Threat actors are hitting businesses hard, and often. According to Astra Security, companies now face more than 4 000 cyberattacks every day. From data breaches to ransomware, they are constantly bombarded by digital threats. As data and IT systems are critical to keeping operations running smoothly, these breaches don’t just disrupt workflows, they also carry a growing financial burden. New research from IBM and the Ponemon Institute found that the global average cost of a data breach has surged to $4.88 million, a 10% increase from last year. Businesses are becoming more aware of the potential losses associated with cybercrime and, as a result, the cyber insurance market has grown. Munich Re, a German multinational insurance company, estimates that the market will be worth $29 billion globally by 2027. It makes sense – every organisation, no matter its size, sector or location, that relies on technology is at risk. Even the most well-prepared companies fall victim to a cyberattack. So, to avoid going out of business (which happens in an estimated 60% of small companies within six months of a data breach or cyberattack), you need some kind of safety net. And as businesses become increasingly reliant on technology, cyber insurance plays a vital role in closing the protection gap.
“What do you do when all else fails?” asks Greg Day, Cybereason VP and Global CISO. “Cyber insurance [provides] a degree of financial reassurance against cyberattacks that traditional security controls miss.”
“Make sure you have your legal team involved, be clear on what’s covered and what isn’t, and what expectations they have on your cybersecurity and incident response capabilities.”
Greg Day, Cybereason
In the face of inevitable cyberattacks, cyber insurance has become a normal part of managing risk. A global Sophos survey confirmed that 90% of organisations have some form of cyber coverage. Half have a standalone policy, while 40% have cyber as part of a wider business insurance policy, such as a general liability policy. Many security leaders are still not clear on exactly what is covered and what will be paid out. Day says that in a survey Cybereason conducted with over a thousand companies in both EMEA and the US, nearly all had cyber insurance, but only 40% were certain that a ransomware attack would be covered by their policy. “And of those that had claimed for a ransomware attack, only half recovered what they believed were the full costs,” he says.
“I’ve often experienced companies taking out multiple policies to try to mitigate the risk. They have come to their own realisation that the bigger the policy, the more scrutiny, time and effort required to achieve a payout, so they hedge their bets,” says Day. He adds that businesses often need time to develop stronger strategies for managing costs and reducing financial risks, especially when dealing with cyber insurance. By using multiple policies, companies benefit from the speedier payouts of smaller policies, while also covering larger risks that require more detailed investigations from insurers.
“The logic being the smaller policies typically pay out with less scrutiny and also pay out quicker,” says Day. Larger policies, which are more detailed and provide more comprehensive coverage, are often subject to closer examination. Taking out multiple policies allows businesses to strike a balance between quick payouts and thorough protection and it enables more effective business resilience, Day says.
Risk profile
Every organisation must carefully consider the type of cyber insurance coverage it needs, and why. Comprehensive coverage isn’t always necessary, and since these policies are highly customisable and there’s a lot of overlap between providers, it’s important to know exactly what you’re getting before making a commitment. “Make sure you have your legal team involved, be clear on what’s covered and what isn’t, and what expectations they have on your cybersecurity and incident response capabilities,” says Day. According to Ryan van de Coolwijk, product champion, iTOO Special Risks, cyber insurance policies deliberately use generic language like “unauthorised access” and “unauthorised use”. This makes it easier for insurers like iTOO to keep pace with evolving risks while formulating more fitting coverage. He says that for smaller businesses, the underwriting process has been simplified, to encourage businesses that, in the past, would have been put off buying cyber insurance because of how complex it was. “There’s a split. Proposal forms for more complex, bigger risks – based on the number of data records or nature of operations – are becoming more involved,” he says.
Accurate premiums
While the core components of a cyber insurance policy are applicable to everyone, such as incident response services, business interruption and liability, there are value-added coverage options that depend on a business’ specific risk exposure. “Things like physical damage or theft are a little bit more nuanced,” says Van de Coolwijk.
This is why Day says businesses need to be clear on what they expect their cyber insurance policy to cover. “Consider what degree of costs you are looking to insure against. What commercial impact would be too big for the business to stomach, and therefore needs underwriting,” says Day.
Strategic partnerships
Cyber insurance providers want businesses to prioritise rapid incident response (IR), architectural resilience, strong cyber-risk management and enhanced threat detection. By prioritising these areas, businesses show insurers that they are taking a proactive, multilayered approach to cybersecurity. That said, the tools a business uses are only as effective as how they’re installed, configured and managed. This is why most cyber insurers form strategic partnerships with third-party businesses that can provide up-to-date cyber risk trends, detailed reports and risk assessments. These assessments help organisations gain a clearer understanding of their security posture and maturity, enabling insurers to calculate more accurate premiums based on the specific risks presented by each business. Some insurers even include rapid response services in their policies, giving businesses access to a team of cybersecurity experts – and sometimes forensics, legal counsel and PR specialists – to help manage the aftermath of a breach. “This value add works in the insurers’ best interest as it assists in reducing their overall risk exposure through assisting clients to better manage the risks,” says Mark Sanders, GIB COO.
By the end of 2024, Gartner estimates that privacy regulation will cover threequarters of consumer data worldwide, but 60% of all regulated global entities will struggle to comply with intensifying data protection regulation and privacy requirements. Organisations typically align their security practices with established standards, such as National Institute of Standards and Technology (NIST) or ISO 27000, to make sure they have adequate safety nets in place. But the complexity of an organisation’s infrastructure – with multiple access points and integrations – directly influences its risk profile. “The more complex the environment, the greater the potential for breaches and the higher the costs involved, including direct financial losses, regulatory fines and reputational damage,” says Nemanja Krstić, operations manager, managed security services, at Galix. This is why insurers now play a crucial role in ensuring compliance with regulatory requirements, helping businesses to meet legal standards while safeguarding data, Krstić explains.
Residual risk
Ultimately, cyber insurance is a tool that when used wisely can protect businesses from significant financial harm, but it must be coupled with strong cybersecurity measures to be effective. Foolproof security does not exist. There is always a residual risk, and a policy is not a replacement, but a security net to help recover and reduce the impact should an incident occur. “This does challenge the cyber insurance underwriters to ensure that they align the cover and premiums with the robustness of the control environment, seeing a reduction in premiums where the risk posture is improved,” says Mtho Maphumulo, a senior associate and litigation attorney at Adams & Adams. Cyber insurance should just be seen as one layer among many in a comprehensive protection strategy. “A broader, multilayered safety net is most effective in combating cyberattacks and reducing their impact,” Maphumulo says.
WHAT YOUR CYBER INSURER KNOWS (THAT YOU DON’T)
Cyber insurers are sitting on a goldmine of data that sheds light on why businesses are falling victim to cyber incidents. By analysing claims, insurers have identified patterns that often lead to payouts.
According global insurance brokerage and risk advisory firm WTW, businesses mostly struggle with issues such as not enforcing multifactor authentication (MFA) for remote access, lagging behind on vulnerability management, and exposing vulnerable services to the internet. Largerscale breaches are often linked to weak Privileged Access Management (PAM), insufficient detection capabilities, and an over-reliance on local administrator accounts. To combat these risks, insurers recommend strengthening MFA, reducing local admin access, and deploying comprehensive endpoint protection. Beyond these critical measures, insurers also stress the importance of timely patching and employee training to recognise phishing attempts. While bolstering cybersecurity defences is essential, having a cyber insurance policy in place ensures financial protection and access to expert incident response when everything else fails. This dual approach is the key to staying ahead of the growing cyber threat landscape.
* Article first published on brainstorm.itweb.co.za