At its root, cybercrime is a business like any other. Although legitimate business leaders and cybercriminals sit in opposite corners of the ring, comparisons can be made between the two groups when it comes to strategies for making money – identify opportunities, innovate solutions for your target market, and, where possible, capitalize on easy wins to make money fast.
This approach has not changed since the early days of cybercrime, when simple data theft for personal gain was the prerogative. However, as the internet has developed and our physical world converges further with the digital, methods of cybercrime have grown increasingly sophisticated. And so too have the stakes for businesses; the value of intangible assets – like the data we hold and use to conduct business day-to-day – is now outstripping the value of tangible assets – like physical property – on corporate balance sheets.
As the nature of crime changes, so too must insurance policies and attitudes towards them. When it comes to physical property, for example, few businesses would go without property insurance just because they have locks on their doors and alarm systems in place. The same principle should be carried through to the data a business holds. Adhering to best-practice IT security does not mean that cyber insurance has no important role to play in managing that risk and in helping respond to incidents when the worst happens.
An Ever-Evolving Market
Although the cyber insurance market is still in its infancy – particularly when compared to other insurance sectors – the market has evolved, and grown, dramatically in recent years, scaling with the changing, demanding needs of clients as cyber-attacks become more sophisticated. As it stands, CFC is the largest independent MGA in the UK and has been providing innovative insurance products for emerging areas of risk, with its roots planted in the first wave of the dotcoms, since the late 1990s. Being one of the early pioneers of cyber insurance, CFC now insures over 25,000 companies against cyber risk. CFC aims to be the most highly regarded specialist insurance provider in the world; combining cutting edge technology with data analytics has proven to be an award-winning formula.
The biggest concern is ransomware, a digital version of kidnapping, where data is the target rather than a person. The majority of ransomware attacks take one of two forms. The first is a widespread, scattergun approach which hopes to build up the coffers with lots of small ransom payments, and the two major outbreaks of 2017 were this type – WannaCry and NotPetya. Don’t let the small ransom demands diminish the seriousness of these kinds of events, however. NotPetya had a catastrophic impact on a number of businesses; one client ended up with a £5m loss made up of the costs of replacing hardware, reimaging software, weeks of decreased business production, and lost revenue.
Whilst these attacks are on the rise, both in terms of frequency and severity, cyber criminals are also increasingly pursuing businesses that possess high-worth or business critical data in targeted extortion attacks. This personalised form of ransomware is something we’ve been seeing increasingly over the last 12 to 18 months. As you might expect, ransom demands of this nature are higher, running closer to £10-20k on average (we frequently see them exceed £40k) and just like more standard ransomware attacks, they too can cripple businesses financially through brand and reputation damage, system disruption, and business interruption.
The Body Blows
In addition to ransomware, data breaches are still a major concern for businesses, particularly amongst industries such as healthcare, financial services and digital commerce. Although data breaches are a more “established” risk in this space, with insurers being better able to quantify the impact and guide companies through the process of responding to an incident of this type more easily, they still accounted for nearly a third of claims last year. The recent attacks at Yahoo and Equifax show that there is no room for complacency.
Last on our list of top concerns is fund transfer fraud. Accounting for 32 per cent of our claims last year, this attack centres on duping employees or individuals into performing wire transfers to people and organisations they believe to be making legitimate requests. It’s not ‘amateur hour’ anymore, with mass phishing emails offering to gift the recipient £10m in exchange for personal bank details. For example, cybercriminals impersonate senior business executives in an attempt to coax finance departments into making transfers for a vendor. The criminals remain one step ahead, and are strategic in targeting junior employees and companies where they know that financial transactions are made regularly.
Breach costs are constantly rising – in order to quantify damage from a cyber-attack many organisations will have a loss estimation methodology in place to try and understand risk before a breach occurs. However, there is limited data on the true cost of a cyber-attack as it varies so wildly between each case. Additionally, the cyber risk landscape is changing rapidly and cyber-weaponry is progressing at such a rate that soon these models will be obsolete for understanding risk. When quantifying damage, every claim needs to be reviewed and assessed on an individual basis, through a comprehensive process with security and insurance experts, to truly understand how the business has been affected, alongside the cost associated.
Keep your Guard Up
Regardless of how stringent a company’s countermeasures against cyber-attacks, they are never a sure thing. Although cyber insurance has become much more established over the years as another tool in the protective toolkit, many CISOs still feel sceptical towards it, or wrongly worry that having cyber insurance in place implies that networks are not being secured properly.
Currently, adoption of cyber-insurance is higher amongst large companies, partly because they feel they have more to lose if a cyber-attack takes place and are also more likely to be educated on large-scale risk than smaller start-ups. However, whether a business is just starting out or is a large corporation, there are many ways in which it can protect itself, and there are steps that can be taken to help lower its cyber-security insurance premium.
When putting together an insurance policy, CFC looks at the security measures an organisation already has in place; taking a proactive and pragmatic approach to mitigating cyber risks could work in your favour, reducing costs and resulting in a more cost-effective insurance package. No matter the size of the organisation, all companies should have a full threat prevention strategy in place, with proof that they are actively trying to protect data, whether that be through a dedicated incident response policy or with back-up systems in place.
However, the amount of data we consume each day is increasing and the human factor is one of the largest risks to security; it is therefore imperative that the whole workforce is risk aware and that employee training is deployed by HR. If employees understand the risk of sending personal emails, or opening attachments from unsecure sources, they will be more likely to adhere to policies in place. Insurers need proof that cyber-security is a priority for the whole company, not just the C-level executives.
A New Contender – Tailored to Business Needs
The steep uptake in cybercrime has given rise to a new breed of specialist firms offering more than just a policy for indemnity. The modern breed of cyber insurance provider has taken on skilled IT and cyber security professionals to offer a range of risk management solutions and incident response services that all companies – whether large or small – can benefit from.
In an increasingly connected world, businesses need to understand that the threat of cyberattacks is very real. The swings will keep on coming in various strengths and combinations, but so long as the corporate guard remains up, the fight will go on. In the event of a major hit, the insurance industry has a vital role to play, serving as a lifeline to get a business back on its feet by avoiding a total knockout.
This article is from the CBROnline archive: some formatting and images may not be present.