Five worthy reads is a regular column on five noteworthy items we’ve discovered while researching trending and timeless topics. This week we are exploring cyber insurance, how it can help businesses in the event of a cyberattack, and why it is necessary for your organization.
The post-pandemic workplace has largely made the switch to remote-first or hybrid arrangements, where employees use a variety of personal devices to connect to the corporate network. Poor cyber hygiene practices, lack of adequate cyber security measures, and the widespread use of personal devices have all contributed to increased cyberattacks and data breaches worldwide. With such a worrying rise in cyberattacks, it is undeniable that the financial losses incurred due to these cyberattacks have also multiplied.
These attacks not only result in data breaches, but also subject organizations to regulatory actions and often cause loss of trust among their customers and damage to the organization’s reputation.
In the event of a cyberattack, companies may be required to pay millions of dollars in damages to their customers, third-party associations, or government regulators. To help them with this, companies are beginning to choose cyber insurance as a way to obtain cyber risk coverage.
A cyber insurance policy may provide coverage for a variety of losses, such as those brought on by data loss, data extortion, data theft, or hacking. However, the specifics of each policy’s coverage may vary depending on the type and quality of cyber insurance. Cyber insurance policies tend to come with a list of items that specialize in incident response, legal counseling, IT forensics, consumer notification, and on-demand call centers. Cyber insurance also helps in the aftermath of an incident by covering digital forensics investigation costs or providing access to cybersecurity experts who can help with damage control.
A good cyber security strategy and cyber liability insurance seem like they should be non-negotiable in today’s increasingly dangerous cyber threat landscape, but a recent survey shows that only 50% of companies have cyber insurance policies. Any organization that manages and creates data, including customer information—like names, contact information, credit card numbers, and other personally identifiable information—is likely to benefit from purchasing a cyber insurance policy. With that being said, here are five articles that explore the ins and outs of cyber insurance.
No organization is immune to cyberattacks. Although many larger enterprises are being crippled by cyberattacks, SMBs have even more reason to consider cyber insurance, as they won’t have a budget to fight or remediate an attack. The cyber insurance industry is evolving too, with cyber insurance companies updating their standards regularly and defining which security features companies must have in place to become eligible for cyber insurance.
The cyber insurance industry is booming and is predicted to reach $25 billion by 2026. Hackers now seek out data rooms to identify how much cyber insurance coverage a company has, then demand an amount that matches the policy limit. Such attacks are pushing insurance companies to come up with stringent underwriting guidelines. Improving the cybersecurity posture of the organization is becoming mandatory to be considered eligible to receive cyber insurance.
Cyber thieves gained access to Medibank’s customer base, including customer personal data, health-claims data, and international student units of over 3.9 million customers. Medibank has no cyber insurance coverage and this incident may lead to estimated costs of between $25 and $35 million, excluding costs accrued in remediation or legal fees. The numbers are a wake-up call to companies that should actively consider having their organization cyber-insured.
The high demand for cyber coverage—combined with increasingly sophisticated cyberattacks—has driven cyber insurance companies to greatly increase the cost of their premiums. Premiums increased by an average of 28% in the first quarter of 2022 compared to the fourth quarter of 2021. Insurers have also become more selective about who and what gets covered. Underwriters are coming up with more stringent requirements, like mandating cyber security protocols such as multi-factor authentication, automatic software updates, and employee training.
Insurers can deny a customer cost coverage if the customer misrepresents security measures mandated by a policy. This is where the NIST Cybersecurity Framework steps in: it outlines a set of core functions that help organizations strengthen their defenses against cyberattacks and lower their risk score, ensuring insurance eligibility.
The dangerous part of many cyber threats is that they are detected only after they have happened. All organizations, especially small and medium-sized businesses, should seriously consider having their businesses cyber insured. Along with the insurance, a robust cybersecurity strategy and an incident response strategy are important in the current threat landscape.