regularly review and revoke unnecessary access to reduce the potential attack surface.
  • Monitor Network Activity: Implement network monitoring and intrusion detection systems to detect suspicious activities and potential breaches in real-time.

Remember that cyber security is an ongoing process, and it requires a proactive and layered approach to be effective. By combining the measures mentioned earlier with the additional recommendations, SMBs can significantly reduce their risk of falling victim to cyber-attacks.
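The "Regular Data Backups" item above (and the earlier point that backups must be tested so that recovery is actually possible) is the one control on this list that is routinely claimed but rarely exercised. The following script is an added example, not code from the original post or from any of the firms quoted; it assumes a plain directory-based backup, builds a SHA-256 manifest at backup time, and then performs a throwaway restore into a scratch directory and checks every file against the manifest. It also demonstrates the failure mode: after one backed-up file is altered, the same check reports the backup as unusable. All paths and sample files are constructed inline.

```python
"""Added example (not from the original post): verify that a backup can actually
be restored, rather than merely that it exists. Assumes a simple directory-based
backup with a SHA-256 manifest; paths and sample files are constructed inline."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> Path:
    """Record the hash of every file in the backup so a later restore can be verified.
    The manifest is written next to the backup directory, not inside it."""
    manifest = {p.relative_to(backup_dir).as_posix(): sha256_of(p)
                for p in backup_dir.rglob("*") if p.is_file()}
    out = backup_dir.with_suffix(".manifest.json")
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def restore_and_verify(backup_dir: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and compare every file against the manifest.
    Returns a report; 'ok' is True only if every expected file restored with the
    expected hash. The scratch directory is always removed afterwards."""
    expected = json.loads(manifest_path.read_text())
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        restored_root = scratch / "restored"
        shutil.copytree(backup_dir, restored_root)   # stands in for the real restore step
        missing, corrupted = [], []
        for rel, digest in expected.items():
            target = restored_root / rel
            if not target.is_file():
                missing.append(rel)
            elif sha256_of(target) != digest:
                corrupted.append(rel)
        return {"ok": not missing and not corrupted, "checked": len(expected),
                "missing": missing, "corrupted": corrupted}
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo() -> tuple:
    """Build a constructed sample backup, verify it, then alter one backed-up file
    and verify again to show that the check actually detects a bad backup."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        backup = root / "nightly"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2023-01-01,100\n")
        (backup / "readme.txt").write_text("constructed sample backup\n")
        manifest = write_manifest(backup)
        good = restore_and_verify(backup, manifest)
        # Simulate bit-rot or tampering in the stored backup after the manifest was taken
        (backup / "finance" / "ledger.csv").write_text("date,amount\n2023-01-01,999\n")
        bad = restore_and_verify(backup, manifest)
        return good, bad
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    good, bad = demo()
    print("clean backup:   ", good)
    print("tampered backup:", bad)
```

In practice the `copytree` call would be replaced by whatever the backup tool's restore command is, and the manifest should be stored somewhere the backup job itself cannot overwrite (an offline copy or a write-once location), since a manifest that lives beside the backup offers no protection if both are altered together. Running this on a schedule, and treating a non-`ok` report as an incident, turns "we have backups" into "we have verified we can restore".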

Conclusion

The digital landscape, once heralded as a gateway to convenience and efficiency, has evolved into a breeding ground for chaos and cyber exploitation. Cyber insurance emerged as a solution promising protection against the rising tide of cyber threats, but delving into its realm reveals a darker reality marred by disappointment, deception, and disillusionment.

The mid-2000s to early 2010s witnessed a surge in the cyber insurance market, with policies offering a false sense of security, only to hide exclusions and loopholes that leave policyholders exposed to unforeseen risks. Moreover, cyber insurance’s potential to breed complacency is concerning, as businesses may forgo robust cybersecurity measures, relying instead on insurance to mitigate the consequences of cyber attacks.

The current state of cyber insurance is marred by soaring premiums and stringent security requirements, as insurers seek to manage the growing frequency and cost of cyber breaches. However, this trend can create challenges for businesses, leading them to reevaluate the role and worth of cyber insurance.

While cyber insurance remains a viable risk mitigation option for some organizations, it does not absolve them of the responsibility to fortify their cybersecurity measures. Implementing robust security controls, threat-led testing, and advanced tools becomes an essential step in facing evolving cyber threats.

For small businesses, obtaining cyber insurance coverage necessitates the deployment of specific security solutions, including enterprise-grade email security, data loss protection, multi-factor authentication, and next-generation firewalls. These measures not only improve cybersecurity but also help businesses qualify for cyber insurance policies.

Bottom line… the messy reality of cyber insurance exposes the need for businesses and individuals to approach this financial instrument with caution and awareness. While it may provide some level of protection, it should not replace comprehensive cybersecurity measures to combat the ever-changing and ever-escalating threats in the cyber realm.

At Adaptive Office Solutions, cybersecurity is our specialty. We keep cybercrimes at bay by using analysis, forensics, and reverse engineering to prevent malware attempts and patch vulnerability issues. By making an investment in multilayered cybersecurity, you can leverage our expertise to boost your defenses, mitigate risks, and protect your data with next-gen IT security solutions.

Every single device that connects to the internet poses a cyber security threat, including that innocent-looking smartwatch you’re wearing. Adaptive’s wide range of experience and certifications fills the gaps in your business’s IT infrastructure and dramatically increases the effectiveness of your cybersecurity posture.

Using our proactive cybersecurity management, cutting-edge network security tools, and comprehensive business IT solutions, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime. With Adaptive Office Solutions by your side, we’ll help you navigate the complexities of cybersecurity so you can achieve business success without worrying about online threats.

To schedule a Cyber Security Risk Review, call the Adaptive Office Solutions’ hotline at 506-624-9480 or email us at helpdesk@adaptiveoffice.ca
