The Definitive Guide to Cyber Risk: How Your Clients Stack Up Against Industry Peers
Experts believe cybercrime will cause $9.5 trillion in damages globally by the end of 2024.
Yet despite this substantial threat, few have the insurance and risk management tools they need. In fact, 12% of U.S. organizations do not purchase any cyber liability insurance, while those that do have faced significant rate increases. Cyber insurance prices rose 11% in the first quarter of 2023 compared to the preceding year, though rate increases moderated as the year went on. By the end of the year, cyber rates had decreased 3% globally.
Companies of every size and sector are vulnerable to cyber attacks as hackers cast a wide net, trying to victimize as many companies as possible. Businesses lost an average of $4.35 million in data breaches in 2022.
Facing a market that has been tough for years, brokers are leveraging new tactics to educate their clients on risk management and assess their cyber vulnerabilities. Using analytics, they can compare their clients to peer organizations, allowing them to assess the types of cyber risk management protocols and transfer solutions that meet the needs of their insureds.
Why Cyber Attacks Are Becoming Increasingly Frequent (And More Severe)
For years now, phishing and ransomware attacks have been among the most common cybersecurity threats businesses face, and they are likely to continue being plagued by them into 2024. Last year, 72% of businesses worldwide were affected by ransomware attacks.
For many cybercriminals, hacking isn’t a side hustle; it’s their career. Most business leaders will be familiar with the term software as a service (SaaS), where companies purchase needed digital tools, often on a subscription basis. Let us introduce you to malware as a service (MaaS), where cybercriminals create malware systems and offer them to other attackers for a fee.
There are also ransomware gangs to contend with: groups of attackers who work together to carry out a high volume of attacks. One gang, known as LockBit, was responsible for 40% of all attacks in May 2022.
Gangs often resort to double extortion, encrypting a company's data and threatening to leak it unless the ransom is paid. This tactic emerged as a response to companies improving their data backup practices after initial ransomware incidents. Consequently, businesses now face the risk of a data breach on top of the problem of regaining access to their own networks.
These practices could lead to a dramatic uptick in ransomware attacks. In the first six months of 2022, there were 236.1 million ransomware attacks globally.
Many risk managers discover the inadequacy of relying solely on employees to defend against cybersecurity threats. Attackers frequently exploit employee vulnerabilities by using deceptive emails to extract passwords and sensitive information. According to a Stanford study, 88 percent of data breach incidents result from employee errors. Brokers must collaborate with clients to institute ongoing cyber hygiene training programs, empowering employees to recognize and thwart attacks. Regular updates to these trainings are essential for maintaining effectiveness.
Increased Sophistication of AI Attacks
Even if companies have cybersecurity training (and that’s a big if — one survey of U.S. and UK companies found that a quarter of businesses have no education at all), the curriculums need to be continually updated and reinforced so employees are prepared for new social engineering attacks.
That problem’s going to get worse before it gets better. Many business leaders have heralded artificial intelligence as a boon. It makes mundane tasks easier and more efficient. But AI is also making it easier for hackers to create seemingly realistic emails — sometimes impersonating managers and CEOs — that lure employees into handing over the confidential information needed to hack a company’s system.
Additionally, cybercriminals can use AI and machine learning tools to monitor an employee’s social media profiles, trawling for details that could make an attack more effective, or for moments, such as stressful periods in a worker’s personal life, when they might be more vulnerable to an attack.
On top of everything else, cybercriminals use automated malware that intelligently adapts, making it harder for a company’s cybersecurity tools to detect. AI has undoubtedly empowered bad actors to orchestrate increasingly intricate and sophisticated cyber attacks.
Compliance and Regulation
As if brokers and insureds didn’t have enough to juggle, regulators in both the U.S. and Europe are increasing regulations on cybersecurity measures.
In December 2023, the SEC’s rules on cybersecurity and breach disclosures took effect. They introduced mandatory incident reporting and cyber risk management disclosure in Form 10-K and Form 20-F filings. These disclosures will likely bring increased scrutiny from cyber underwriters, who may use them to determine whether a company is sufficiently prepared for a given attack.
According to Reuters, these rules will affect not only the public companies that must adhere to them but also their third-party software and supply chain partners. If a third-party partner is attacked, cyber criminals could access information from their public company clients, resulting in a breach of sensitive information or further security threats.
Businesses may encounter difficulty adhering to these rules as cybersecurity threats are ever-morphing. They may not be able to detect newer, more sophisticated attacks immediately, which could complicate reporting. Added to that problem is the issue of disclosing what cyber resilience training company boards are undertaking. The elusive nature of cyber risk means it can be challenging for risk managers and their brokers to know whether the cybersecurity education curriculums they’re implementing are effective.
On the EU side, regulators have developed cyber resilience guidelines for product development and design for all digital and Internet of Things technologies. They’re also developing the European cybersecurity certification scheme, which would allow tech and software companies to voluntarily have their products evaluated for cyber resilience. In the U.S., major federal departments, including the Department of Energy and the Department of Transportation, have issued cybersecurity regulations and guidelines, and states are beginning to roll them out, too.
Risk managers will certainly appreciate these tools, as they will help them determine whether the third-party software and technology systems they use are sufficient defense mechanisms against cyber breaches. They can’t let these regulations make them lax in their own cybersecurity risk management efforts, however. Cybercrime changes so quickly that it can be challenging for regulators to keep up, so meeting their minimum standards may not be enough.
How Does Your Client’s Cyber Hygiene Stack Up?
With fluctuating cyber exposures and new regulations, brokers want to make sure their clients have the best possible cyber protections in place. Companies are embracing tools, like two-factor authentication, that help prevent common phishing attempts.
Employee security training and tabletop exercises outlining how to get through an attack are also gaining traction. Since most cyber attacks can be traced back to worker error, training your workforce to protect against these attacks is perhaps the best defense.
It is also helpful for brokers to understand how their client’s defenses and insurance coverage stack up with comparable companies in the industry. Brokers can easily do this by using LineSlip’s cutting-edge Peer Comps tool to compare an insurance program against expected cyber losses with industry peers with respect to limits, retentions, and premiums by line of business.
Cybercrime isn’t going away. Brokers and risk managers need to make sure their clients are prepared to respond to attacks while also taking proactive measures to prevent cyber incidents from occurring. Brokers can encourage clients to adopt the latest risk management controls and stay up-to-date on best practices ahead of renewal while also encouraging them to purchase adequate cyber insurance coverage.