A cyber insurance policy is no excuse for complacency against the threat of digital attacks, says Max Vetter of Immersive Labs
Coronavirus has become a fertile ground for cyber criminals to exploit. With heightened security risk, more businesses are looking for cyber insurance to shield themselves from coronavirus-themed cyberattacks. This makes it a very expensive time for insurers, who claim that the crisis will cost the industry more than $200bn – with half of that in payouts. The scale of these losses has resulted in insurers increasing scrutiny of company defences under existing insurance policies. Companies are now expected to supply more details than before regarding how they would respond to a data breach and what action they would take if hit by a cyber attack. This information will make the difference between a payout and a denial of cover.
On top of this, the introduction of regulation such as the General Data Protection Regulation, which imposes heavy penalties on businesses falling victim to an attack, has driven huge demand for insurance cover. Insurance companies see a real growth opportunity in cyber, with the global market for cyber insurance expected to grow from about $6bn of premiums a year to $15bn by 2022, according to RBC Capital. However, compared to calculating risk in other business areas, the industry is still in its infancy when it comes to quantifying risk stemming from cyber.
Insurers and businesses at a crossroads
The growing complexity of cyber criminals’ methods and techniques to execute attacks has opened up questions and scepticism within the cyber insurance market about pricing and measuring digital risk. Cyber risk is pervasive, which means there are disparities in what is defined as a cyber attack that make it difficult for insurers to assess risk. Although the insurance market offers a broad range of coverage across different cyber risks such as social engineering, ransom, extortion, business interruption and data breaches, cyber attacks aren’t so clear cut. This means that “what is covered” within a policy can be open to interpretation, and the interpretation of what counts as a cyber attack may differ from one insurance company to another.
Even before the pandemic, there was a disconnect between insurers and businesses in terms of defining cyber attacks, which impacts the cost of policies and reveals gaps in insurance coverage. This has been highlighted in a number of high profile court cases brought by insurance companies against their own customers in efforts to avoid paying out. The battle between Merck and its insurers is a good example of this. Insurers denied coverage on the grounds that NotPetya was an act of terrorism, which is explicitly excluded by their policies.
With volumes of cyber security insurance claims surging, businesses need to be more careful now than ever before and understand what their policies do and don’t cover. The reality is that one policy will differ from another, which can make all the difference between payment of the claim and denial of cover. This means businesses need to assess their level of preparedness against attacks, so that if they fall victim, they can evidence to insurance companies that they did everything in their power to protect themselves.
Problems with insurance payouts
If we look at ransomware in particular, more victims are recovering their stolen data by paying up, which in some cases is covered by insurance. Earlier this year, a ransomware attack crippled foreign exchange firm Travelex. The losses from the attack were said by insurance industry sources to be covered by its cyber insurance policy.
Paying out is in some cases viewed as the cheapest way to minimise the losses for affected parties, rather than relying on backups. However, insurers who encourage businesses to give in to the demands of hackers are making matters much worse in the long run.
Caving in to demands doesn’t mean you will get the stolen data back and be able to restart operations. Instead, it fuels criminal activity. Criminals are increasingly putting two and two together and recognising that businesses with cyber insurance are more likely to pay up, and it’s not hard for them to find this out for themselves. They can be lurking on systems for weeks or months before being detected, giving them enough time to look into a company’s recovery and response plan. They can know a company’s next step before it’s even actioned.
Whilst it may be tempting to pay up and rely on the policy to cover any losses, getting back into action is not as simple as that. Hackers are changing their tactics and no longer simply stealing data, but encrypting and destroying it. That means there is no guarantee that, once the money is paid, a company will get its data back at all, or that what it gets back will be what it was before the infiltration.
This reinforces the need for businesses to regularly assess their security capabilities but also the wider threat landscape to be able to anticipate and defend against attacks. Threat intelligence on criminal activity is very powerful in enabling businesses to make informed and practical decisions to reduce their company’s exposure to emerging threats.
Insurance is one piece of the puzzle
The bottom line is that businesses cannot rely solely on insurance policies to protect them in the event of an attack. Insurers are expecting businesses to provide detailed evidence to show they took reasonable steps to protect themselves. 70% of organisations are seeing the value of increasing their investments in cybersecurity solutions. However, it’s important to bear in mind that one of the greatest weapons that companies have to protect themselves is their people.
Security professionals need to demonstrate they are able to detect and respond to threats and vulnerabilities, or risk being denied coverage. Continuous training based on real-world scenarios is a great way for security teams to practise and re-evaluate the strength of their security posture. With this in mind, risk assessments should not be done annually but on an ongoing basis, because the threat landscape continues to change, and annual reviews of security strategies quickly become outdated.
By understanding the strengths and areas of improvement of their teams, businesses will be able to tweak their security controls, processes and technologies and better respond to an attack. In the event of an attack, this information can be used as evidence to insurers to show that the business took all the necessary precautions to ensure business resilience.
In addition to security teams, businesses need to also ensure employees across the entire organisation are adopting good cyber hygiene. There needs to be a basic level of awareness amongst employees, because even the most robust cyber security strategy can be breached at its weakest link.
Despite insurance cover acting as a safety net, it’s important that businesses look beyond it as part of their strategy to recover from an attack. Whilst it may shield a business from the financial consequences of an attack, the impact on reputation won’t be so easy to recover from.
For more cybersecurity news, follow The European