Introduction:
The pandemic-induced work-from-home culture has opened the door to increased cybersecurity breaches. Although most businesses, especially those operating in regulated industries, have a prevention and response plan in place, they remain susceptible to breaches. Cyber liability insurance is one of the best investments a business can make in its multi-pronged strategy to protect itself if a cybersecurity breach occurs. Unfortunately, increased cyberattacks have triggered significant cybersecurity insurance rate hikes and decreased availability of coverage. The recent growth in cyberattacks has forced insurers to become highly proactive in limiting coverage and in understanding their aggregate cyber risk exposures. Moreover, as businesses scramble to maintain profit margins in the face of these enhanced costs, the opportunities for breaches continue to expand, perpetuating what seems to be a vicious cycle with no end in sight.
Where are breaches coming from?
In March 2020, the international workforce went remote. The FBI reports that online scams increased 400% in 2020.
Cybersecurity measures were not designed for remote work arrangements. This leaves gaps that criminals can exploit.
Zoom rooms were hacked, personal Wi-Fi networks were compromised, and employee stress caused poor responses to phishing. For businesses, risks are coming from:
- Increased employee stress, which results in sidestepping protocol for convenience or to save time.
- Less supervision and fewer technical controls for employees working from home, who may unknowingly be dragged into criminal activity.
- Hacking is a household name, and newbies on the block are testing out their skills on small to medium-sized businesses that don't have cybersecurity protections in place.
The stats are in! 10% of attacks are motivated by espionage, while 86% are financially motivated.
Can breaches be avoided?
As remote work has become the norm, the use of multi-factor authentication (MFA) has increased. However, even MFA is not a fail-safe approach to protecting data, as there are countless ways to bypass it. If the MFA code is 4 to 6 digits long, it is susceptible to a brute force attack. Social engineering has also been shown to be effective (for example, phishing that gets the user to enter the MFA code on the wrong screen), as have session management weaknesses in which attackers use the password reset function, since MFA is not triggered once the password has been changed.
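The brute-force point above, seen from the defender's side, as an added example that is not part of the original article: a verifier that caps wrong guesses per issued code, and the resulting odds that blind guessing succeeds. The names `OtpChallenge` and `guess_success_probability`, the five-attempt cap and the 300-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from fractions import Fraction


def guess_success_probability(digits: int, attempts: int) -> Fraction:
    """Chance that `attempts` distinct blind guesses hit one uniformly random code."""
    space = 10 ** digits
    return Fraction(min(attempts, space), space)


class OtpChallenge:
    """One issued code; dead after expiry, after success, or after too many wrong guesses."""

    def __init__(self, digits=6, max_attempts=5, ttl_seconds=300, now=time.monotonic):
        self._now = now
        # Zero-padded code drawn from a CSPRNG (illustrative parameters, see lead-in)
        self._code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self._expires = now() + ttl_seconds
        self._remaining = max_attempts
        self._spent = False

    def verify(self, submitted: str) -> bool:
        # Once spent, expired or out of attempts, nothing is accepted,
        # not even the correct code: the user must start a new challenge.
        if self._spent or self._remaining <= 0 or self._now() >= self._expires:
            return False
        self._remaining -= 1
        # Constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(submitted.encode(), self._code.encode()):
            self._spent = True  # single use
            return True
        return False


if __name__ == "__main__":
    for digits in (4, 6):
        no_cap = guess_success_probability(digits, 10 ** digits)
        capped = guess_success_probability(digits, 5)
        print(f"{digits} digits: no attempt cap -> {float(no_cap):.0%}, "
              f"5-attempt cap -> {float(capped):.4%}")
```

The cap only holds if issuing a fresh code is itself rate-limited per account; otherwise every new challenge hands back a full guess budget.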
What is the cost of Cybersecurity?
It is cheaper to prevent a cyberattack than it is to repair the damage. It is estimated that businesses spend 10.9 percent of their IT budget on cybersecurity and 0.48% of their overall budget. According to Deloitte, this investment is to protect businesses from the $4.2 billion that was lost in 2020 from cybercrime.[1]
Even a business heavily invested in assuring cybersecurity and protected by appropriate insurance coverage is not “attack-proof.” Human error remains an inevitable liability and contributes to 95% of all cybersecurity breaches.[2]
Financial loss, liability for breaches of privacy, and decreased customer trust from even a single attack can cripple a business. Cyber liability insurance can both reimburse for these losses and allow a business to quickly mobilize remediation techniques to close gaps and mitigate losses associated with a breach. Additionally, businesses need to seek advice from qualified insurance professionals on the nature of the coverage and an evaluation of risk exposure to ensure the coverage purchased provides the appropriate level of protection. This analysis requires an understanding of the industry in which the business operates and of the scope of coverages available in the marketplace, as well as their limitations. For example, general liability insurance likely does not cover cyber-related damages due to policy exclusions, which have become commonplace. Further, legal malpractice insurance policies likely will exclude liability incurred due to cyber breaches.
The right Cyber Insurance program should provide:
- Data restoration
- Loss of income
- Extortion
- Notification costs
- Crisis management
- Sub-limits for responses to and defense in regulatory investigations
Cyber liability insurance: A Changing Marketplace
The pandemic has contributed to a hard market with significant premium escalation. As noted above, the pandemic has resulted in an increasing number of cyberattacks, with a resulting impact on underwriting and increased accumulated risk exposure. As the risk of attack increases, so too do the prices and limitations of cyber liability insurance. For example, AIG has tightened its cyber liability insurance terms due to the uptick in breaches and has increased its rates by 40%. “We continue to carefully reduce cyber limits and are obtaining tighter terms and conditions to address increasing cyber loss trends, the rising threat associated with ransomware, and the systemic nature of cyber risk generally,” said CEO Peter Zaffino.[3]
How can a business contain the expense of insurance? The cost of insurance depends on the risk. If your company has implemented both prevention and response strategies, then insurance costs will be lower, and higher policy limits may be offered. For small and medium-size businesses, comprehensive coverage is easier to obtain. Insurance can be acquired for large, multinational corporations but must be part of a larger cybersecurity strategy.
Underwriters are interested in what mechanisms are in place to prevent cyber breaches and how quickly remediation can be employed to contain the losses. As the frequency of attacks exponentially increases, insurance underwriters and company risk managers have changed their analyses by including an impact-based cyber risk modeling framework that accounts for the financial quantification of the potential damage caused by an attack. These models will also take into consideration the new vulnerabilities associated with remote work and video conferencing, and the increased risk associated with the virtual private networks and Remote Desktop Protocol used to keep businesses connected.
Many insurers focus on whether insureds or prospects have ransomware installed, but remote work arrangements have created other vulnerabilities which together could create claims higher than any single ransomware attack. Video conferencing can allow an uninvited guest access to sensitive information which could then be made public. Further, while the COVID-19 pandemic may be nearing its end, it has demonstrated to many businesses in the US and abroad that video conferencing can be a valuable business tool. Hence it is likely here to stay, as is remote work and, with it, decreased cybersecurity.[4]
The question is not if, but when a business will be attacked. No single strategy will save a business from an attack. A cybersecurity plan involves prevention, response, and a hardy cyber liability insurance policy tailored to your business.
[1] See “How Digitization and the Covid-19 Pandemic are Accelerating Cybersecurity Needs at Many Large Financial Institutions” by J. Bernard and M. Nicholson, Deloitte Insights, July 24, 2020 available at https://www2.deloitte.com/us/en/insights/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html
[2] See “IBM X-Force Threat Intelligence Index” IBM Security, February 2021, available at https://www.ibm.com/security/data-breach/threat-intelligence
[3] “AIG Is Reducing Cyber Insurance limits as cost of coverage soars” Reuters Staff, Reuters, August 6, 2021 available at https://www.reuters.com/article/aig-results-cyber-idCNL1N2PD1AJ
[4] “The WFH Impact on the Cyber Insurance Market” Yakir Golan, NJPropertyCasualty360, July 22, 2021 available at https://www.propertycasualty360.com/2021/07/22/the-wfh-impact-on-the-cyber-insurance-market/?slreturn=20210925163656