January 23, 2022
Cyber Attacks Rising – Companies Using Cyber Insurance to Help
Harmful attacks on small, medium and large companies are rising, and the costs of those attacks are high. Cybercrime is expected to grow to $10.5 trillion by 2025, up from $3 trillion in 2015. A recent study showed that the average total cost of a data breach increased in one year by nearly 10% to $4.24 million, the highest ever recorded.
Some of the most frequent attacks include ransomware, CEO fraud, supply chain attacks, and stolen or hacked credentials that allow unfettered access to cloud applications and other key data. The results are stolen funds, stolen private data, destroyed data, and loss of computer system availability, leaving employees idle and business functions stopped.
Small companies are not spared from today’s attacks, since the cost of attacking a company has fallen thanks to readily available malware kits that can be purchased on the dark web. As a result, extracting smaller amounts of money from smaller (less security-savvy) companies is economically viable for criminals.
More Companies Buying Cyber Insurance to Avoid Losses
The market for cyber security insurance is expected to grow by over 20% per year through 2031. The percentage of companies that currently hold cyber security insurance varies by company size, but it increased from 26% to 47% between 2016 and 2020 alone.
Reflecting the increase in demand, the number of cyber insurance companies grew by 35% from 2016 to 2019.
Incidents and Cyber Breach Claim Costs Are Rising for Insurance Companies
- Claims are rising so quickly that by September 2021 the number of data breaches had already exceeded the 2020 total.
- Average ransomware demands are up by a staggering 518% and actual payments are up by 82%.
What Are Cyber Insurance Companies Doing to Reduce Their Exposure
Insurance companies have only two choices: drop out of the cyber insurance market, or find ways to increase their profits and reduce their risk. They are doing the latter by:
- Increasing insurance rates, which have recently risen by 30-40%
- Reducing coverage limits, especially for claims such as ransomware
- Increasing the requirements customers must meet to be accepted for cyber security insurance coverage
Increased Customer Requirements to Qualify for Cyber Security Insurance
The following are typical cyber security insurance company requirements that customers must attest to before being accepted for coverage. The requirements may vary by the size of the company being insured, but the goal is for companies to have at least the minimum security controls in place that address the most frequent attacks.
Current cyber insurance requirements include:
- A named security risk manager or security manager in your organization
- Regular and timely patching of software and automatic updates
- Strong endpoint security and Endpoint Detection & Response (EDR)
- Use of appropriate access control methods to protect critical systems, apps and data, such as:
  - Multi-factor authentication (MFA)
  - Least-privilege access policies
  - Securing system administrator access to key data
  - Securing 3rd party access to your systems
  - Use of strong password management, etc.
- Backup and disaster recovery using cloud or off-premise offline storage, backed up regularly and tested to make sure it can be restored
- Financial controls to verify funds transfers and access control. At least 2 people review
- Data protection methods for personal or other private information (such as encryption, network
- Compliance with security regulations that you are subject to because of your industry,
- Use of network security methods such as network segmentation and firewalls to protect key data
- Email security
- Employee management policies to control account access
- Written incident response plan
- Active SOC monitoring of security & IT systems (24×7)
- Written privacy & security policies
- 3rd party contract management regarding adherence to appropriate levels of security requirements for access to sensitive data
How will Cyber Security Insurance Evolve in the Coming Years
Cyber security insurance requirements will migrate from trying to prevent recently identified frequent attacks (like ransomware, CEO fraud, credential theft) toward a more holistic approach that requires companies to have “best practices” security in place.
Insurance companies must reduce the number of incidents and the cost of each occurrence, or insurance policy costs will become prohibitive for companies.
Insurance Companies Will Require Compliance with Security Standard Frameworks
In the future, companies will need to show compliance with an industry-standard security framework such as NIST to obtain insurance. That way, companies will be better prepared to combat new security threats and attacks.
Insurers Increasingly Want Companies to:
- Demonstrate the use of a security risk management process: identify, protect, detect, respond, recover
- Deploy solutions that secure remote users
- Deploy cloud security, securing cloud applications, cloud data and cloud servers
- Add appropriate “detection” and “response” security solutions, including 24×7 monitoring
- Use Zero Trust solutions for higher levels of security around critical data
3 Things To Do to Prepare for 2022 Cyber Security Challenges
- Utilize 3rd party risk assessments to define appropriate security gaps and priorities
- Use 3rd party managed security service partners to obtain:
  - Management of increasingly complex security
  - High levels of expertise
- Use a 24×7 SOC/SIEM solution to monitor your entire security/IT infrastructure
- Perform quarterly reviews of your security and make frequent
eSecurity Solutions can help you qualify for cyber insurance.
Companies that implement and manage their security using recognized standards have a much lower chance of being breached, and thus of ever needing to file a cyber insurance claim.