Death, Taxes, and Cyberattacks
“In this world, nothing is certain except death and taxes,” said Benjamin Franklin in 1789. To bring us into the 21st Century, just add cyberattacks. Because, when it comes to cyberthreats, no industry or company is immune.
When attack is virtually inevitable and resulting costs can run high, how can insurers offer a viable cyber insurance product that is affordable to all sizes of business?
The Real Cybersecurity Threat Landscape
In the BlackBerry 2022 Threat Report, our research noted that small and mid-sized businesses (SMBs) are currently experiencing 11 to 13 attacks per day, per device. Meanwhile, the increase in connected endpoints, working from home, and continued digital transformation of businesses makes the threat surface broader and more complex by the day.
The most widely publicized cyber events of late involved sophisticated ransomware attacks on critical infrastructure and technology companies. The ransomware threat group REvil attacked Acer, JBS Foods, and others, while DarkSide crippled Colonial Pipeline, and Avaddon infiltrated AXA. Governments responded to the attacks, with G7 countries and NATO allies putting cybersecurity at the top of the public policy agenda.
But what of the smaller businesses comprising 99% of the economy? These companies are facing a relentless barrage of attacks using a range of less sophisticated, but no less effective tools including phishing, denial of service, data theft, and malware. Emerging cybercriminal tactics such as “ransomware-as-a-service” (RaaS) mean smaller, even niche, organizations are viable targets with a low-cost, scattergun approach.
Weighing Risk Versus Cost of Insurance
The impact of a cyberattack can be devastating. One day it’s business as usual; the next, the organization can’t process card payments, restock shelves, or perform even the simplest of automated tasks. Customers, partners, and suppliers could all be victims in the chaos that follows.
Many industries today are highly connected both internally and amongst suppliers, and an attack just needs a poorly protected endpoint, smartphone app, point of sale (POS) system, or digital connection somewhere along the supply chain. The IoT-enabled warehouse, supply chain software, or even the electric delivery van are all possible entry points of entry. It’s a cybercriminal’s playground and a lack of security comes at a price.
Most companies – regardless of size and sector – are not prepared for cyberattack, even though the aftermath of costs can run high in terms of remediation, loss of business, and impact on reputation. SMBs are typically worst affected with many not able to recover from a serious attack and ultimately having to close their doors.
Yet, in the U.K. 29% of SMBs cancelled their cyber insurance cover in 2021 citing the rising cost of insurance premiums. When weighing up the risk versus cost of cover, almost a third of businesses opted to take the risk.
Pricing Businesses – and Insurers – Out of Cybersecurity Protection
The risk of cyberattack is increasing and the cost of remediation is rising, creating an untenable market for cyber insurance provision. Insurers are tightening their underwriting standards and exclusions, while raising premiums to cover escalating risk and potential remediation costs.
Furthermore, public pushback against paying ransomware so as not to incentivize the activity is mounting, putting pressure on insurers to consider their provisions for cover.
Commenting on the European insurance sector in 2022, analyst firm Forrester predicted that at least one major insurance provider would exit the cyber insurance market altogether. In fact, last year, AXA France – France’s largest general insurer – announced that it would no longer cover the cost of ransomware payments.
The result is a gap in the market for affordable insurance for the very real cyber risks facing businesses today.
Prevention is Better than Cure
Creating a more sustainable future for cyber insurance means balancing the perceived risk to businesses with the premiums that are being charged, and the actual marketplace cyber risk with the exposure that insurance companies are willing to accept.
Adopting a prevention-first approach to cybersecurity across industries and businesses paves the way for this balance to be achieved. Businesses can no longer apply an outdated detection and response approach to cybersecurity, which relies heavily on detection of known threats. This still exposes businesses – and insurers – to all the chaos that data hacks, malware programs, and ransomware can reap. Instead, a prevention first approach stops threat actors at the door using artificial intelligence (AI) powered machine learning models to determine a threat before it’s run, and before it’s known.
For companies with limited in-house IT resources – particularly vulnerable SMEs – managed services support can also help by adding security specialist resources on a monthly subscription plan. Coupled with the prevention first approach, managed services support can augment a company’s ability to detect, monitor, respond to and prevent security breaches to maximize operational uptime and reduce risk of exposure to attack.
Preventing breaches before they happen would pave the way for a dampening effect on the rise of premiums for cybersecurity insurance more effectively and over the long term. The result would be a more affordable product for a greater pool of companies that choose to cover their cyber risk, and a more attractive, sustainable market for insurers.
Read the full article in Insurance Edge Magazine.