Coalition found that both claims frequency and severity rose for businesses in early 2023 across all revenue bands. Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims as well as more substantial losses from attacks – with a 72% increase in claims severity from 2H 2022.
“The cyber threat landscape has become more volatile, and, as a result, we’ve seen claims become more severe and more common than ever,” said Chris Hendricks, Head of Coalition Incident Response.
“To help prevent these costly and disruptive incidents, organizations need to take an active role in improving their security defenses and make risk management a top priority,” added Hendricks.
Coalition’s report also saw a resounding increase in ransomware claims frequency in 1H 2023, which grew by 27% from 2H 2022. Claims severity also reached a record high, increasing 61% from the previous half and 117% over last year.
Moreover, cybercriminals increased their demands: the average ransom demand was $1.62 million, a 47% increase over the previous six months and a 74% increase over the past year.
Email security remained critical to claims reduction
The company also recovered an unprecedented $23 million in stolen funds — all of which went directly back to policyholders. Notably, Coalition’s total FTF (funds transfer fraud) recovery amount was nearly three times greater than 2H 2022. The average recovery amount was $612,000 per FTF claim, representing 79% of all FTF losses in instances where recovery was possible.
FTF claims frequency increased by 15% in 1H 2023, and FTF severity increased by 39% to an average loss of more than $297,000. This half, Coalition negotiated ransomware payments down to an average of 44% of the initial amount demanded.
Businesses using Google Workspace for email were markedly more secure than those using Microsoft Office 365 (M365) and on-premises Microsoft Exchange. M365 users were more than twice as likely to experience a claim compared to Google Workspace users. On-premises Microsoft Exchange users were nearly three times more likely to experience a claim than businesses using Google Workspace.
Overall, companies using Google Workspace experienced a 25% risk reduction for FTF or BEC claims and a 10% risk reduction for ransomware claims.
The cybersecurity insurance sector is experiencing swift expansion, with its value surging from around $13 billion in 2022 to a projected $84 billion by 2030, reflecting a robust 26% compound annual growth rate (CAGR). However, insurance providers are encountering challenges when it comes to accurately assessing the potential hazards associated with providing coverage for this category of risk.
Conventional actuarial models are ill-suited for an arena where exceptionally driven, innovative, and astute attackers are actively engaged in orchestrating events that lead to insurable incidents. Precisely gauging potential losses holds utmost importance in establishing customer premiums. However, despite a span of twenty years, there exists a substantial variance in loss ratios across insurance providers, ranging from a deficit of 0.5% to a surplus of 130.6%. The underwriting procedures lack the necessary robustness to effectively appraise these losses and set premiums that reflect a reasonable pricing.
Why is the insurance industry struggling with this?
The problem is with the nature of the threat. Cyber attackers escalate and adapt quickly, which undermines the historical-based models that insurance companies rely on. Attackers are continually shifting their maneuvers that identify victims, cause increasing loss, and rapidly shift to new areas of impact.
Denial of service attacks were once popular but were superseded by data breaches, which cause much more damage. Recently, attackers expanded their repertoire to include ransomware-style attacks that increased the insurable losses ever higher.
Trying to predict the cornerstone metrics for actuary modelers – the Annual Loss Expectancy and Annual Rate of Occurrence – with a high degree of accuracy is beyond the current capabilities of insurers. The industry currently conducts assessments for new clients to understand their cybersecurity posture to determine if they are insurable, what should be included/excluded from policies, and to calculate premiums. The current process is to weigh controls against best practices or peers to estimate the security posture of a policyholder.
However, these rudimentary practices are not delivering the necessary level of predictive accuracy.
The loss ratio for insurance firms has been volatile, in a world where getting the analysis wrong can be catastrophic. Variances and unpredictability make insurers nervous. At maximum, they want a 70% loss ratio to cover their payouts and expenses and, according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve the desired loss ratio.
In response to failures to predict claims, insurers have been raising premiums to cover the risk gap. In Q4 2021 the renewals for premiums were up a staggering 34%. In Q4 2022 premiums continued to rise an additional 15%.
There are concerns that many customers will be priced out of the market and the insurance industry and left without a means of transferring risk. To the detriment of insurers, the companies may make their products so expensive that they undermine the tremendous market-growth opportunity. Additionally, upper limits for insurability and various exception clauses are being instituted, which diminish the overall value proposition for customers.
The next generation of cyber insurance
What is needed are better tools to predict cyber attacks and estimate losses. The current army of insurance actuaries has not delivered, but there is hope. It comes from the cyber risk community that looks to manage these ambiguous and chaotic risks by avoiding and minimizing losses.
These cybersecurity experts are motivated by optimizing limited resources to prevent or quickly undermine attacks. As part of that continuous exercise, there are opportunities to apply best practices to the insurance model to identify the most relevant aspects that include defensive postures (technology, behaviors, and processes) and understanding the relevant threat actors (targets, capabilities, and methods) to determine the residual risks.
The goal would be to develop a unified standard for qualifying for cyber insurance that would adapt to the rapid changes in the cyber landscape. More accurate methodologies will improve assessments to reduce insurers’ ambiguity so they may competitively price their offerings.
In the future, such calculations will be continuous and showcase how a company will benefit by properly managing security in alignment with shifting threats. This should bring down overall premium costs.
The next generation of cyber insurance will rise on the foundations of new risk analysis methodologies to be more accurate and sustain the mutual benefits offered by the insurance industry.
Security chiefs should shop early for coverage and prepare for long questionnaires about their companies’ cyber defenses, industry professionals say
Insurers are scrutinizing prospective clients’ cybersecurity practices more closely than in past years, when underwriting was less strict. PHOTO: GETTY IMAGES/ISTOCKPHOTO
For many businesses, obtaining or renewing cyber insurance has become expensive and arduous.
The price of cyber insurance has soared in the past year amid a rise in ransomware hacks and other cyberattacks. Given these realities, insurers are taking a harder line before renewing or granting new or additional coverage. They are asking for more in-depth information about companies’ cyber policies and procedures, and businesses that can’t satisfy this greater level of scrutiny could face higher premiums, be offered limited coverage or be refused coverage altogether, industry professionals said.
“Underwriting scrutiny has really tightened up over the past 18 months or so,” said Judith Selby, a partner in the New York office of Kennedys Law LLP.
In the second quarter, U.S. cyber-insurance prices increased 79% from a year earlier, after more than doubling in each of the preceding two quarters, according to the Global Insurance Market Index from professional-services firm Marsh & McLennan Cos.
Direct-written premiums for cyber coverage collected by the largest U.S. insurance carriers—the amounts insurers charge to clients, excluding premiums earned from acting as a reinsurer—climbed to $3.15 billion last year, up 92% from 2020, according to information submitted to the National Association of Insurance Commissioners, an industry watchdog, and compiled by ratings firms. Analysts attribute the increase primarily to higher rates, as opposed to insurers significantly expanding coverage limits.
Companies buying insurance are subject to tight scrutiny of internal cyber practices. This is different from past years, when carriers poured into the cyber market and competition produced less-stringent underwriting, Ms. Selby said.
Now, insurers aiming to limit their risk are putting corporate security chiefs through lengthy lists of questions about how they defend their companies, said Chris Castaldo, chief information security officer at Crossbeam Inc., a Philadelphia-based tech firm that helps companies find new business partners and customers.
“Prior to the questionnaires, you just gave them the coverage amount you wanted and the industry you were in, and that was it,” Mr. Castaldo said, referring to interactions with cyber insurers.
Discover Financial Services has a third party validate the robustness of its cybersecurity program, which helps with insurance, said CISO Shaun Khalfan. “Insurers want to have confidence that you are making the right investments and are building and maintaining a robust cybersecurity program,” Mr. Khalfan said.
Some of the questions insurers ask—and the level of detail required—can depend on the carrier, the size and type of the business seeking coverage and the amount of coverage desired.
Around 18 months ago, underwriters asked companies whether they required multifactor authentication when administrators accessed their system, said Tom Reagan, cyber practice leader in Marsh McLennan’s financial and professional products specialty practice. Today there’s an expectation that multifactor authentication is used throughout the organization, not just by administrators, he said.
Insurers also expect organizations to have planned and tested for a cyber event, such as through tabletop exercises, Mr. Reagan said: “They are not just interested in your smoke alarms, they want to hear about the fire drills.”
Carriers want to know what kind of backup plans companies have if a ransomware attack strikes and how those plans are tested. Insurers also diving deeper into whether a company’s networks are segregated to limit the spread of malware, Ms. Selby said. Other important criteria some insurers consider, she said, include endpoint protection, or monitoring and protecting devices against cyber threats, and incident-response exercises.
Some companies will need to work with more carriers than in the past to get the desired level of coverage because no single insurer wants to carry so much risk, Ms. Selby said.
Amid the changing landscape, Mr. Reagan recommended that companies start to re-evaluate their cyber-insurance needs as early as six months before a policy comes up for renewal. Starting earlier to identify possible holes allows businesses to make changes to their cyber defenses, if necessary, and gather information that carriers require, he said.
When security fails, cyber insurance can become crucial for ensuring continuity.
Cyber has changed everything around us – even the way we tackle geopolitical crisis and conflicts. When Einstein was asked what a war will look like in the future, he couldn’t have predicted the importance of digital technology for modern societies.
According to a report by IDC, by the end of 2022, nearly 65% of the global GDP will be digitized — reliant on a digital system of some kind. This shift to digital technology has created a new class of digital risks that are constantly evolving and strike faster and often with more severity than traditional risks. The events of the past two years have made this shift clear: from ransomware attacks to the challenges of managing distributed workforces, digital risk is different.
Our reliance on digital technology and the inherited risk is a key driving factor for buying cyber risk insurance. If the technology were to become unavailable, the resulting business impact could be mitigated with cyber insurance. Even if businesses invest in cybersecurity protections, as they increasingly do, security controls are not impenetrable. When security fails, cyber insurance can become crucial for ensuring continuity.
While traditional insurance has served mainly as a hedge against loss only after an incident, insurance designed for the digital economy needs to look at risk from a different angle, providing value before, during, and after an incident that could lead to a loss. This is essential for all businesses, as the analysis of security incidents that led to claims during 2021 reveals.
Ransom demands continue to increase. The ransomware business model has begun to mature, and the average ransom demand has increased by 20%.
The frequency of other attack techniques also rose as hackers expanded to new tactics. This heralds an era of omnidirectional threat. While ransomware may be the most newsworthy, no attack vector can be ignored.
Small businesses are disproportionately impacted. As attacks become increasingly automated, it has become easier and more profitable for criminals to target small organizations.
“We are noticing a drastic increase in both likelihood and severity of all types of cyber-attack,” says Isaac Guasch, cyber security specialist at Tokyo Marine HCC International. “Whether you are a small independent business or a large, international organization, the increasingly interconnected nature of the businesses that form our economies, is a key threat. Even if you are confident that your cyber security measures are up to date, those of your partners may not be, so you may need to constantly redefine your perimeter,” Guasch adds.
Evolving global risk environment alters the cyber insurancelandscape
However, not all risks are technology-related. Businesses operate in a hyper-connected environment where turbulences in one part of the world may have dire consequences in many remote markets. Geopolitical conflicts, societal upheavals, and financial cracks may put the stability of the business environment in question.
As digital technology and interconnectedness blur the boundaries with the physical world, it also becomes more difficult to calculate risk and set premiums. However, it is true that in times of global crisis, premiums do increase. For example, the Council of Insurance Agents & Brokers reported in March 2022 an average premium increase of 34.3% for cyber, marking the first time an increase of this magnitude is recorded since the events of 9/11.
As the global risk environment evolves and changes almost every day, the insurance industry needs to evolve as well. This level of evolution should not only cover cyber insurance but other forms of “traditional” insurance. For example, what happens if a facility is damaged or even destroyed because of a cybersecurity incident targeting a connected IoT device? What is the level of risk that each connected OT device exposes critical infrastructure to?
“With respect to insurance, cyber-attacks are not just affecting cyber liability policies. They are affecting many, if not all policies that are carried by a company,” Rick Toland, executive vice president at Waters Insurance Network, told Industrial Cyber. “Further, it is difficult to quantify where the cyber loss begins, and the property, automobile, GL, pollution or other policy begins and how the financial responsibility of each insurer will be allocated to pay the resulting loss,” Toland added.
Cyber insurance is not a panacea
Within a flux financial, technological, and geopolitical environment, many businesses, especially small-and-medium ones, tend to rely heavily on cyber insurers for answers to their cybersecurity posture challenges. However, buying cyber insurance cannot become the answer to all their security problems.
Instead, businesses can partner with an experienced managed security services company to guide and counsel them through the actions and best practices that can undertake now to better protect themselves against cyberthreats. Shaping a proactive and holistic cybersecurity strategy will better equip businesses in the event they need to submit a claim for losses or damages resulting from a ransomware attack or similar malicious activity.
Above all, it comes down to the basics. Organizations should start by analyzing the security controls they have in place to ensure adherence to guidelines developed by agencies like CISA, FBI, and ENISA, including multifactor authentication, employing antivirus and anti-malware scanning, enabling strong spam filters, updating software, and segmenting networks. Either way, failure to implement basic cyber hygiene measures is a no-go for buying cyber insurance.
About the author: Viral Trivedi
Viral Trivedi is the Chief Business Officer at Ampcus Cyber Inc—a pure-play cybersecurity service company headquartered in Chantilly, Virginia. As a CBO at Ampcus Cyber, Viral leads many customer-facing initiatives, including market strategy, channel partner programs, strategic accounts, and customer relationship management. He specializes in all aspects of managed security services, in both hands-on, and advisory roles. Viral has also held executive and senior management positions with small, and large organizations, and is also a Smart Cities & Critical Infrastructure Professional, as well as an active member of Infragard.
For these and other reasons, organizations are increasingly opting for cyber insurance coverage and paying higher premiums year after year. According to the U.S. Government Accountability Office, the number of companies opting for cybersecurity coverage grew from 26% in 2016 to 47% in 2020, and most saw breach insurance premiums increase by up to 30%.
Given the clear financial stakes, it is time security leaders understand the risks before adding cyber insurance to their strategy for ransomware prevention and recovery.
Successful breaches breed more attacks
Ransomware typically enters a company via a phishing attack or a compromise of a vulnerable system deployed on a network’s perimeter. From there, the infection proliferates via exploits or open shares, encrypting important data as it jumps from machine to machine, after which cyber criminals withhold the encryption key and threaten to publish sensitive data unless a ransom is paid.
The attackers, many of whom are part of sophisticated and organized groups, often provide a step-by-step guide for the targeted company to transfer ransoms in cryptocurrency, sometimes in the hundreds of thousands or millions of dollars. Sadly, when faced with costly downtime and/or the downstream effects of having sensitive data made public, many companies end up complying with the attackers’ demands. Paying the ransom, in turn, incentivizes more attacks, perpetuating the cycle of crime.
It’s important to note that cybersecurity insurance is also incentivizing attacks rather than serving as protection for the rarest of breaches. While U.S. law enforcement has typically urged companies not to pay the ransom, it has yet to decide to ban such payments altogether (though the US Department of the Treasury’s Office of Foreign Assets Control regulations prohibit U.S. companies from paying up if they suspect the attackers of being under its cyber-related sanctions program).
Governments and law enforcement hate it when ransomware victims pay the blackmail demands that almost always follow a ransomware attack, and you can understand why, given that today’s payments fund tomorrow’s cybercriminality.
Of course, no one needs to be told that.
Paying up hurts in any number of ways, whether you feel that hurt in your head, in your heart or even just in the pit of your stomach.
“I was happy to pay up for a job well done,” said no ransomware victim ever.
However, it’s easy for people who aren’t looking down the wrong end of the cybercrime barrel to say, “You should never, ever pay. You should let your entire business implode, and let everyone in the company lose their job, because that’s just the price of failure.”
So, if your back’s against the wall and you DO pay up in the hope that you’ll be able to restart a business that has ground to a total halt…
…how well will it all go?
Guess what? You can find out by tuning into a fun but informative talk that we’re giving twice this week.
You need to register, but both events are free to join. (They’re both 100% virtual, given that the UK is still in coronavirus lockdown, so feel free to attend from anywhere.)
We’ll give you a clue by sharing a key slide from the talk:
As you can see, paying up often doesn’t work out very well anyway, even if you have no ethical qualms about doing so, and enough money burning a hole in your pocket to pay without flinching.
And remember that if you lose 1/3 of your data, like 1/2 of our respondents said they did, you don’t get to choose which computers will decrypt OK and which will fail.
Murphy’s law warns you that the laptops you could have reimaged easily enough will probably decrypt just fine, while those servers you really meant to backup but didn’t… probably won’t.
We’re going to try to make the talk amusing (as amusing as we dare be when talking about such a treacherous subject), but with a serious yet not-too-technical side.
We’ll be giving some tips you can use both at work and at home to reduce the risk of getting ransomed in the first place.
No cybersecurity plan will ever be perfect, no defense is impenetrable. With the dangers and costs of a successful ransomware attack on an organization increasing daily, it is important for cybersecurity and business leaders to have a prevention and recovery plan before disaster strikes.
In Ransomware Protection Playbook experienced penetration tester and cybersecurity evangelist Roger Grimes lays out the steps and considerations organizations need to have in place including technical preventative measures, cybersecurity insurance, legal plans, and a response plan. From there he looks at the all important steps to stop and recover from an ongoing attack starting with detecting the attack, limiting the damage, and what’s becoming a trickier question with every new attack – whether or not to pay the ransom.
No organization with mission-critical systems or data can afford to be unprepared for ransomware. Prepare your organization with the Ransomware Protection Playbook.
AXA’s branches in Thailand, Malaysia, Philippines and Hong Kong have been hit by a ransomware attack, with hackers claiming they have accessed more than 3-terabytes of sensitive data.
Included in that trove of data, according to the hackers, are customer medical reports – which is also said to expose their sexual health problems – as well as identification documents, bank account statements, payment records, contracts and details of individual claims.
In addition to the ransomware attack, AXA has also been hit by a series of distributed denial of service (DDos) attacks on its global websites that made the insurance giant’s website completely inaccessible for a number of hours.
A ransomware group by the name of Avaddon has taken responsibility for the ransomware attacks launched against AXA, just days after the company announced it would stop underwriting policies that included payouts in the event of a ransomware attack.Â
The group told AXA that the insurance giant has around 10 days to get in contact and meet their demands, otherwise risking the publication of massive amounts of sensitive information on their customers.
AXA has responded to the claims, telling Bleeping Computer that there is “no evidence” to suggest that data beyond one of its Thai operations was accessed.Â
“Asia Assistance was recently the victim of a targeted ransomware attack which impacted its IT operations in Thailand, Malaysia, Hong Kong and the Philippines.”
The insurer continued to explain that “a dedicated taskforce with external forensic experts is investigating the incident. Regulators and business partners have been informed.”
“As a result, certain data processed by Inter Partners Assistance (IPA) in Thailand has been accessed. At present, there is no evidence that any further data was accessed beyond IPA in Thailand.
“AXA takes data privacy very seriously and if IPA’s investigations confirm that sensitive data of any individuals have been affected, the necessary steps will be taken to notify and support all corporate clients and individuals impacted,” the company spokesperson said.
AXA is yet to address any specific demands of the hacking group Avaddon.Â
It might seem logical to try to negotiate the ransom demand down to an amount that isn’t going to break the bank but would still be enough to satiate cybercriminals’ thirst for cash. Unfortunately, this isn’t a good idea, because negotiations can backfire and even cause ransomware gangs to increase their ransom demands.
This recently happened to Acer when they attempted to negotiate a $50 million ransomware demand down to $10 million. As retaliation, the REvil gang threatened to double the ransom if they didn’t receive the $50 million.
Another example is the Egregor ransomware gang, which often threatens to publish their victims’ data online if they negotiate or fail to deliver on ransom payments. If you’re not looking to add your company’s name to the list of failed negotiations, keep reading to find out some do’s and don’ts of planning for ransomware incidents.
DO: Create a plan before crisis strikes
A ransomware attack affecting your business in today’s digital economy is a matter of “when,” not “if.” Cybersecurity is an arms race, and as technological innovation grows, cybercriminals are also constantly innovating to develop new and more damaging attack methods. That’s why it’s essential to prepare for an attack as if it were as sure as the fact that the sky is blue – hopefully enabling you to avoid any negotiations altogether.
The core functionality of ransomware is two-fold: to encrypt data and deliver the ransom message. This encryption can be relatively basic or maddeningly complex, and it might affect only a single device or a whole network.
Ransomware is the fastest-growing malware in the world. In 2015, it cost companies around the world $325 million, which rose to $5 billion by 2017 and is set to hit $20 billion in 2021. The threat of ransomware is not going to disappear, and while the number of ransomware attacks remains steady, the damage they cause is significantly increasing.
The limited availability of data on cyber incidents has made it difficult to develop full probabilistic models for use in pricing cyber insurance cover. While a few insurance companies, brokers and other companies have developed pricing models that provide quantifiable probabilistic estimates of potential losses based on Fair methodology, the vast majority of insurers still continue to use scenario-based approaches for estimating the potential frequency and severity of cyber incidents. Assessments of frequency and severity are usually based on publicly available data on past incidents. There are a few commercial companies that collect and market data on past incidents.
The insurability of a given risk is usually economically viable only where Risks must be quantifiable: the probability of occurrence of a given peril, its severity and its impact in terms of damages and losses must be assessable.
In the case of data confidentiality breaches, data on past breaches provides insurance companies with a basis to assess the level of risk based on different company characteristics and estimate the per record cost of a breach. Therefore, part of the underwriting process involves understanding the business activities and number and types of information records held by the company. Given the longer experience with data breach notification laws and the more developed stand-alone cyber insurance market, much of the available data is based on experience in the United States.
Insurance companies also focus significant attention on the company’s security practices and policies, depending on company size and amount of coverage being sought. For smaller companies/coverage amounts, the underwriting process will focus on basic cyber security practices such as use of a firewall, anti-virus/malware software and data encryption, as well as frequency of data backups and use of intrusion detection tools. In some cases, applications may ask about compliance with specific standards, such as the International Organization for Standardization standard on Information Security (ISO/IEC 27001); the US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; or the UK Cyber Essentials. Companies that hold payment card information might also be asked about their compliance with the PCI Data Security Standard while US companies with health records might be asked about their compliance with Health Insurance Portability and Accountability Actsecurity requirements. Some stand-alone cyber insurance applications also request information on plans and policies, such as data protection policies, network access policies, internal auditing policies, disaster recovery plans, etc., as well as governance processes in place for those policies. Larger companies would face additional scrutiny, potentially involving on-site interviews, security audits and/or penetration testing. Risk and vulnerability assessments by external security consultants are offered by some companies as an additional service included as part of the insurance policy.
Insurance companies use the information gathered through the underwriting process to determine premium levels or deny the coverage. Some insurers may also establish minimum security standards that must be maintained through the coverage period in order for coverage to be maintained or sustained, such as timely patching of vulnerabilities and/or other software updates.
Cyber-insurance is an insurance product used to protect businesses and individual users from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Cyber insurance purchased by an insured (first party) from an insurer (the second party) for protection against the claims of another (the third party). The first party is responsible for its own damages or losses whether caused by itself or the third party.
Cyber insurance may offer services products and countermeasures to protect business from known and unknown risks. There are now mandatory breach notification state laws (in many states) and regulation (HIPAA) which require breach notification. In services area cyber insurance may help organization to cover the cost of notifications and sometime may notify on behalf of an organization. The breach notification service may be necessary for SMB’s to acquire due to lack of necessary in-house resources. Depending on your business, few other items you may want to consider under cyber insurance are data restoration cost, payment of ransom, identity theft protection and reissuing of cards, potential downtime due to DDoS and potential regulatory fines.
How does a second party, an insurance company determine that first party premium (an amount to be paid for an insurance policy) and even decide that first party is insurable. The insurance company will look at organization’s security posture maturity based on industry standards and regulations (ISO, NIST, CSC, CSF) and determine if their Security Program is worthy of cyber insurance. Based on the existing security posture of an organization the second party will determine the risk they are willing to take and first party will determine the cost they are willing to pay for the premium. In the some cases insured might be able to absorb losses of the breach which were not covered by insurance but for some SMB’s these losses may be business limiting.
A point–in-time evaluation of an organization’s information security posture in constantly evolving, threat landscape only increases the challenge of insurance company to determine the first party premium. The insurance company may require a continuous feed to an organization security posture dash board which may also include but not limited to monitoring of security incident response on regular basis. Before making a decision on cyber insurance premium, an insurance company should utilize an in-house expertise or collaborate with InfoSec consulting organization to evaluate the frequency and severity of cyber threats facing an organization information security management system.
At end of the day, cyber insurance is a proactive security measure to counter potential data breaches and network security failures. Routinely, organizations are willing to spend money on security initiatives after the breach which is reactive action. Proactive security measures such as (developing sound security policies, compulsory cloud security, continuous monitoring, strong security awareness, effective BCP, proactive patching, resilient incident response plan…) may help not only to reduce the overall risk landscape but can assist in lowering the cyber insurance premium.
Proactive information security program which include but not limited to the basic cybersecurity measures may require acquiring cyber insurance. Insured organization (first party) may need to keep up with the basic cyber security measures to prevent voiding the coverage. When a functional and operational information security program which has a clear definition of an organization risk threshold becomes a priority, it can minimize potential risk of security breach and should be able to absorb losses for future security breach with cyber insurance as a part of risk management strategy.
DISC InfoSec assist in acquiring the cyber insurance which is aligned with business objectives and based on organization risk threshold. Before coverage is issued by the underwriter, in some cases, organization is asked to mitigate some risks to lower the premium. DISC InfoSec assist in compliance with standards, coverage inclusion/exclusion and risk mitigation process for organization acquiring cyber insurance. Â Â Â
When IT and security professionals plan how to respond, they must not underestimate the degree to which many of the transformative changes to our working patterns enacted due to COVID-19 have already changed our risk of ransomware attacks.
After the first “shelter in place” orders were issued, many organizations swung into action to accommodate work-from-anywhere policies. The ability of these teams to accommodate their businesses and the flexibility in modifying working practices which, in some cases, had been set in stone for years, was remarkable.
Now, many organizations are assuming a more distributed and hybrid workforce as their new normal in order to provide resilience, agility and a far broader reach in the battle for talent. However, this change has led to an uptick in focused ransomware campaigns by targeting the “human attack surface” of such organizations in a more subtle, insidious manner.
Are war exclusion clauses fit for purpose under International Humanitarian Law as cyber-attacks?
When UK and US said it was Russia, they weren’t thinking of the litigators!
Among the victims was US food giant Mondelez – the parent firm of Oreo cookies and Cadburys chocolate – which is now suing insurance company Zurich American for denying a £76m claim filed in October 2018, a year after the NotPetya attack. According to the firm, the malware rendered 1,700 of its servers and 24,000 of its laptops permanently dysfunctional.
In January, Zurich rejected the claim, simply referring to a single policy exclusion which does not cover “hostile or warlike action in time of peace or war” by “government or sovereign power; the military, naval, or air force; or agent or authority”.
Credit rating agency Equifax is to be fined ÂŁ500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.
A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.
The compromised systems were also US-based.
But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.
It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.
Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.
A further 14.5 million British records exposed would not have put people at risk, the company added last October.
The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:
19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
637,430 UK data subjects had names, dates of birth and telephone numbers exposed
Up to 15 million UK data subjects had names and dates of birth exposed
Guard let down
Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.
And appropriate steps to fix the vulnerability were not taken, according to the ICO.
And the fine of ÂŁ500,000 is the highest possible under that law.
“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.
“This is compounded when the company is a global firm whose business relies on personal data.”
An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.
“As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
“The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”
Advancement of technology is deriving proliferation of threat landscape rapidly which extend attack vectors. With proliferation of automated tools available for cyber criminals; it’s not a matter of “if” but “when” there will be a security breach. There are two types of organizations in this category, those who’ve been hacked, and those who don’t know they have been hacked. The likelihood that your organization is next is not very unlikely. Is your organization prepared for a target of information security breach?
That will depend on if you have an operational Security Program which is functional enough to manage risk of a potential security breach. Now, the million-dollar question may be, is your Security Program resilient enough to sustain the risk and can it afford to absorb losses for future security breach. The security threats are evolving on daily basis and there are unknown threats like zero day threats where you need to add cyber insurance (which provides coverage from losses resulting from data breach or loss of confidential information) as a part of risk management strategy to tackle unnecessary disruptions to your business. As a part of risk management program, organizations regularly determine which risks to avoid, accept, control or transfer. This where transferring risk to cyber insurance take place and it can compensate for some residual risk.
Some may argue that they got liability insurance, which should cover security breach. Those days are behind us when organizations thought liability insurance were enough to cover the security breaches. Sony thought their general liability insurance covered them, but the court confirmed that policy did not have specific clauses to cover the security breach which was estimated $170M. Another highly publicized security breach of Target cost the retailer about $348M but the retailer had only $100M in cyber insurance coverage from multiple underwriters.
AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle
Best guide on Cyber Resilience on the web – Cyber Resilience Best Practices
is part of the AXELOS RESILIA™ portfolio.
RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.
The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.
Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.
Target market
Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.
Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.
It’s a scenario that every small online business fears: site security is compromised, hackers steal customer data including credit-card details, and your brand and your reputation are left in ruins. No wonder then, that many small online businesses are looking to insure against hackers and the resulting financial impact of a security breach. But is insurance really the answer and could it even be part of the problem?
The insurance brokers are, naturally, presenting such insurance as pure common sense. A chap who works in the insurance business used car insurance as a counter argument to my suggestion that surely the best IT security insurance policy was to remain secure in the first place.
“We all appreciate the need for car insurance” he told me. “No matter how careful a driver you may think you are. The simple fact is that you never know when a drunken idiot is going to crash into you”.
The argument being, as with all insurance policies, you are paying a premium to cover you for that worst-case scenario should it ever happen. “When it comes to online security,” Mr Insurance assured me, “the chances of the worst-case scenario becoming a reality are increasing day by day, as criminals develop ever more sophisticated methods of hacking your site. To not insure against the risk of being hacked is bad business, and that’s the bottom line”.
“Unlike driving a car, running a secure web business is pretty much about how safe you are, rather than how unsafe other people are”
exposed information belonging to 146 million people around the world, mostly in the US.
.
to investigate the breach, found that it affected three distinct groups in the following ways:
(GDPR) in May this year, the investigation took place under the 
instead.
,” said information commissioner Elizabeth Denham.
has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.
against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”
