Cyber insurance cannot replace robust cyber risk management
Cyber security company Fortinet says companies should invest in cyber insurance to recover financial losses from cyber attacks, but cautions that insurance only minimises damage after an incident and can make organisations more attractive targets for cyber criminals.
This is a key takeaway from Fortinet’s 2023 Global Ransomware Report based on a survey conducted among 569 cybersecurity leaders from 31 different locations including South Africa, the US, UK, France, India and Japan.
The survey found that while 88% of organisations reported having cyber insurance, almost 40% didn’t receive as much coverage as expected and, in some cases, didn’t receive any because of an exception from the insurer.
Fortinet says it is important for organisations to fully understand what is covered by this kind of insurance.
According to the company, a cyber insurance policy can protect organisations from the cost of internet-based threats affecting IT infrastructure, information governance, and information policy, which often are not covered by commercial liability policies and traditional insurance products.
It also covers ransomware extortion demands, including any costs related to the remediation process, such as paying for the investigation, crisis communication, legal services, and refunds to customers.
These policies often include first-party coverage, which means losses that directly impact an enterprise, as well as third-party coverage, which means losses suffered by other enterprises as a result of having a business relationship with the affected organisation.
Insurance can also help to drive improvements in basic cyber hygiene and the adoption of best practices such as endpoint detection and response (EDR) and security platforms, when such measures are required as prerequisites for the issuance of an insurance policy.
Doros Hadjizenonos, regional director, Southern Africa, Fortinet, comments: “Although cyber insurance generally covers the cost of a ransomware settlement, the coverage is limited. It often covers the replacement of damaged computers and possibly fines associated with the loss of personal identifying information, but cyber insurance doesn't cover operating losses, the value of lost proprietary or competitive information, or costs stemming from damage to the organisation's reputation. In many cases, these losses can significantly exceed the insurance pay-out.”
Cyber insurance can be a double-edged sword, says Hadjizenonos. “Although having the insurance company pay out a claim is beneficial to a business, cyber criminals are doing their homework. They are well aware that businesses that have insurance are more likely to pay out a settlement for ransomware payments. All the information about your organisation can be used against you to verify that you're a good financial target. Criminals include whether or not an organisation has insurance into their playbooks, and according to data from our ransomware survey, some entities are being targeted many times, especially if they pay.”
This is why the company says cyber insurance should not be considered in place of effective and robust cyber risk management.
“All companies need to purchase cyber insurance but should only consider it to mitigate the damage caused by a potential cyber attack. Their cyber insurance policy needs to complement the security processes and technologies they implement as part of their risk management plan,” Hadjizenonos continues.
While close to 80% of survey respondents stated they were ‘very’ or ‘extremely’ prepared to mitigate an attack, 50% fell victim to ransomware in the last year, and almost half were targeted two or more times.
Cyber criminals are taking advantage of a growing disconnect between ransomware preparedness and prevention.
The Report states: “Specifically, four out of the five top challenges to stopping ransomware were people or process related. The second largest challenge was a lack of clarity on how to secure against the threat as a result of a lack of user awareness and training, and no clear chain-of-command strategy to deal with attacks.”
The study also found that despite guidance from the cyber security industry, more organisations are paying the ransom.
“Despite most (72%) detecting an incident within hours, and sometimes minutes, the percentage of organisations paying ransoms remains high, with almost three-quarters of respondents making some form of ransom payment. When comparing across industries, organisations in the manufacturing sector received higher ransoms and were more likely to pay the fee. Specifically, one quarter of attacks among manufacturing organisations received a ransom of $1m or higher,” says Fortinet.