It’s no secret that cyber risks are an increasing concern for all organizations. Business leaders have a lot to contend with from a data security and privacy perspective. Cybercrime is on the rise. In 2020, Canada saw $3.12B in losses(1). Ransomware continues to be a leading source of losses with extortion attacks increasing 158% a year into the pandemic, when so many were working remotely. Impersonation attacks, which were once easy to recognize, have become extremely sophisticated. And human errors might not get as much attention these days but let’s not forget these continue to result in privacy breaches which expose organizations to litigation as well as fines and penalties from regulatory bodies.
As can be expected, cyber insurance has been booming over the last few years. Uptake for cyber insurance has exploded, from only a minority of companies carrying the coverage five years ago to over 60% benefiting from coverage today(3). We believe Cyber Insurance can provide significant benefits, some of which might not be well known. Here are some of the most valuable benefits in our opinion.
1. Prevention and Mitigation Tools
When purchasing Cyber Insurance, you gain access to a wide range of services aimed at improving your security resilience. This includes access to security posture checklists, white papers, loss calculators, and employee awareness training. Potentially even more valuable, a growing number of insurers are providing real-time monitoring of your external facing network, identifying potential vulnerabilities. For example, with the discovery of the open source Apache Log4j vulnerability, policy holders were automatically notified if their network contained related vulnerabilities and how to address them. That’s a huge benefit.
2. Access to a Cyber Response Team
When hit by a cyber crime, such as a ransomware attack, many businesses or staff do not immediately know what steps to take and which external resources to engage. Insurance companies provide 24/7 access to a Breach Coach service. Further resources get deployed as appropriate, including IT forensic experts, legal counsel, and public relations. For businesses who do not have a formal disaster recovery plan, the incident response service provides critical resources and guidance during otherwise debilitating circumstances. As dedicated experts, cyber response teams help navigate complex cyber events, minimizing the impacts on your business and restoring your operations as quickly as possible.
3. Protecting your Balance Sheet
Financial impacts of a cyber incident can escalate quickly. Depending on the nature of the loss, you could incur significant expenses from forensics, data recovery, legal counsel, public relations, notifications, credit monitoring, as well as suffering a loss of revenues. Should the cyber incident lead to litigation against your organization, costs could be debilitating. All these costs can be massive and are thankfully covered under a Cyber Insurance policy.
4. Coverage for Most Loss Scenarios
A Cyber Insurance policy provides extremely comprehensive coverage, protecting your organization against most scenarios, shielding your balance sheet from what could otherwise be debilitating expenses. This includes coverage for ransomware/cyberextortion related expenses as well as social engineering attacks (impersonation fraud including vendor invoice manipulation). Organizations of all sizes and industries are being targeted. Small businesses were particularly hit hard in 2021. The insurer Coalition Inc., who focuses in cyber insurance, reported an average loss of $149,000 for small businesses (under $25 million revenue), a 56% increase from 2020(4).
5. Risk Management Best Practices
Insurance companies have great visibility in evolving threats and the most effective mitigation measures. Equipped with this data, Insurers will recommend or mandate certain risk management measures. Implementing these measures will help secure more favorable insurance terms and, more importantly, will minimize losses, expenses, and downtime for your business. Some of the best practices currently being mandated by insurers include Multi-Factor Authentication (MFA) for email and VPN/remote access, implementing on-going phishing and security training for employees, and adopting a call-back policy to verify third party banking coordinates via a second means of communication.
Final Thoughts
What does this mean for you and your operations? Ultimately, cyber events represent a growing exposure across all industries. Adopting best in class prevention measures and carrying comprehensive cyber insurance should be a priority for all organizations. Also, although most Cyber insurance policies provide very broad coverage, these policies are highly customizable, and we recommend reviewing your policy to understand if your key exposures are adequately addressed. You should pay specific attention to the ransomware and social engineering limits as this is where most claims are landing, and limits vary widely between insurers.
If you need any assistance around Cyber Insurance, either exploring an initial policy or reviewing existing coverage, the team at Risk Balance would be happy to help. You can reach out to Serge Paquette at spaquette@riskbalance.com or Jordan Thompson jthompson@riskbalance.com.
(1) IBM Cost of a Data Breach Report, 2020
(2) SonicWall Cyber Threat Report, 2021.
(3) CIRA 2021 Cyber security survey
(4) Coalition Cyber Claims Report, 2021.