No cybersecurity program is invulnerable to ransomware or other form of attack. No firewall is impenetrable, no organization immune to breach.
The most sophisticated cybercriminals typically are a step or two ahead of the world’s foremost security experts and light years beyond the general public — hence the time-worn saying that an attack isn’t a matter of “if”; it’s a matter of “when.” The best we can do is to mitigate the risk of attack, protecting ourselves with cybersecurity products, policies and procedures, along with a custom-designed program of cyber insurance.
Sadly, too many organizations find this out the hard way. Some pay a steep price in time, money and reputation before implementing the risk management program they should have established before a breach. Others never recover.
Why the delays in implementation? Two main reasons:
- Insufficient information. Otherwise savvy business people often don’t understand the range and scope of cyber vulnerabilities, underestimating the number of ways hackers can extract data and currency, and failing to recognize the extent of the damage a breach can cause.
- Cost. State-of-the-industry cyber security is expensive, and the price of cyber insurance — once a greatly underappreciated bargain — has escalated significantly as attacks have become both more common and more exorbitant in recent years. In response to the number and scale of breaches, insurance carriers have become increasingly selective and restrictive in terms of capacity, forcing consumers into secondary markets, where premiums are even higher.
The first steps to addressing these issues are education and mitigation. Learning more about the exposures your organization faces and the protection available to respond to the inherent risks won’t prevent attacks, but it will put you in better position to defend against them and respond in the event an attack is successful. Preparing for attacks with the three P’s of risk mitigation — products, policies and procedures — will make you more attractive in the insurance marketplace, increasing the likelihood an underwriter will agree to coverage and positioning yourself for more favorable terms and premiums.
Just as businesses protect themselves with risk management programs for workplace safety, driver safety and property safety, they should have in place a program for cyber safety for protection against inevitable and relentless attacks.
At the very core of the rise in cyber insurance costs and reduction in carrier capacity is ransomware, the No. 1 issue in all matters cyber today. As the insurance industry publication Carrier Management explains: “Ransomware is a form of malware that enters an insured’s network (and causes) an encryption of data and systems, rendering them unusable until the victim restores their data and systems from backups, and incurs the relevant business interruption costs, or the victim pays a ransom demand to the hacker to provide safe return of the encryption key to restore access to the data and systems.”
Carrier Management cites a study by the ransomware mediation firm Coveware that shows the average ransom payment in the first quarter of 2021 approaching $221,000, up from the “low hundreds of dollars” in the third quarter of 2018. Ransomware is why on October 13-14, 2021, the Biden administration hosted a meeting of ministers and senior officials from more than 30 countries (excluding Russia) and the European Union to address such attacks and how to combat them, and it’s why businesses are finding cyber insurance both more expensive and more restrictive.
While other lines of coverage experienced rate increases amid a hard market for property and casualty insurance over the past two years, pricing for cyber insurance has increased most dramatically during the past six months. As Steve Robinson, Cyber Practice Leader of Risk Placement Services, noted in a recent video, this ransomware-driven inflation will continue, accompanied by tighter underwriting, restricted coverage terms, increased deductibles, the addition of co-insurance with lower available limits of liability.
Global summit and price mediation notwithstanding, the rise in number and scope of ransomware attacks is expected to continue, with the most frequent targets in industries including public entities, government, education, manufacturing, construction and healthcare.
Specialized Consultants and Services
Insurance is the ultimate backstop when it comes to mitigating cyber risk, but how it plays is directly related to preparedness. The level of protection cyber insurance provides, how it responds in the event of a breach, what it costs to put the protection in place – all are contingent on risk prevention and risk mitigation.
Most middle-market businesses have an IT director who focuses on maintaining the organization’s network — including protecting it with anti-virus and cybersecurity software — but not necessarily on other forms of cyber protection. Organizations need to engage outside resources to fill in the gaps, to:
- Implement penetration tests — benign breaches by ethical, so-called “white hat” hackers — and provide risk-vulnerability assessments;
- Monitor network security 24/7, just as criminal cyber organizations work around the clock;
- Educate employees on identifying potential business email compromise and the cyber social engineering tactic known as phishing;
- Design and, when necessary, implement a disaster recovery program including mandated reporting and notification, as well as public-relations response.
Cyber Risk in a Post-COVID Landscape
The COVID-19 pandemic caused a perfect storm of events that exposed organizations to increased, emerging and atypical cyber risks. Work from home (WFH), cloud computing, 5G and the Internet of Things (IoT) all existed before the novel coronavirus, but the pandemic made them ubiquitous, expanding personal and organizational vulnerabilities and exponentially expanding opportunities for cyber criminals. According to a 2021 report by Cybercrime Magazine, global cybercrime already is responsible for the greatest transfer of wealth in history, with the cost of attacks expected to grow by 15 percent annually over the next five years – up to $10.5 trillion by 2025.
To help organizations combat this wave of cybercrime, Alera Group has created a guide to best-in-class loss prevention, risk mitigation and insurance coverage placement. In our new whitepaper “Cyber Risk in a Post-COVID Landscape,” you’ll find information on topics including:
- Establishing priorities
- Recent trends and claims
- Cybersecurity plans and functions
- Risk management
- Cyber insurance market outlook
- Best practices
- Anticipated risks
- Reimagining cyber protection through a holistic approach.
To obtain the whitepaper, click on the link below.
About the Author
Stephen Paulin, CIC
Cyber Risk Strategist
Orion Risk Management, an Alera Group Company
Stephen Paulin, a Certified Insurance Counselor (CIC), has more than 35 years of experience as a risk strategist helping privately held, mid-market businesses reach their profit goals by improving risk management outcomes that optimize the insurance program’s financial efficiency and produce better long-term business performance. Steve’s innovative, results-driven approach, exacting research and diagnostic process make businesses safer, more productive and profitable by delivering a proven methodology to:
- Identify the risks facing your business
- Develop strategies to mitigate the total cost of risk
- Attain “best in class” status to create intense competition in the insurance marketplace
- Deliver personalized metrics to measure broker performance and ROI, and to achieve improved bottom-line results.