Aleksander Jarosz, Threat Intelligence Analyst at EclecticIQ, discusses why cyber insurance is a vital investment for businesses as the workplace becomes increasingly digital during the pandemic
Over the last two decades, the number of cyber-attacks taking place has skyrocketed, making cybersecurity one of the biggest concerns to businesses today.
Twenty-twenty began relatively well, with January seeing only 61 disclosed cyber incidents, however, this was a six-month low compared to the average of almost 80 data breaches and attacks in 2019. The pandemic has drastically impacted cybersecurity and it’s driving significant change within organisations. Government restrictions have meant that huge amounts of employees are having to work remotely in the long term and businesses across every sector have had to adapt to survive.
Working remotely creates the potential for a variety of security issues, for example, accessing work files and completing work tasks on personal devices or home networks can be risky. Conversely, staff working remotely are more likely to be using corporate devices to conduct personal activity, such as online shopping, web surfing and financial transactions, which also poses a significant threat to businesses, as it expands the surface area for threat actors to exploit. For example, our analysts also observed poor patch management of remote systems due to hasty configuration, sudden demand increase, and increased risk from video conferencing.
There are many different kinds of cybersecurity offerings that businesses can choose from to protect themselves from cybercriminals. Cyber insurance is one of the lesser-known and arguably underrated solutions on the market. Despite having been available in the UK for over 15 years now, cyber insurance still isn’t considered a necessity, especially by small businesses. For example, in 2019, only 11% of businesses had taken out a specific cyber insurance policy. That being said, over the next five years, the cyber insurance market is still expected to grow by 33% annually. So why are more businesses considering investing in cyber insurance, and why now?
What does cyber insurance offer organisations?
As the name suggests, policies usually cover a business or individual against the specific financial costs which may arise out of a data breach or cyber-attack. Potential damages can be categorised into first-party or direct losses, and third-party costs, including customers who may have also been financially impacted the breach. The specifics of coverage will vary, based on the provider and the specific needs of your business. However, most basic policies will include coverage for the following:
- The costs of a forensic analysis of the cyber-attack
- Costs resulting from business interruption and downtime
- Legal costs – either due to regulatory penalties or potential lawsuits
- Costs relating to PR and reputation management following a breach
As with any kind of insurance, businesses need to be aware of any exemptions which may exist. For example, a common exemption in cyber insurance policies is “acts of war” which may put the organisation at risk of not being covered in the event of an attack. In 2017, for instance, US Pharma giant, Merck, was denied over a billion dollars of insurance pay-out, after it was hit by a major cyber-attack. The breach took down over 30,000 laptops and desktops and 7500 servers. As a result, the company suffered significant downtime, which later hurt revenue. However, the insurance company managed to avoid paying the claim. The company claimed that the “acts of war” clause had been breached, despite this not being the case.
The Merck example should be a cautionary tale to businesses. It highlights the importance of knowing the specific kinds of cyber-attacks that they’re likely to experience and whether their policies cover this. Unfortunately for businesses, the capabilities of hackers have grown extensively over the last few years, partly due to the plethora of information readily available on the dark web. Cybercriminals are now able to share and access more sophisticated tools and malware. As a result, the frequency, variety and complexity of scams have all grown.
Why has cyber insurance become an essential purchase?
Every method of cybersecurity protection has its cons and cyber insurance is no exception. A key example of this is that businesses will often still have to cover some of their own costs. When an organisation is exposed to a cyber-attack, malicious code is often placed within its networks. As a result, the company may have to pay for baseline recovery costs (in the form of new software or hardware, for example), and often cyber policies will only cover costs beyond this ‘baseline’. Additionally, despite policies usually covering PR costs, in many cases, the company will still suffer significant reputational damage. Current customers or prospects may lose faith in the business, impacting profits later down the line.
While these are valid arguments for the use of alternative cybersecurity measures, cyber insurance should be viewed as part of an integrated cybersecurity approach. It should be invested in alongside additional and complementary cybersecurity strategies. Investing in insurance will not reduce the risk of getting hit by a cyber-attack. However, it’s important to remember that most cybersecurity tools are preventative measures and businesses need to consider what incident response measures they have in place, in the unfortunate event of a security breach. This is where cyber insurance becomes both a viable and sensible option.
What are the takeaways?
For organisations to be as safe as possible, there needs to be a cultural shift in the way that business leaders view cybersecurity. The likelihood of a data breach is now so high that leaders need to not only invest in preventative cybersecurity tools but also have a plan in place, in the event of an incident. Instead of considering whether cyber insurance is worth investing in, businesses should now be thinking about what kind of policy will provide them with the best coverage. In a post-COVID landscape, having suitable cyber insurance be the difference between a business staying afloat following a cyberattack … or not.
