
PROTECTING YOUR BUSINESS

Why You Should Consider Cyber Insurance

The increase in ransomware attacks and other malware has pushed organisations of all sizes to invest in cyber insurance to mitigate their risk exposure. Many CISOs see it as essential to their risk management strategy, though policy costs are going through the roof and insurers are demanding stringent security measures as a pre-condition for cyber coverage.


What should a cyber insurance policy cover?

Generally speaking, cyber insurance covers first-party and third-party financial costs and reputational damages. First-party coverage protects a company against the direct damages caused by a cyber-attack. With third-party coverage, the insurer covers the cost of the claims that customers, vendors, partners, or other parties could make for the damages they have suffered as a consequence of the cyber incident at your company.

“When signing up for a new cyber insurance policy, it’s essential to have a clear understanding of what the policy will cover, as insurers don’t have a standard way to refer to cyber incidents and packages may vary considerably,” says Mohammad Ismail, Regional Director, Middle East, Delinea.

For example, in 2021 ransomware accounted for 75% of all cyber insurance claims, forcing insurers to drastically reduce coverage to stay profitable, and recent research conducted by Delinea found that only about 30% of organisations say their policy covers critical risks including ransomware, ransom negotiation, and decision on ransom payment, he says.

“First of all, cyber insurance follows the same principles and criteria of insurance in general. So like any other kind of insurance, it’s about ‘selling a risk’ to a third party (the insurer) who will indemnify the insured in case the risk materialises. That said, there is a certain level of risk avoidance and mitigation that the insurer will expect from the insured.

“This is to give the insured the possibility to access cyber insurance, at an affordable premium, if adequate security controls are in place,” says Paul Baird, CTSO, Qualys.

Christopher Hills, Chief Security Strategist at BeyondTrust, says over the past year, cyber insurance has evolved and matured far beyond what we have seen in the past. Although cyber insurance continues to be a human-involved process for determining coverage, deductibles, and how much risk is too much for both brokers and carriers, one of the biggest changes in cyber insurance is how the carriers and brokers are focusing on writing “Exclusions” or “Fine Print” into their policies, in order to protect both the brokers and carriers in the event of a breach or compromise.

How can users assess their cyber insurance needs?

“With the advent of rapid digital transformation, industry experts anticipate an explosion of digital identities. Threat actors will try to exploit this to inflict attacks that extract high financial returns and cause havoc through data exfiltration. By performing a comprehensive cyber risk assessment, organisations can gauge their security postures and understand their pain points. With knowledge about a company’s potential for risk exposure, insurers can zero in on the risk premiums and avail the required coverage,” says Debanjali Ghosh, Technical Evangelist at ManageEngine.

Brian Neuhaus, CTO, Americas at Vectra AI, says there are a few key factors to consider when determining how much cyber insurance coverage is necessary. He says larger businesses with more complex systems and a larger volume of sensitive data may require more comprehensive coverage. This should include merger and acquisition strategies to make sure the policy covers the business as it materially changes in size and scope. There should be tight coordination between executive leaders, particularly the CFO and CISO, as they are both mitigating similar risks but looking through unique and sometimes uncoordinated lenses. And some industries, such as healthcare and finance, may be at a higher risk of cyberattacks and may require more robust coverage.

Is cyber insurance worth it in the long run?

“Yes, but cyber insurance is not a silver bullet and will not instantly solve all cybersecurity issues, and it will not prevent a cyber breach/attack,” says Anton Shipulin, Industrial Cybersecurity Evangelist at Nozomi Networks. “Just as homeowners with household insurance are expected to have adequate security measures in place, organisations must continue to put measures in place to protect what they care about. However, cyber insurance is an effective part of enterprise risk management strategy that might help transfer residual cyber risks and protect the business against losses resulting from a cyberattack.”

Ghosh from ManageEngine says with advancements in AI and ML-based technology proliferating, cyberattacks have become smarter and more threatening. Organisations, irrespective of their size, must be prepared for security incidents that are potentially debilitating. Cyber insurance is an important resort for companies to not just brace for impact, but also to neutralise the effect of an attack and ensure business continuity.

Aaron Turner, CTO, SaaS at Vectra AI, says it depends on the specific needs and circumstances of the business or individual. For businesses, the costs of responding to a cyber incident can be significant, and in some cases, a cyber insurance policy may provide much-needed financial protection. For individuals, the decision to purchase cyber insurance may depend on the amount and sensitivity of the personal data they have online and their willingness to bear the costs of a potential cyber-attack. Ultimately, it’s important for businesses and individuals to carefully consider their cyber insurance needs and weigh the potential costs and benefits of coverage.

“It’s important to include your insurer during all phases of an incident, from tabletop exercises including communication to them in a mock incident, to early on in an investigation. Having clear and frequent communication with the insurer makes it much easier when filing the ultimate claim,” he concludes.
