Effective cybersecurity requires more than an insurance plan – InsuranceNewsNet
With the constant headlines about major cyberattacks – from SolarWinds to Colonial Pipeline – and growing evidence that criminals, nation states and other malicious actors are rapidly building up their cyber capabilities, companies are deeply concerned about the possibility of being attacked.
They recognize that the potential costs of the cyber threats they face will only increase, and they are looking for solutions that will protect them from those costs.
This is why cyber insurance has become popular among companies that want to protect themselves against the financial fallout from a successful cyberattack. While it’s a good sign that businesses are focused on limiting their cyber risk, it’s a mistake to rely on insurance as the primary defense against the devastating consequences of a cyberattack.
Beyond the fact that cyber insurance premiums are rising and coverage limits are getting tighter, businesses need to do everything possible to avoid suffering a cyberattack in the first place.
Cyberattacks not only have a destructive financial impact on their victims, they can also cause permanent damage to a company’s reputation. Consumers are already concerned about how companies collect and manage their data, and when they have concrete reason to believe the data is at risk, they are likely to take their business elsewhere.
That’s why companies need to build their cybersecurity platforms around breach prevention, which means establishing effective monitoring and reporting processes, generating stakeholder support at all levels of the organization, and implementing an effective cybersecurity awareness training program.
The cyber insurance industry is growing
It’s no surprise that businesses want to reduce their exposure to the financial consequences of cyberattacks at a time when such attacks are becoming more frequent, costly, and difficult to contain. According to the most recent FBI IC3 Internet Crime Report, the total number of reported cybersecurity incidents and the resulting financial losses increased steadily and dramatically between 2017 and 2021.
In 2017, there were more than 301,000 complaints that totaled $1.4 billion in losses — numbers that jumped to more than 847,000 and nearly $7 billion, respectively, four years later.
The FBI report is an approximation of the number of cyberattacks that occurred in a given year – many attacks go unreported to the bureau, so the totals are understated. IBM reports that an average data breach costs $4.24 million and takes 287 days to contain.
These are the reasons why, as a recent report by AM Best Market Segment explains, cyber insurance has become a “core element of a company’s risk management and insurance purchasing decisions.” AM Best also found that the number of cyber insurance policies increased by 28% in 2020, while total claims increased by 18%.
According to the Hiscox Cyber Readiness 2022 report, the proportion of companies reporting a cyberattack in the past year increased from 43% to 48%, while 62% said the prevalence of remote working made their business more vulnerable. As attacks continue to escalate and more businesses purchase cyber insurance, payouts are rising as well. This is pushing insurance companies to raise their rates and raising questions about the sustainability of cyber insurance in general.
Cyber insurance providers and customers face significant challenges
Over the past few years, businesses have prioritized cyber insurance like never before. According to a 2021 report from the US Government Accountability Office, the proportion of insurance customers paying for cyber coverage increased from 26% in 2016 to 47% in 2020.
Despite the greater number of cyber insurance customers, premiums have skyrocketed over the same period – GAO reports that a recent survey of insurance brokers found that more than 50% of customers saw prices go up between 10% and 30% in 2020 alone.
Even with higher premiums, insurance companies still saw a sharp increase in their loss ratios between 2019 and 2020, from just under 45% to almost 68%. The GAO says cyber insurance providers face a number of systemic issues, such as a lack of historical cost data related to cyberattacks and conflicting definitions of key policy terms. The rise in premiums coincided with tighter coverage limits, especially for sectors particularly vulnerable to cyber threats such as healthcare and education.
All of these factors have created a difficult environment for cyber insurance providers and their customers, and there are not many signs that these issues will be resolved in the near future. While cyber insurance can provide an additional layer of protection in the event of a successful cyberattack, effectively managing cyber risk requires much more than buying an insurance policy and hoping for the best.
Cybersecurity starts with cyber awareness
Many companies are investing heavily in cybersecurity. PwC recently reported that nearly 70% of companies plan to increase their cyber budgets in 2022, while more than a quarter expect double-digit spending growth. With unprecedented attention and resources being devoted to cybersecurity, businesses need to focus on using those resources wisely by identifying the most effective strategies to reduce their risk.
Security awareness training (SAT) programs are among the best ways to protect your business against cyberattacks. In fact, 85% of data breaches involve a human element: cybercriminals often use social engineering methods such as phishing to steal login credentials or other information that will help them infiltrate a business (or they use these methods to directly steal money and sensitive data).
When employees know what warning signs to look out for and how to report potential cyberattacks in progress, businesses will be in a much better position to thwart these attacks. An effective SAT program is able to help employees retain critical information with engaging and relevant cybersecurity content, consistent reinforcement, and robust assessment forms that allow companies to determine how much employees are actually learning.
While cyber insurance can ease the burden after an attack, cybersecurity must always be proactive. Ninety percent of companies say they provided training to their employees after a successful ransomware attack, which is a reminder that it’s a mistake to wait until a financial and reputational blow has already been inflicted to improve your SAT platform. The same logic applies to cyber insurance – while it makes sense for your business, don’t rely on it as a core part of your cybersecurity platform.
Matt Lindley is Chief Information Security Officer at NINJIO.
© All content copyright 2022 by InsuranceNewsNet.com Inc. All rights reserved. No part of this article may be reproduced without the express written consent of InsuranceNewsNet.com.