With constant headlines about major cyberattacks – from SolarWinds to Colonial Pipeline – and the increasing evidence that criminals, nation states and other bad actors are rapidly building their cyber capacities, companies are deeply anxious about the possibility of being attacked.
They recognize that the potential costs of the cyberthreats they face will only continue to rise, and they’re searching for solutions that will insulate them from these costs.
This is why cyber insurance has become popular among companies that want to hedge against the financial fallout from a successful cyberattack. Although it’s a good sign that companies are focused on limiting their cyber risk, it’s a mistake to rely on insurance as their main defense against the devastating consequences of a cyberattack.
Beyond the fact that cyber insurance premiums are surging and coverage limits are becoming more stringent, companies must do everything possible to avoid suffering a cyberattack in the first place.
Cyberattacks don’t just have a destructive financial impact on their victims – they also can cause permanent damage to a company’s reputation. Consumers already are concerned about how companies collect and manage their data, and when they have concrete reasons to believe that data is at risk, they’re likely to take their business elsewhere.
This is why companies should build their cybersecurity platforms around preventing breaches, which means establishing effective monitoring and reporting processes, generating support from stakeholders at every level of the organization, and implementing an effective cyber awareness training program.
The cyber insurance industry is growing
It’s no surprise that companies want to reduce their exposure to the financial consequences of cyberattacks at a time when those attacks are becoming more frequent, expensive, and difficult to contain. According to the most recent FBI IC3 Internet Crime Report, the total number of reported cybersecurity incidents and the resulting financial losses consistently and dramatically increased between 2017 and 2021.
In 2017, there were over 301,000 complaints, which totaled $1.4 billion in losses – numbers that jumped to over 847,000 and almost $7 billion, respectively, four years later.
The FBI report is a proxy for the number of cyberattacks that have occurred in any given year – many attacks aren’t reported to the bureau, so the totals are underestimated. IBM reports that the average data breach costs $4.24 million and takes 287 days to contain.
These are the reasons why, as a recent AM Best Market Segment Report explains, cyber insurance has become a “primary component of a corporation’s risk management and insurance purchasing decisions.” AM Best also found that the number of cyber insurance policies increased by 28% in 2020, while total claims rose by 18%.
According to the 2022 Hiscox Cyber Readiness Report, the proportion of companies that reported a cyberattack over the past year increased from 43% to 48%, while 62% said the prevalence of remote work has made their businesses more vulnerable. As attacks continue to increase and more companies purchase cyber insurance, payouts are rising as well. This is putting pressure on insurance companies to hike their rates and raising questions about the sustainability of cyber insurance in general.
Cyber insurance providers and customers face significant challenges
Over the past several years, companies have prioritized cyber insurance like never before. According to a 2021 report from the U.S. Government Accountability Office, the proportion of insurance clients that pay for cyber coverage spiked from 26% in 2016 to 47% in 2020.
Despite the larger number of cyber insurance customers, premiums exploded over the same period – the GAO reports that a recent survey of insurance brokers found that more than 50% of customers saw prices jump between 10% and 30% in 2020 alone.
Even with higher premiums, insurance companies still saw a huge spike in their loss ratios between 2019 and 2020 – from just under 45 percent to almost 68 percent. The GAO explains that cyber insurance providers face a number of systemic problems, such as a lack of historical data on costs related to cyberattacks and conflicting definitions of key policy terms. Rising premiums have coincided with tighter coverage limits, especially for sectors that are particularly vulnerable to cyberthreats such as healthcare and education.
All these factors have created a difficult environment for cyber insurance providers and their customers, and there aren’t many signs that these problems will be solved in the near future. While cyber insurance can offer an added layer of protection in the event of a successful cyberattack, effectively managing cyber risks requires much more than purchasing an insurance policy and hoping for the best.
Cybersecurity starts with cyber awareness
Many companies are making significant investments in cybersecurity. PwC recently reported that almost 70% of companies planned to increase their cyber budgets in 2022, while over a quarter expect double-digit growth in spending. With unprecedented resources and attention being devoted to cybersecurity, companies need to focus on putting these resources to good use by identifying the most effective strategies for reducing their risk.
Security awareness training programs are among the best ways to keep your company safe from cyberattacks. This is because 85% of data breaches involve a human element – cybercriminals often use social engineering methods such as phishing to hijack login credentials or other information that will help them infiltrate a company (or they use those methods to steal money and sensitive data directly).
When employees know what warning signs to look out for and how to report potential cyberattacks in progress, companies will be in a much stronger position to thwart those attacks. An effective security awareness training (SAT) program is capable of helping employees retain critical information with engaging and relevant cybersecurity content, consistent reinforcement, and robust forms of assessment that allow companies to determine how much employees are actually learning.
While cyber insurance can relieve the burden after an attack, cybersecurity should always be proactive. Ninety percent of companies say they provided employees with training after a successful ransomware attack, but this is a reminder that it’s a mistake to wait until a massive financial and reputational blow has already been inflicted to improve your SAT platform. The same logic applies to cyber insurance – even if it makes sense for your company, don’t rely on it as the core component of your cybersecurity platform.
Matt Lindley is chief information security officer at NINJIO. Matt may be contacted at [email protected].