Cyberattacks are a fact of life. Every organization — in fact, anyone with an internet account — has been targeted in some manner, from a phishing email to DDoS website attacks to malicious account takeovers.
Just as a company purchases insurance to protect from physical theft and other potential loss and damages, organizations need to add protection against the financial aftermath of a cyberattack.
However, before an organization can purchase cyber insurance, it needs to meet certain criteria.
"Insurers want to know there is an organized and proactive effort to manage cybersecurity risk," said Travis Wong, VP of risk engineering and security services at cyber insurance provider Resilience.
While insurers may not ask potential clients about specific technology or processes, insurers do want to know how existing technology and internal standards are leveraged in pursuit of an effective risk management effort.
Claim payouts are costly
Data breaches and other cyber incidents are expensive to insure. The average cost to the insurer for a cyber incident for small and medium businesses (SMBs) is $145,000, according to NetDiligence's Cyber Claims Study 2021 Report, which analyzed incidents that occurred between 2016 and 2020. For large companies, the cost jumps to $10 million.
Ransomware mitigation costs are even higher, at $256,000 and $16.6 million respectively.
An analysis of almost 6,000 claims in this year's study showed just how much cyberthreats have increased in recent years, and those attacks are increasing no matter the industry sector or size of the business, according to research from data security and privacy law firm Beckage, included in the NetDiligence report.
In tandem with the rising costs of payouts comes significant rate increases.
On average, cyber insurance rates rose by 89% in the fourth quarter of 2021, according to Risk Strategies' State of the Market 2022 Report. That trend is expected to continue into 2022, which is why insurers are putting a greater emphasis on risk management.
The insurance industry has been under increased pressure amid concerns the Ukraine war and the in prevalence of ransomware will lead to a surge in claims. Nation-state threat actors and criminal ransomware groups have stepped up threat activity targeting critical infrastructure providers, financial organizations and other targets in the U.S. and Europe.
"Most insurance requirements still fall into basic cybersecurity measures, what one would expect every company operating online to have in place," said Jack Kudale, founder and CEO of Cowbell Cyber, which provides cyber insurance for small- to medium-sized enterprises. At minimum, those measures include:
- Multifactor authentication (MFA)
- Backup
- Incident response plan
- Patching
- Cyber awareness training for employees
Top concerns for cyber insurers
Proving a client has a secure backup system is a top priority as ransomware is expected to remain a top threat through 2022 and beyond.
"Cyber insurers are, hands down, most worried about ransomware, especially since doxing has become common. It is the perfect storm for an attack," said Shawn Melito, chief revenue officer at BreachQuest, a digital forensics and incident response provider.
In the midst of a ransomware attack, which can impede operations, businesses may need to:
- Pay a ransom
- Call in forensics
- Rebuild systems
- Consult PR
- And send breach notifications to clients, regulators, patients or customers.
The list of costs surrounding a ransomware attack is seemingly endless, expensive for the the insurer and the client.
But if organizations (and insurers) get caught up on ransomware, they tend to miss other weaknesses that could turn into costly problems.
"Theft of credentials either through phishing or unprotected assets exposed publicly on the internet remains the predominant approach for cyber criminals to launch an attack," said Kudale. It's why cyber insurers will focus on whether or not cybersecurity best practices are in place.
What insurers want from clients
A cyber insurer's requests are closely aligned with cybersecurity industry best practices.
"Companies that have been in tune with cyber events and have proactively matured their security programs are ideal insurance partners," said Wong.
These companies use cyber insurance requirements to build their investment in cybersecurity and also use those requirements as a way to build a compelling business case to convince decision makers and boards of directors of the importance of a strong cybersecurity program.
As with all cybersecurity systems and insurance options, there is no one-size-fits-all set of requirements.
"In my experience speaking with carriers and observing the approaches some have taken, the focus also depends on the size/maturity of the organization and the types of organizations that the carrier covers," said Melito.
That's because threat actors are able to pinpoint their attacks so well that it is now very rare if they infect random organizations.
"Regularly now, not only does the attacker know who they have on the hook but have done reconnaissance both online and within the victim's own system to find out exactly how much they can extort from the organization," said Melito.
That ability to pinpoint assets so precisely means threat actors know where the big payoffs are, so they want businesses with the most valuable assets. Sometimes this is determined by business size, but just as often as by industry. These companies will be subjected to more thorough reviews of their security systems and be held to more stringent demands by cyber insurers.
If companies have a good security system already in place and are willing to take the steps needed to meet the demands, cyber insurers are willing to develop a partnership.
"However, there are still many companies that have not worked to mitigate their cybersecurity risk, which has resulted in difficulty obtaining favorable insurance risk transfer solutions for these organizations," said Wong.
Those are the companies who find obtaining cyber insurance is much more work and much more costly than they planned.