The State of Cyber Risks and Insurance
The World Economic Forum’s (WEF) 2022 Global Cybersecurity Outlook reported that cyberattacks increased 125% globally in 2021. The trend has continued, as detailed in the WEF 2023 Outlook. The report also ranks cybercrime and cyber insecurity among the top 10 global risks in the next two to 10 years.
There is still a financial incentive to cyberattacks, but “the character of cyberthreats has changed,” the report noted. “Respondents now believe that cyberattacks are more likely to focus on business interruption and reputational damage.” If a business cannot operate and customers or the public lose faith, revenues will plunge.
The evolving sophistication and motivation of cyberattacks are making organizations more vulnerable to breaches. The frequency and severity of attacks are also driving up cyber insurance premiums, making affordable plans hard to find. But businesses with a preparedness strategy can identify their weak spots and overcome the challenges of finding the right cyber policies.
Cyber Insurance
Policyholders had some early success filing cybersecurity claims under traditional crime and commercial general liability policies. As cyberattacks like business email compromise (BEC), phishing, malware, and ransomware became more prevalent, litigation began over coverage. Insurers responded by inserting cyber exclusions into their policies.
This has created a new financial problem as the cost of a cyberattack has climbed. IBM Security's Cost of a Data Breach 2022 report puts the current average data breach cost at nearly $4.35 million, a 12.7% increase since 2022.
And though Fitch Ratings noted in April 2023 that average cyber renewal premium rate increases have “decelerated,” stand-alone cyber coverage, which represents approximately 70% of industry premiums, increased by 62% in 2022.
Furthermore, carriers are changing their underwriting process to reflect the new “character of cyberthreats,” particularly in the past three years as “business interruption” became a buzzword in mainstream dialogue due to the pandemic. Limited coverage is the common scenario for many businesses, particularly for small and newer ones.
Since large private organizations have the resources to strengthen cybersecurity measures, malicious actors shifted their focus and began targeting small companies, healthcare systems, and school districts. It is better to assume that no sector (nor company size) is off-limits to malicious actors. Insurers need assurance that companies are taking the necessary steps to mitigate these risks.
BEC Training To Strengthen Insurance Policies
According to Abnormal Security, BEC attacks increased by 81% in 2022 and 175% over the past two years, while 98% of employees failed to report the threat. This trajectory is unsurprising, considering how many companies switched to remote settings.
Risk managers need to collaborate with their IT groups and technology officers to develop a cybersecurity awareness training program that tackles BEC and malware attacks. Depending on the size and scope of the enterprise, risk managers might alert employees that simulations will take place and that everyone is essentially being tested.
Before simulating the attacks, provide the tools and skills employees need to combat BEC or ransomware, such as:
Hovering over a hyperlink to check its real destination before clicking it.
Previewing an attachment before opening.
Confirming the message’s authenticity through a separate channel (a phone call or a new email) before taking action.
Risk managers can compile the results to demonstrate the Total Cost of Risk (TCOR) to leadership. Next, they can tell employees how they fared: reveal how many people used the techniques to detect the fraud and how many did not.
Some employees will fail the test. Use those instances as opportunities to explain what would have happened once the attachment was opened: how it could have dropped a remote access trojan (RAT), a keylogger, or a Visual Basic script (.vbs) that installs remote access capabilities on the network, and how a ransomware attack could then have encrypted company data.
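The two checks the training teaches employees to make by hand, looking at where a link really points and distrusting script attachments, can also be run in code over a message body. The example below is added here and is not from the original article; the HTML and attachment names are constructed samples, and the list of script extensions is an assumption.

```python
# Added example: automate the "hover over the link" and "inspect the attachment"
# checks from the BEC training over a constructed HTML email body.
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: attachment types commonly used to deliver a script or dropper.
SCRIPT_EXTENSIONS = {".vbs", ".js", ".hta", ".ps1", ".scr"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    """Normalise a URL or bare 'example.com/path' to a lowercase host, minus 'www.'."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().removeprefix("www.")

def link_mismatches(html_body):
    """Anchors whose visible text looks like a URL but whose href is on another host.
    This is exactly what hovering would reveal to a careful reader."""
    p = _AnchorCollector()
    p.feed(html_body)
    return [(text, href) for href, text in p.anchors
            if URL_LIKE.match(text) and _host(text) != _host(href)]

def script_attachments(filenames):
    """Attachment names ending in a script extension (catches 'Invoice.pdf.vbs' too)."""
    return [f for f in filenames if os.path.splitext(f)[1].lower() in SCRIPT_EXTENSIONS]

SAMPLE_HTML = (  # constructed sample message, not a real one
    '<p>Your invoice is ready. Review it at '
    '<a href="http://portal.example.net/login">https://billing.example.com/invoice</a> '
    'or contact <a href="mailto:ap@example.com">ap@example.com</a>.</p>'
    '<a href="https://example.com/help">Help</a>'
)
SAMPLE_ATTACHMENTS = ["Invoice_0423.pdf.vbs", "terms.pdf"]  # constructed sample

if __name__ == "__main__":
    for text, href in link_mismatches(SAMPLE_HTML):
        print(f"link text {text!r} actually points to {href!r}")
    print("script attachments:", script_attachments(SAMPLE_ATTACHMENTS))
```

A mail gateway or a post-simulation debrief can use the same two functions to show employees, concretely, which of the messages they clicked would have been caught by these two habits.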
From there, risk managers can implement and enforce new policies and regularly (and subtly) retrain employees to remain consistent in cybersecurity efforts. These actions will demonstrate to insurers the organization’s commitment to prevention, which will help justify claims.
Looking Ahead
Cybercrime seems inevitable. The WEF’s 2023 Outlook found that 91% of business and cyber leaders believe a far-reaching, catastrophic cyber event is somewhat likely in the next two years.
This problem is compounded by the fact that cyber insurance as a product is still relatively new. In contrast with automobile and property insurance, where decades’ worth of claims data exists, cyber insurance claims data is extremely limited. This limited data reduces the ability of insurers to actuarially predict the frequency and severity of loss with any high degree of accuracy. As claims probability remains uncertain, insurers will seek to maintain high premium rates, limit the degree of coverage offered, or make coverage more difficult for many companies to secure.
Continuous training, consistency, and awareness of market trends will keep your organization ahead of cyber threats. With that momentum, collaborate with an insurer to customize a cyber insurance policy that correctly addresses the organization’s exposures and vulnerability to loss. A policy tailored to an organization’s needs is one of the most critical initiatives and investments for meaningfully reducing the financial impact of a cyber risk loss.
Tools To Help Risk Managers Engage With Their Data
By taking the time to review and implement the practices mentioned above, risk managers can help their companies minimize risks and exposures and build resilience in the face of cyberattack attempts.
LineSlip can help locate your cyber coverage details, limits, and source documents, and answer your CISO’s or CFO’s questions about your annual spend and overall performance.