While not a ‘get out of jail free’ card for your business, cyber insurance can help protect it from the financial impact of a cyber incident.
Cyber risk is increasing as the combined impact of soaring threat levels, expanding attack surfaces and shortages of security skills puts organizations at a disadvantage. Faced with the increased possibility that they may experience a catastrophic security breach, many may want to shift the responsibility onto a third-party operator. But those who believe they can use cyber insurance as a substitute for investing in best-practice cybersecurity may be wrong. In fact, the latter is increasingly becoming a prerequisite for coverage.
So if cyber insurance isn’t a ‘get out of jail’ card for business, what’s the point?
What is cyber insurance?
At the most basic level, cyber insurance helps protect companies of all sizes from the financial impact of serious incidents like data breaches and leaks. Depending on the policy, this may provide:
- Access to pre-breach assessments, vetted vendors, and information to help increase resilience before an incident
- Assistance with post-breach notices, forensic investigations, legal services, and crisis management expertise
- Financial support for legal fees and damage claims against your company
- Coverage of costs incurred to maintain business operations and recover data, as well as lost revenue
Policies can vary widely, but there are two main types of coverage:
- First-party coverage: This relates to the direct impact of cyber incidents on your business. It includes the costs of lost or damaged software, legal bills, forensics, customer notifications, stolen money, etc.
- Third-party coverage: This relates to claims filed by other people against your company for losses they have suffered as a result of cyber incidents. It includes things like legal settlements with customers, attorney and accountant fees, etc.
It is important to note that cyber attacks against your company that are assessed as “acts of war” may not be covered by your policy. Lloyd’s of London has taken controversial steps to force its insurers to include cyber war exclusion clauses, to reduce carriers’ liability for state-sponsored attacks. However, proving that a threat actor is carrying out an act of war can be very challenging.
Why do I need cyber insurance?
Most companies will have no doubts about why cyber insurance is expected to be an industry worth US$64 billion by 2029. The combination of soaring cyber threats and associated costs, plus increased scrutiny from regulators, is forcing companies to find tried and tested ways to mitigate their risk exposure.
The move to hybrid work, combined with cloud and digital investments during the pandemic, has helped drive productivity and more agile business processes, but has also increased the cyber attack surface. Unpatched work-from-home endpoints, misconfigured cloud systems, and mobile-borne threats are just the tip of the iceberg. One 2022 report claims that 79% of organizations feel that recent changes to work practices have negatively impacted their organization’s cybersecurity. In another, 43% of global organizations agree that their attack surface is “over the top”. The attack surface also extends to complex supply chains and potentially negligent employees. An estimated 98% of global companies experienced breaches through their suppliers in 2021, for example.
As a result:
- The US suffered a near-record number of publicly reported data breaches in 2022
- Two-fifths of organizations surveyed in England in 2022 reported suffering a security breach in the previous 12 months
- More than a quarter (27%) of the UK’s technology and business leaders expect business email compromise (BEC) and “hack and leak” attacks to be on the rise in 2023, and 24% said the same about ransomware
Not only are serious security incidents more likely to happen these days; they also cost victims more. In 2021, the cost of cybercrime incidents reported to the FBI was US$6.9 billion. A year later, the total was $10.3 billion – an increase of 49%. That brings the total for the five years to 2022 to $27.6 billion.
How do I qualify for coverage?
The cyber insurance market has undergone dramatic changes over the last few years. The spike in ransomware breaches and subsequent claims during the pandemic led some to blame the sector, arguing that it indirectly encourages threat actors to launch attacks. The losses suffered by many operators led to corrective actions – a significant increase in premium rates and reduced coverage. Fortunately, prices are now starting to stabilize, so policies are becoming affordable again.
This is partly because of more detailed policies that demand more of potential customers. In this way, we can see the role of cyber insurance evolving – from lender of last resort to a security partner who encourages good behavior. In short, by requiring companies to implement best-practice security controls and cyber hygiene measures, insurers can actually drive basic improvements in cyber risk management.
Depending on the policy, these steps may include:
What happens next?
SMEs and large businesses still rank cyber incidents as their number one threat. As costs increase, they will hand over larger amounts to cyber insurance. That in turn will lead to increased security, lower risk, and more affordable coverage. But there is still a long way to go: around half (48%) of SMEs still lack coverage, compared to 16% of large organizations, according to the World Economic Forum (WEF). To optimize your future use of insurance, reading the fine print of a policy will be more important than ever.