Cyber Insurance: A catalyst for proactive business security

While cyber insurance is not a cyber protection method, it might have its place in your company's overall security strategy.

As the costs of cybercrime and ransomware rise each year, companies are being extorted into paying millions of dollars to cybercriminals. Cyber insurers reflect this reality in their terms and press their clients to adopt preventive measures, so that ideally such situations are avoided altogether.

You might now wonder whether cyber insurance is the right solution for you. Especially for small business owners, it might seem like an extra expense they can't afford. However, according to Allianz, the most important global business risk for 2024 is the threat of cyber incidents.

[Figure: Allianz global business risks. Source: Allianz Risk Barometer 2024]

Unfortunately, in the event of a successful cyberattack, cyber insurance might be the last measure standing between you and the complete financial collapse of your company. So, it is crucial to consider both the benefits and limitations of cyber insurance.

What coverage does cyber insurance provide?

While details differ, depending on the provider, cyber insurance is a policy that covers various areas, such as dependent business interruption, system damage, rectification costs, loss of profit, increased cost of working, consequential reputation harm, hardware replacement costs, and more. Essentially, it addresses the consequences of a cyberattack once it has occurred.

However, as threats become more prevalent and sophisticated, cyber insurers are protecting themselves by changing their policies. These changes include lowering payout limits for different classes of losses, increasing the amounts the policyholder must pay out of pocket before coverage applies, and selecting more carefully which risks they will cover and which industries they will serve. They also continue to emphasize proactive cybersecurity controls to drive down cyber risk.

Therefore, always carefully read all the terms and conditions of your policy to understand which risks are covered, and which are not.

What might not be covered?

  • Financial fraud resulting from social engineering attacks: if an employee voluntarily disburses funds as a result of a spear-phishing or business email compromise attack, the funds may not be recoverable.
  • The cost of hardening an organization's cybersecurity posture following a successful attack.
  • Potential loss of future profits: because these are difficult to tie exclusively to the attack, they are typically not covered.
  • Diminished value of intellectual property: losses of your company's proprietary know-how or technology solutions are typically not covered.
  • Nation-state attacks or acts of war.
  • Geographical restrictions: operations outside the home country may not be covered.

One common misconception among businesses is that cyber insurance equates to cyber protection. The key difference is that, while insurance manages the consequences, protection focuses on preventive measures. It is much less demanding to incorporate preventive measures than it is to deal with the consequences of an attack. Even cyber insurance companies highlight the importance of prevention, and require their clients to adopt preventive measures.

Hence, a good first step before applying for insurance is to assess your cyber risk. You can do this by completing standardized questionnaires, or by participating in trusted cybersecurity rating systems such as SecurityScorecard or the Shared Assessments Standardized Information Gathering (SIG) questionnaire. Whichever you choose, you will be able to benchmark your security posture against your peers, identify vendors and supply chain partners whose security measures are lacking, and get an idea of the pricing you can expect from the insurer based on your rating.

To improve your rating and obtain better pricing, consider focusing on the following areas:

  • Firewalls: To monitor and control network traffic.
  • Encryption: To protect data both in transit and at rest.
  • Multi-factor authentication: For added security beyond passwords.
  • Best-practice password policy that is enforced: To prevent credential-based attacks.
  • Regular software updates and patch management: To close security gaps.
  • Intrusion detection and prevention systems: To identify and mitigate threats.
  • Employee training and awareness programs: To reduce human error.
  • Email filters, and anti-spam solutions: To prevent phishing attacks.
  • Endpoint security: To protect individual devices.
  • Regular security audits and assessments: To identify vulnerabilities.
  • Backup and recovery solutions: To ensure business continuity.
  • Physical security measures: To protect critical infrastructure.
  • Incident response planning: To respond effectively to cyber incidents.

How much does cyber insurance cost?

The amount you pay for cyber insurance is based on the risks your company may face. The better your preventive measures, the less you pay for the insurance. Cyber insurance companies may conduct thorough assessments of your business's security measures before setting the price, so you want to make sure the preventive measures are in place. Solutions like ESET PROTECT and its modules align well with these requirements, and offer great preventive care.

Is cybercrime a business?

At the ESET World 2024 global cybersecurity conference, Tony Anscombe, chief security evangelist at ESET, emphasized that cybercriminals operate like regular businesses. "I don't think they're sitting in darkened rooms in hoodies. I think they sit in offices. I believe they have campaign managers, data analysts, and they run a business. I think they have benefits and salaries. It's a different game than what we're used to." Much of their income comes from ransoms paid by cyber insurance companies on behalf of their clients. Knowing that insured customers are more likely to pay the ransom, attackers may choose those with insurance as victims of their crimes.

Some countries have even made it illegal to pay ransoms to cybercriminals, based on the premise that, by giving them money, victims are supporting cybercrime. If a company pays the ransom, the attackers are likely to find another company in the same industry, and launch another attack. Before deciding to pay the ransom, companies should always check the sanction lists and laws of their respective countries to ensure that they will not face further penalties, or even imprisonment, if they decide to cooperate with the attackers. ESET recommends not paying the sum demanded.

While having a safety net like cyber insurance is essential for when your company becomes a target, focusing on robust preventive measures is even more important. These measures not only prevent digital attacks, but they also reduce your cyber insurance costs by lowering the risk of having to use the insurance in the first place. By combining prevention and cyber insurance, you can rest assured that your company is as safe as it can be.