David Corlette, VP of Product Management at VIPRE Security Group
In today’s digital landscape, the rising cost of cybercrime is putting immense pressure on the cyber insurance market. With global cybercrime expenses projected to reach a staggering $23.8 trillion within four years, insurers are grappling with profitability challenges. This has led to concerns about the future insurability of cyber risks.
The repercussions are already evident. Skyrocketing premiums are making cyber insurance increasingly unaffordable. Many organisations are even opting to cut back on insurance and make bigger investments in their own cybersecurity instead. Simultaneously, insurers are tightening policy coverage while regulatory compliance requirements become more stringent. In the UK, the Information Commissioner’s Office (ICO) has taken to publicly naming organisations that suffer data breaches.
Despite these challenges, forgoing cyber insurance is not a viable option for any business, let alone a financial services organisation. It remains crucial for economic survival. Cybercriminals are leaving no stone unturned in their ruthless pursuit of breach tactics. In the event of a security breach, companies need immediate coverage for remediation costs and, ideally, protection against indirect expenses that may arise due to supply chain and ecosystem impacts.
So, how can financial organisations ensure they remain insurable while keeping premiums manageable? The key lies in demonstrating a robust security posture to insurers.
Prove security credentials
Cyber insurers are becoming increasingly discerning in their risk assessments. Many are now excluding state-sponsored attacks from their policies and scrutinising existing security measures. Inadequate protection can result in policy refusal or significantly higher premiums. Some insurers even insist on evaluating breaches with their own forensic experts before releasing funds.
To secure affordable premiums, organisations must provide a comprehensive view of their security defences. This includes evidence that all types of security models have been evaluated and best-in-class solutions implemented across infrastructure, data management, mobile, network, application, endpoint, and email security. Well-documented vulnerability management procedures and incident response plans are also crucial.
When selecting security solutions, it’s important to choose those that have been stress-tested and highly rated by reputable independent software rating agencies. This provides both organisations and insurers with assurance regarding the efficacy of the installed products.
Resource allocation and expertise
One key criterion in insurers’ risk assessments is the level of resources allocated to IT security. Recognising that in-house IT expertise can be prohibitively expensive, insurers often view outsourcing to reputable managed service providers favourably. This approach ensures access to specialised, up-to-date cybersecurity expertise cost-effectively.
Application security and deployment
As the focus shifts towards defences like API protection, cloud security, and bot management, organisations should highlight the pedigree of their application security solutions and their ease of maintenance. Insurers are wary of difficult-to-patch solutions, as they pose greater breach risks.
It’s crucial to emphasise that even the best security solutions can be compromised if they are not optimally deployed. For instance, implementing multi-factor authentication only for desktops and key applications while neglecting seemingly lower-priority servers can create gaps that sophisticated attackers can exploit. Only recently, a new Phishing-as-a-Service (PhaaS) platform known as ONNX Store has been seen in the wild, specifically targeting financial institutions. Utilising Telegram bots, this service allows cybercriminals to execute phishing campaigns and circumvent multi-factor authentication security measures.
Combating phishing through technology and training
With email-led phishing driving almost every attack, organisations need to invest in cutting-edge technology to counter evolving threats like QR codes, QakBot, and URL redirection. This could involve adopting new products or leveraging existing solutions from vendors with robust development roadmaps. Thorough due diligence, proper implementation, and rigorous testing should underpin any technology adoption.
Increasingly, insurers are recognising the true risk of phishing, as evidenced by the detailed information they now require on endpoint and email security measures. To demonstrate genuine risk reduction intent, organisations will do well to provide evidence of comprehensive security awareness training programs for all users.
The relentless nature of phishing attacks necessitates constant vigilance from employees. Professional criminals are employing advanced techniques and AI technologies to craft increasingly sophisticated scams. By showcasing a proactive approach to pre-empting and mitigating the impact of such phishing attempts, organisations can gain leverage when negotiating insurance premiums.
Intertwined cybersecurity measures and insurance premiums
As cyber threats evolve and intensify, the relationship between cybersecurity measures and insurance premiums becomes increasingly intertwined. Organisations that demonstrate a comprehensive, proactive approach to security – encompassing technology investments, expert resources, and user training – are better positioned to secure favourable insurance terms.
By focusing on these key areas and providing insurers with compelling evidence of their security posture, financial businesses can not only protect themselves against cyber threats but also ensure they remain insurable at affordable rates. In an era where cyber risks are becoming ever more complex and costly, this approach is essential for long-term resilience and economic survival.