Common perception now points to the COVID-19 pandemic as the demarcation point for a new era in cybersecurity. The resulting expansion of remote work and cloud services has widened the attack surface significantly and pushed security leaders to approach cybersecurity and cyber risk more proactively.
However, the “new normal” hasn’t just affected how IT security teams operate; we’re also seeing a hardening of the cyber insurance market, driven by an influx of email-borne cyberattacks such as ransomware and business email compromise. According to a Forbes report, the percentage of organizations hit with ransomware jumped to 66% in 2021, a 29-percentage-point year-over-year increase.
In a recent #TrendTalks session, Vince Kearns helps security leaders make sense of the current state of the market with cyber insurance expert Andy Anderson.
Q: When looking at traditional insurance services, like auto and home, much of that is based on historical performance or location. How is the average cyber insurance plan determined?
According to Anderson, “we take a data-first approach. We use a lot of fancy computers and data science, particularly machine learning and artificial intelligence, to understand what are the things that may influence the likelihood of an organization having a cyber incident.”
Q: Much like any insurance service, there are several tiers from which an organization can choose. How do security leaders measure coverage requirements?
“So typically, we sell most often a million dollars’ worth of coverage,” explains Anderson. “But then there is the overall limit of the policy, and then there are sub-limits on specific types of events. So, a cyber policy is sort of multiple insurance policies in one, and it covers the different types of events.”
Q: We’re seeing these tiered services falling into two categories: comprehensive policies with more security requirements, and policies with fewer requirements but higher premiums and deductibles. What makes for a good cyber insurance plan?
Anderson discusses what security leaders should look for in an insurance provider. “You really want to be understanding kind of what’s the cost per that much coverage, what’s known as the rate, and particularly looking at the sub-limits here, like ransomware, email compromise, or what’s known as cybercrime, the actual theft of money.”
“The second would be the deductible. In commercial insurance policies, it’s known as retention,” says Anderson. “So, you want to think about, what’s my limit? What’s the cost of that? What am I actually going to be on the hook to pay? Maybe you have a full million dollars of cyber coverage for a ransomware event, but there’s 20% or even 50% co-insurance. So essentially then you’re on the hook for your half of that.”
Anderson explains there are “two flavors of how these carriers will pay.” Under a reimbursement policy, the organization is assumed to pay the costs itself and is reimbursed by the carrier afterward, unless the policy specifies pay-on-behalf; under a pay-on-behalf policy, the carrier covers the costs directly on the organization’s behalf. Pay-on-behalf is the preferred structure for businesses because it takes the pressure off having to come up with hundreds of thousands of dollars in Bitcoin to pay a ransom.
Q: With Forrester predicting that cloud-native adoption would rise to half of all enterprise organizations, it’s important to know what exactly you’re receiving when partnering with a cyber insurance company. What does a typical plan cover?
When describing the kinds of cyber incidents that generate claims, Anderson urges security leaders to check how each of the following is covered when choosing an insurance partner.
“The one that people historically have thought about are these data breaches. And that means really just the loss often of confidential or sensitive data. They can be expensive, particularly when it’s a lot of records.” With IBM Security reporting that 83% of organizations studied have had more than one data breach, Anderson cautions that “a lot of the focus in the last couple of years and what have been driving loss trends are really business interruption, cyber extortion, and then cybercrime.”
According to IBM Security’s Cost of a Data Breach Report, a breach caused by ransomware cost an average of USD 4.54 million, while a breach caused by business email compromise (BEC) cost an average of USD 4.89 million.
This leads Anderson to stress the need for organizations to maintain a strong security posture that contains an incident before it spreads. “Particularly XDR and MDR can really do that. You might have something happen on a single device, but it’s not going across the entire network. It’s not leading to one of these catastrophic type of outcomes.”