Ransomware, man-in-the-middle (MITM) attacks, and denial-of-service (DoS) attacks all made major headlines during 2021. It was a year of major cyber attacks, and experts agree – cyber crooks are not going anywhere, and cybercriminal activity will increase in the upcoming years. It will no longer be a question of if you get attacked but rather of when.
Contents:
These developments have businesses raising serious questions: what can be done to mitigate risk and improve the odds of surviving an attack? Partly, the answer could be cyber insurance, which was the topic of our latest webinar. Here’s a recap of the webinar, which comprised Andrew Lipton, Vice President, Head of Cyber Claims, AmTrust Financial Services; Alexander Cherry, UK Insurance Research Lead, Accenture; Dan Burke, Senior Vice President and National Cyber Practice Leader, Woodruff Sawyer; and Bryan Falchuk, founder and managing partner, Insurance Evolution Partners. The moderator was Patricia L. Harman, Editor-in-Chief, PropertyCasualty360 group.
Not a matter of “if” but “when”
Numbers don’t lie. They tell us that throughout 2021 we saw a 50% increase in cyber attacks per week on corporate networks compared to 2020. The trend is alarming and suggests that for today's businesses, which leverage internet and network technology, it is a question of when a cyber security challenge will present itself rather than if.
Vice President, Head of Cyber Claims, AmTrust Financial Services
Attacks on small businesses have been pretty highly prevalent in the last couple of years. If I had to single out a sort of smaller sector of attacks that I would say have been popping up some more affecting small business that folks should pay attention to, it would really have to do with what I would call business function attacks.
Andrew Lipton
Vice President, Head of Cyber Claims, AmTrust Financial Services
Lately, as the panelists noted, small businesses have seen a steep increase in ransomware attacks. This is in large part due to the rise of RaaS (ransomware as a service). Essentially, it is a business model between ransomware developers and affiliates, who pay for an attack on developers. What’s even more alarming is that RaaS allows for custom-made attacks, meaning that ransomware developers will purpose-build a malicious application to attack a specific business taking into account it’s IT infrastructure and other variables.
What is cyber insurance and why is it important?
Today, it is important to understand that cybercriminals act much like the companies they attack. They are sophisticated in their approach and diligent in their planning processes. It is no longer a one-person operation.
Recovering from a cyber attack is a resource-consuming process that can easily drive organizations out of business. Even a single attack is capable of damaging a business beyond repair. Just think about the costs you'd incur in your organization in the aftermath of a cyber attack. You’d most likely be hiring attorneys and forensics investigators, setting up call centers to respond to customer queries, and much more.
The issue with cyber is that it’s one of the things that really can break small businesses. They usually don’t have such costs that are required to recover after the attack.
Alexander Cherry
UK Insurance Research Lead, Accenture
With so much on the line, more companies than ever are securing cyber-insurance policies to mitigate the potentially deadly consequences.
Generally, when we talk about cyber insurance, we refer to a form of insurance policy that is designed to protect your business from cybersecurity-related risks. While businesses are responsible for their security, in the event of a cyber attack, an insurance policy will provide critical support to help the organization stay afloat.
Usually cyber insurance covers everything from data breaches to network instructions, social engineering attacks, fraudulent fund transfers, ransomware and more. Of course, the exact conditions of the policy depend on the specific terms established between the company and the issuer.
Cyber insurance is one tool that helps businesses stay in business.
Dan Burke
Senior Vice President and National Cyber Practice Leader, Woodruff Sawyer
Do companies with cyber insurance face more cyber attacks?
There’s a common misconception that having a cyber-insurance policy makes the company a more attractive target. This misconception is rooted in the belief that hackers can know whether the company is insured prior to the attack. However, in reality, hackers can only find out about a company’s cyber-insurance policy after an attack, which by extension means that the attacked company was the target regardless of its insurance policies.
There’s no national registry of cyber insured entities.
Bryan Falchuk
Founder and Managing Partner, Insurance Evolution Partners, Moderator
There’s never been an event I’ve seen on the carrier side or when I was an outside counsel before where the basis of the attack was the attacker’s discovery that insurance existed.
Andrew Lipton
Vice President, Head of Cyber Claims, AmTrust Financial Services
Preparing for cyber insurance: what you need to know and do
Buying cyber insurance for the first time can be a challenging task. Understanding your coverage and how your business’s cybersecurity infrastructure and practices factor into the underwriting of your policy can be overwhelming. Here are some of the important points that you should take into account while trying to secure a cyber-insurance policy for your business.
The insurance sector is changing. In the past, insurance providers focused on how few questions they ask. If you were doing good security practices, you were getting a premium discount. Today, due to the number of attacks and losses, carriers are requiring specific security controls just as a minimum baseline: a password manager, like NordPass, employee training, MFA, removing local admin access from all employees, having endpoint detection response tools deployed across all the endpoints in the organization.
Dan Burke
Senior Vice President and National Cyber Practice Leader, Woodruff Sawyer
You need to sit down with the experts and hear their expectations so you can then translate that into actionable items when you come to the underwriting process. It’s all about making sure you have the right tools implemented that would secure your weakest links. It will be easier to be insurable when you better understand cyber insurance carriers' concerns.
Andrew Lipton
Vice President, Head of Cyber Claims, AmTrust Financial Services
We need people to be more vigilant about leaving their devices behind or their password hygiene, etc. Are there tools that can help you with that? We’re all here today from a provider of one of those tools, and to be fair, that stuff really works.
Bryan Falchuk
Founder and Managing Partner, Insurance Evolution Partners, Moderator
The main point that all panelists tried to get across is the importance of cybersecurity tools for business. The tools, such as NordPass Business, not only mitigate actual security risks but can also help organizations qualify for a cyber-insurance policy.
Closing remarks
It is all about readiness at the end of the day. When businesses set out to get cyber insurance, security infrastructure and practices reign supreme. It is the deciding factor between securing a policy or being turned down, which by extension could have existential consequences for an organization.
Think of the coverage as not nice to have, but it’s part of that total picture, and all of those mentioned things must be actively engaged.
Bryan Falchuk
Founder and Managing Partner, Insurance Evolution Partners, Moderator
The market is still quite immature. We’ve had this massive hardening in recent months, and to look beyond that and see it as a more long-term commitment. ... Continue to invest into the best practice even if you don’t feel like you’re being massively rewarded for it right now. In two or three years, when insurers have the data to properly price the mitigations you’re putting in place, you may reap the rewards from this work a bit further down the line.
Alexander Cherry
UK Insurance Research Lead, Accenture
The future of cyber insurance is going to be where the cyber insurer is a trusted partner in your cyber security risk-management strategy, and if you approach the conversations with the cyber insurer. That way, you get favorable responses. There will be favorable outcomes.
Andrew Lipton
Vice President, Head of Cyber Claims, AmTrust Financial Services
Cyber insurance is one piece of the puzzle, and there’s a ton of work to be done on the security side, a ton of work to be done in organizing your business and protecting it yourself. Cyber insurance is a tool on the back end, and that safety net for you. And it’s a very valuable tool to help your business recover from an event.
Dan Burke
Senior Vice President and National Cyber Practice Leader, Woodruff Sawyer
In today’s world, when a majority of business operations take place online, organizations need to realize the importance of cybersecurity. Fail to do so and risk being put out of business in the near future. Advanced security tools, such as NordPass Business, help organizations to mitigate external cybersecurity risk as well as secure a cyber-insurance policy.
For an in-depth discussion about all things related to cyber insurance, please check out the full recording of the webinar. You can also find more cybersecurity tips and tricks, as well as other discussions, on our LinkedIn page.