- Tags:
- cyber insurance
Cyber insurance: an umbrella for a cloudy IT security climate
Once primarily seen as a technical subject for IT pros, managing cybersecurity risks and the potential financial impacts are now concerns for top business managers. This article explains why CISOs and CFOs should consider cyber insurance an essential component of overall risk management.
In short
- The growing number of damaging cyberattacks and new stringent IT security regulations have changed the IT security climate.
- Cyber insurance is now seen as a financial umbrella providing crucial protection in today’s cloudy IT security environment because it helps mitigate the costs of recovering from theft, damage or loss to electronic data even when strong defensive measures are in place.
- While executives now see cyber insurance as an essential component of business risk management, CISOs, CIOs and CFOs have different priorities and requirements for technical, operational and financial coverage.
In this second part of our series on cyber insurance we focus on the responsibilities of CISOs and CFOs. In Part 1 we took a closer look at the important role IT admins play when organizations seek or renew insurance coverage.
2023: the changing IT security climate
The facts are clear: the number of companies of all sizes falling victim to cyberattacks is increasing significantly worldwide.
- According to CVEdetails.com, the number of vulnerabilities found worldwide rose to 29,065 in 2023 from 25,083 in 2022.
- The IBM 2023 “Cost Of A Data Breach” report found that the average cost of a data breach was $4.45 million or €4.11 million. The World Economic Forum reported that the cost of cybercrime worldwide totaled $11.5 trillion or €10.6 trillion in 2023, and estimated that costs will rise to $23.8 trillion or €22 trillion in 2027.
- Cybersecurity software vendor Malwarebytes reported that the number of known ransomware attacks surged 68% in 2023, and that the average ransom demand climbed precipitously, led by an $80 million demand following an attack on Royal Mail in the UK.
- There were more than 420 million attacks on critical infrastructure in 2023 – more than 13 attacks per second – a 30% increase from 2022, according to Forescout Research.
Operators of critical infrastructure and associated businesses face increased government scrutiny and requirements for cybersecurity and reporting of incidents. In the U.S., the National Institute of Science and Technology (NIST) published the “Guide to Operational Technology(OT) Security” in September 2023 to guide OT operators on improving OT security. That followed passage in 2022 of the Cyber Incident Reporting for Critical Infrastructure Act, which granted rule-making and enforcement authority to the Cybersecurity and Infrastructure Security Agency (CISA) and mandated incident reporting for critical infrastructure providers.
In the EU, the new NIS2 EU directive has tightened requirements for business IT security and holds corporate leaders responsible for ensuring that the company’s cyber defenses meet the latest standards. NIS2 affects companies with more than 50 employees and €10 million in annual revenue in banking, healthcare, energy, transport and many other sectors. The expanded range of businesses affected by the requirements and increased fines for non-compliance prompted the President of the Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) to recommend that companies set aside at least 20 percent of their IT budgets for cyber security measures.
Cyber insurance: a different kind of “umbrella” policy
One way for companies to obtain a reliable rescue package in the event of a cybersecurity incident emergency is to take out cyber insurance. This differs from traditional business liability and professional indemnity insurance which covers claims resulting from product or service errors, malfunctions or limitations. Cyber insurance covers costs incurred as the result of an attack affecting the confidentiality, integrity or availability of electronic data despite the implementation of compliant security practices. Cyber insurance should be considered an integral part of business and IT risk management today.
Accurate reporting to find the right insurance
Most insurers provide cyber insurance questionnaires for companies to complete. The self-disclosure also determines insurance eligibility and how the policy should be
individually structured. It includes questions about security guidelines, risk management, protection of information systems, vulnerability assessments, data backup and employee
training. Business must answer these questions as accurately as possible because insurers will verify if the criteria have been met if a claim is filed.
Ultimately, the more secure a company is the better that insurers can assess specific risks and offer more favorable insurance policies.
Comprehensive unified endpoint management (UEM) software such as the baramundi Management Suite (bMS), can help companies maintain a
current and accurate overview of their systems and security status and document compliance with applicable requirements.
Priorities vary when choosing coverage
The process of applying and qualifying for cyber insurance now involves several company executives and departments. The CISO (Chief Information Security
Officer), for example, prefers cyber insurance that covers specific risks such as data theft, data breaches and business interruption. The scope of coverage and the extent of
incident response services also are priorities.
The CIO (Chief Information Officer) is focused on coverage for damage to the company’s IT infrastructure and data, including protection against malware and physical damage.
That includes the technical details of and coverage requirements for hardware and software.
The CFO (Chief Financial Officer) is interested in coverage for cybersecurity-related losses including business interruptions and liability claims. Cost-benefit analyses
and the potential financial impact of security incidents take precedence.
Protection for a more secure future
One thing is clear: The CFO is not the only one keeping an eye on costs. The costs of cyber insurance is rising, driven in part by an increase in geopolitical conflicts and
state-sponsored and organized cybercrime groups. For example, Microsoft became a victim of a Russian state-sponsored hacker group resulting in exposure of emails of numerous top managers.
Investing in cyber insurance requires thorough preparation and analysis, but in an emergency it can make the difference in the extent of damage and the speed of recovery. Insurance
provides financial protection in the event of a cyberattack by paying compensation and the costs of forensic investigations and business interruptions.
Insurance can also provide access to expertise to help with risk assessment and prevention. CISOs and CFOs must ensure that they strike the right balance between insurance costs and the
cost of providing security measures that meet their requirements. Even if cyber insurance doesn’t replace the need to implement appropriate and compliant IT security measures, it
offers protection against damages from a cyberattack. As new regulations and the changing, often ominous-looking IT security climate make clear, cyber insurance has
become an integral part of modern business and IT risk management.
- Tags:
- cyber insurance
Read more
Digital back pain? How network performance influences your DEX strategy
Between malware and NIS2: improving IT security & compliance
- Tags:
- nis2,
- cybersecurity
Windows 11's new group policies: The benefits for IT admins
- Tags:
- windows11,
- win11