When you buy car insurance, you do so on the promise that you will demonstrate good behavior. You would not expect your car insurer to pay out if you broke the speed limit, never had your brakes or tyres checked, or left your pride and joy unlocked overnight. There is a mutual pact between you and your insurer. You take responsibility for your car’s safety and your own actions, and they pay out when bad things happen that you could not have foreseen, prevented, or mitigated against.
The same principle applies with cyber insurance. As an organization, you are 100% responsible for your own cybersecurity, and the insurance providers are there in the event of the unthinkable and unpreventable. For some businesses, especially small and medium-sized, having cyber insurance could mean the difference between staying open and going bust. That is reflected in the market’s growth, with Munich Re estimating cyber premiums will reach a value of $22bn by 2025.
However, as the volume of cyberattacks increases, insurance cover is now harder to get. That is because the financial losses from a breach have become disproportionate to the premiums that insurers charge. According to the 2022 Cost of a Data Breach Report by IBM and Ponemon, a data breach costs an average of $4.35 million, an increase of over 12% in just two years. The average ransom paid in a ransomware attack is $812,360, and the average total cost of recovery is $1.4 million.
According to Check Point Software’s Threat Intelligence Report, India suffered an average of 1,783 attacks per organisation in the third quarter of 2022. Several insurance organisations in India have already witnessed a marked increase in the number of corporate cyber policies in the last few years, especially in commercial cyber insurance and corporate cyber liability, which, among other factors, could be attributed to the ever-increasing number of cyberattacks on organisations. Policybazaar.com, an online insurance platform in India, has highlighted that since cyber security insurance was introduced as a standalone product in India in 2014, it has continued to grow, with organisations expected to spend up to $3 billion in 2022.
In response to these increased cyberattacks, insurers have started to raise premiums to cover the growing and sizable claim payments for ransomware attacks and business interruptions. The rise in attacks has also led cyber insurers to become more cautious when examining a company’s internal security controls and risk procedures, as well as the risks represented by the third parties with whom it works and contracts. These premium increases, combined with cyber insurance limits being reduced to US$1 to 3 million even at renewal, are forcing businesses to take on a more significant role in managing their own cyber risk.
Navigating the Harsh Insurance Market
To offset pay-outs, some insurers have taken steps to exclude certain costs. For example, Lloyds of London no longer includes nation-state attacks in its cyber insurance policies because it “exposes the market to systemic risks that syndicates could struggle to manage”. Meanwhile, in Australia, insurance giant Chubb won its case against automotive services firm Inchcape, which was trying to claim for costs incurred in the clean-up and recovery from a ransomware attack. The court deemed it to be an indirect financial loss, and therefore not covered by the policy.
You may wonder then what your cyber insurance actually covers. Would you get compensation for losses as the result of an employee clicking on a phishing email? Would your provider honor a payout if you voluntarily pay a ransomware demand? This issue could become problematic when you consider that the Australian government is thinking about making it illegal to pay ransoms to cyber hackers.
Traditionally, a cyber insurance policy would mostly cover the Incident Response (IR), forensic investigation and recovery costs. Most businesses are happy to insure on this basis, as the cost of that investigation could adversely impact cash flow. However, many have not considered the wider financial impact, such as loss of market share and the effect that has on share price. It is for this reason that organizations should consider having retained IR teams who can manage the cash flow issue while the company directs the investigation to cover the risks that are most impactful to it. These could be regulatory and legal risk, regaining the confidence of investors and the market, preparing evidence for use in an insurance claim, third-party litigation, or the defense of claims in litigation.
When a cyber insurance company covers the investigation and recovery following an attack, they may bring in their approved legal and IR teams, who are specifically there to determine if any of the risks can be covered, and the cost of that. They are not seeking to perform the IR in a way that encompasses all the potential business risks mentioned above.
There are also increased penalties for data breaches, which may make some organizations look immediately to cyber insurance to try to help cover those costs. However, it is unlikely that any underwriters would include these fines. This will be in the realm of legal counsel and law firms, which means the IR and investigation will need to be prompt and accurate, and the findings defensible in a legal hearing.
Avoid a Claim with Preventative Cybersecurity Measures
The details of what is and is not covered by a policy will largely depend on the insurance provider, but across the board you should expect underwriters to take a thorough look into your security practices. They need confirmation that you have implemented preventative measures to mitigate risk and stop an attack from happening in the first place. They will check everything from email security, multi-factor authentication status and backup procedures to endpoints, encryption, firewalls, and user awareness.
However, as the number of cyberattacks increases, businesses need to augment their stable of defense options rather than relying on cyber insurance alone to survive these incidents. More proactive processes, such as pre-emptive IR measures, preparation for such attacks with tabletop exercises and compromise assessments, and implementing a formalised and well-practiced Incident Response Plan, can help organizations prepare for, or even respond to, incidents before they become a loss that may or may not be covered by cyber insurance.
In reality, the best insurance you have is to be more proactive in putting the tools, processes, and skills in place to do everything you can to avoid a breach, such as implementing proper MDR/MPR (Managed Detection Response/Managed Prevention Response) solutions. Ultimately, prevention will be the most effective way to demonstrate how seriously you take your responsibility when it comes to warding off cyberattacks.
Cyber Insurance and Cyber Security Working in Harmony
Check Point can help you optimize your security investment with products that enhance cybersecurity resilience and meet the strict requirements set out by insurance underwriters.
Our portfolio includes:
- Quantum Network Security: Check Point Quantum Next Generation Firewall Security Gateways™ combine SandBlast threat prevention, hyper-scale networking, a unified management platform, remote access VPN and IoT security to protect you against the most sophisticated cyberattacks.
- CloudGuard for Cloud Native Security: From code to cloud, Check Point CloudGuard offers unified cloud native security across your applications, workloads, and network, giving you the confidence to automate security, prevent threats, and manage posture at cloud speed and scale.
- Harmony Email & Collaboration: Harmony Email & Collaboration deploys as the last line of defense before the inbox and secures inbound, outbound, and internal emails from phishing attacks that evade platform-provided security.
- Check Point Harmony for Remote Users: Check Point Harmony is the industry’s first unified security solution for users’ devices and access. It protects devices and internet connections from the most sophisticated attacks while ensuring zero-trust access to corporate applications.
- Unified Management and Security Operations with Horizon: Horizon offers XDR, MDR, and events management solutions for complete coverage of networks, endpoints, cloud, email and IoT, from one pane of glass.
To reduce your premiums, or even to be eligible for a policy in the first place, you must demonstrate that you have cybersecurity controls, policies, and procedures in place that reduce the probability and impact of a potential cyberattack, especially through a prevention-first approach to cybersecurity.