05/10/2022 | Press release | Distributed by Public on 05/10/2022 08:26
By Dr. Sally Eaves
With new threats emerging daily and growing in complexity and sophistication, cyber security has become a critical focus for all organisations: every company, irrespective of its size or location, is at risk of a cyber-attack. As a result, most have started buying cyber insurance to cover the losses such attacks may incur, sometimes combined with a specific ransomware warranty, a demand catalysed by ransomware accounting for some 75% of cyber insurance claims (AM Best 2021). Beyond ransomware, cyber insurance can cover areas including extortion demands and remediation costs.
But this is a market under strain: the ratio of losses to premiums earned (the loss ratio) stood at 73% in 2021 according to Fitch Ratings, and the risk is hard to diversify because cyber-attacks respect no geographic boundaries. Further, the lack of long-run historical data complicates the actuarial risk forecasting that the insurance industry typically relies on to set pricing. In combination, this threatens the profitability of the industry, and thereby the protection it affords, and is fuelling rising premiums for customers too.
Headline-grabbing ransomware warranties are also an area where further investigation and careful reading of the small print are required. What looks an attractive proposition (and often a no-brainer) will in many cases never pay out, and could lead to dangerous complacency.
Additionally, cyber insurance clauses are tightening, as highlighted by the recent announcement by Lloyd's of London on coverage limitation: for example, its insurance products will no longer cover the fallout of cyber-attacks exchanged between nation-states. Many insurers are also imposing stricter safeguarding requirements. Although these help to raise the level of cyber security defences, they can also leave some organisations, and especially SMBs, exposed, as they are less able to meet the new minimum thresholds.
This makes knowing exactly what is covered by any policy you hold today, or are contemplating purchasing, a business and technology imperative. Cyber insurance policies and ransomware protection warranties do not cover every aspect of an attack; in most cases there are varying triggers, limits, conditions and coverages for different types of claim, any of which can lead to a denied or reduced claim and a gap between expectation and what is actually paid out. Education and awareness are key here: you must know exactly what is not covered by your cyber insurance today, to avoid surprises later. Roy May does a great job of covering exactly this point.
Let's explore some of the key issues in turn to support exactly that.
In many businesses, everything from sourcing raw materials to shipping the finished product runs through automated systems. A cyber-attack on any part of that process could be catastrophic, and a company that ends up in that situation will likely find that its cyber insurance does not cover the full extent of the loss.
The resilience of a business is tied to its cyber resilience, which makes a sustained, organisation-wide focus on cybersecurity critical across technology, process, culture and skills. As part of this, cyber insurance plays a role in protection by requiring advances in security by design through increasingly stringent terms, and by supporting organisational recovery after a breach, provided all those obligations were fulfilled. But not all cyber insurance policies are made equal; there are material differences in coverage and conditions. So you must fully understand both your requirements and your obligations before making a final decision.
Start-ups and SMBs with small portfolios or minimal digital assets may not be able to justify the expense of cyber insurance; a better return on investment is likely to come from focusing on defence, for example Zero Trust practices and employee training and awareness. For large enterprises managing significant volumes of sensitive financial information or PII on behalf of their customers, investment in a reputable cyber insurance policy can be well justified, but only as part of a holistic cybersecurity strategy. No policy will prevent a security incident or resolve one on its own; rather, it forms the final piece of a proactive defence programme that focuses on both early identification of risks and rapid recovery when (not if) an attack of some form occurs.
Carry on the cybersecurity conversation by joining Sally, Commvault customers and experts for our May 25th webinar.
Dr. Sally Eaves is the Chair for Global Cyber Trust at leading Think Tank GFCYBER and Digital Decentralization, Democracy and Security Advisor for the Centre for a New American Security (CNAS) reporting to the United States Government. A highly experienced Chief Technology Officer by background, Professor in Advanced Technologies, and a Global Strategic Advisor on Digital Transformation, Sally specialises in the application of emergent technologies, notably AI, Security, 5G, Cloud and IoT disciplines, for Business and IT transformation, alongside enabling Social Impact at scale.
An international Keynote Speaker and Author, Sally was the inaugural recipient of the Frontier Technology and Social Impact award, presented at the United Nations, and has been described as the "torchbearer for ethical tech", founding Aspirational Futures to enhance inclusion, diversity, equity and belonging in the technology space and beyond.