Over the past twenty years, data has become the new gold, providing valuable insights across IT infrastructure, AI and automation, and support functions. At the same time, cyber risks have grown in volume and evolved from simple trojans and malware to ransomware, commodity malware and the pre-ransomware activity that precedes an encryption event.
Organizations constantly face the risk of data theft, data leakage, compromised data and ransomware. Ransomware groups do not only lock stakeholders out of their data by shutting down systems; they disrupt business continuity as well, which can bring down even the most resilient and secure companies. In 2021, cyber-attacks brought down one in five European and American organizations, bankrupting them through ransomware.
Cyber insurance has emerged as one response to this risk. However, it comes with its own set of challenges.
Chinks in the insurance armor
Cyber insurers need a complete understanding of the applicant's business challenges, current and future risks, IT infrastructure and how it maps to the business, and market specifics. Armed with this information, they can arrive at a premium that does not seem overpriced to applicant organizations.
However, insurers are still unsure how to quantify these premiums and decide on coverage, primarily for the following reasons:
- Lack of history: Cyber insurance is a relatively new domain, and the lack of historical data does not allow a reliable statistical model to be built. Meanwhile, attackers use tooling, automation and organized teams to run their campaigns, and exploitation of a newly disclosed vulnerability can begin within hours of publication, letting attackers reach a large number of potential victims before patches are applied.
- Evolution of the threat: Attackers refine their tactics to extract more value from each attack. These have evolved from basic ransomware that encrypts files and demands a payment to restore them, to return-on-investment-driven tactics with stealthy activity that compromises even the backup infrastructure. In addition, data is exfiltrated to serve as additional leverage for extortion or to be reused in further attacks such as social engineering.
- Lack of common baselines: It is difficult to define what a good level of control is. While larger corporations can implement state-of-the-art controls such as multi-factor authentication (MFA), endpoint detection and response (EDR), 24/7 security operations centers (SOC) and incident response teams, it remains difficult to define a fair level of control for mid-size companies.
Cyber insurance and its impact on your security operations
Several insurance companies have therefore strengthened their cyber risk assessment process. For instance, one company expanded its questionnaire from 4 to 24 pages, a sign that cyber insurers are far more meticulous in evaluating an applicant's initial security posture than they have ever been.
All security aspects are thoroughly assessed before a company is insured, with a focus on the key drivers of cyber-attacks. Here are some of the drivers that companies are expected to pay particular attention to:
- Employee awareness, including phishing simulations: In Q2 2022, phishing and application exploitation were the preferred attack vectors, and they grow more sophisticated every year. One example is vishing (voice-call phishing), where attackers impersonate security companies.
- Active Directory setup and protection, as this is a key target used to spread across the organization. It should be managed by a limited number of administrators, from dedicated workstations, under tight monitoring.
- Service accounts, which are often less monitored than regular user accounts.
- Systematic enforcement of two-factor authentication as a countermeasure to credential leaks.
- Deployment of an EDR solution to enable detection of suspicious activity on endpoints.
- Prompt remediation of vulnerabilities, in particular on VPN gateways; patching is expected to be performed within one week of publication.
- Security of (remote) backups, including safeguarding of the encryption keys.
- Email security with enforcement of protection mechanisms such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
- A Security Operations Center with 24/7 capabilities.
- Crisis simulations, including cyber incident scenarios, to limit the impact of an attack.
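For the email-security item above, here is an added example (not part of the original article) of the check a questionnaire reviewer actually wants: it evaluates a domain's SPF and DMARC TXT records and distinguishes a policy that is merely published from one that is enforced. The domain names and DNS records are constructed sample data embedded inline so the script runs offline; a live assessment would fetch the records with a resolver such as dnspython's `dns.resolver.resolve(name, "TXT")` instead of the `lookup_txt` stand-in.

```python
import re

# Constructed sample TXT records for three hypothetical domains (not real DNS data).
SAMPLE_DNS = {
    "example-strict.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mail.test -all"],
    "_dmarc.example-strict.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-strict.test"],
    "example-soft.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example-soft.test": ["v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example-soft.test"],
    "example-none.test": ["google-site-verification=abc123"],
}

SPF_QUALIFIERS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}
# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query: returns the constructed records for `name`.
    Replace with dns.resolver.resolve(name, "TXT") for a live check."""
    return SAMPLE_DNS.get(name, [])


def assess_spf(records):
    """Enforced only when exactly one SPF record exists, its catch-all is '-all'
    and it stays within the 10-lookup limit. Anything else either lets spoofed
    mail through (softfail/neutral/pass) or breaks evaluation with a permerror."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"enforced": False, "finding": "no SPF record"}
    if len(spf) > 1:
        return {"enforced": False, "finding": "multiple SPF records (permerror)"}
    lookups = 0
    all_term = None
    for term in spf[0].split()[1:]:
        m = re.match(r"[+\-~?]?([a-z]+)", term.lower())
        if m and m.group(1) in DNS_LOOKUP_TERMS:
            lookups += 1
        if term.lstrip("+-~?").lower() == "all":
            all_term = term
    if lookups > 10:
        return {"enforced": False, "finding": f"{lookups} DNS lookups exceed the limit of 10 (permerror)"}
    if all_term is None:
        return {"enforced": False, "finding": "no 'all' mechanism; unlisted senders evaluate as neutral"}
    verdict = SPF_QUALIFIERS.get(all_term[0], "pass")  # bare 'all' means '+all'
    if verdict != "fail":
        return {"enforced": False, "finding": f"catch-all is '{all_term}' ({verdict}); spoofed mail is not rejected"}
    return {"enforced": True, "finding": f"'-all' present with {lookups} DNS lookups"}


def assess_dmarc(records):
    """Enforced only when p= is quarantine or reject and applies to 100% of
    failing mail. p=none is monitoring only, and pct<100 samples failures."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"enforced": False, "finding": "no DMARC record"}
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if policy not in ("quarantine", "reject"):
        return {"enforced": False, "finding": f"p={policy} only monitors; spoofed mail is still delivered"}
    if pct < 100:
        return {"enforced": False, "finding": f"p={policy} applied to only {pct}% of failing mail"}
    if "rua" not in tags:
        return {"enforced": True, "finding": f"p={policy}, but no rua= address so failures go unreported"}
    return {"enforced": True, "finding": f"p={policy} at pct={pct} with aggregate reporting"}


def assess_domain(domain):
    """Answer the questionnaire item 'are SPF and DMARC enforced?' for one domain."""
    spf = assess_spf(lookup_txt(domain))
    dmarc = assess_dmarc(lookup_txt(f"_dmarc.{domain}"))
    return {"domain": domain, "spf": spf, "dmarc": dmarc,
            "compliant": spf["enforced"] and dmarc["enforced"]}


if __name__ == "__main__":
    for domain in ("example-strict.test", "example-soft.test", "example-none.test"):
        result = assess_domain(domain)
        print(f"{domain}: compliant={result['compliant']}")
        print(f"  SPF:   {result['spf']['finding']}")
        print(f"  DMARC: {result['dmarc']['finding']}")
```

The distinction the script draws is the one that matters in an assessment: a domain with `~all` and `p=none` has "deployed" SPF and DMARC on paper, yet a spoofed invoice email from that domain is still delivered. Only `-all` plus `p=quarantine` or `p=reject` at `pct=100` actually blocks it.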
Once assessed and insured, the coverage usually includes reimbursement of the following costs:
- Costs of restoring data
- Loss of revenue due to failed IT systems
- Notification costs in the event of a data breach
- Claims for damages from customers
- Costs of mitigating reputational damage.
Leveraging lessons from France and Germany
In the last few years, cyber insurance has seen an uptick in France and Germany. Using these examples, we would like to showcase key learnings for your reference:
France: A growing market with government interventionism
Following a report by the French Treasury's General Directorate on the cyber insurance market, the Minister of the Economy and Budget proposed a draft law on September 7, 2022, under which French organizations could receive compensation (including reimbursement of a ransom payment) in the event of a ransomware attack, on condition that a complaint is filed with the authorities.
This draft law strongly revived the debate on ransom payments. The area is currently blurred: the guideline from the French authorities and the French National Information Systems Security Agency (ANSSI) is to refrain from paying. The effectiveness of paying is itself uncertain, since attackers may not provide a way to recover the encrypted data and may still use or leak the stolen data later.
Additionally, some professionals fear that allowing ransom reimbursement may make French organizations more attractive targets, as attackers gain more certainty that the ransom will be paid. It may also dilute the importance of organizational security and vigilance, since the negative consequences would be reimbursed by insurance anyway.
Germany: A mature self-regulated market
In Germany, on the other hand, it is the market that regulates the practice of refunding costs in the event of cyber extortion.
The extent of cover depends on the provider. Basic policies usually cover both own damage and third-party damage. Own damage is the financial loss incurred by the insured company itself; third-party liability covers, for example, claims from business partners whose deliveries are delayed because of the attack.
In addition, most insurers offer cover for cyber extortion and cybercrime as an extension to the basic package. Finally, the costs of crisis management and PR measures to control and counter damage to brand reputation caused by a cyber-attack may also be included.
The expenses of the aftermath may also be covered. Insurers can even offer to pay for external computer forensic analysts to investigate the incident and identify the perpetrator.
As stated earlier, cyber insurers issue coverage of an organization based on an initial report. It enables them to check that the applicant meets all the prerequisites and takes appropriate measures to protect itself from cyber-attacks. The assessment is based on the security criteria tested by cysmo®, which follow technical recommendations and industry standards such as those of the BSI (the German Federal Office for Information Security) or the VdS. In Germany, however, the assessment does not contain any organizational elements.
Another common prerequisite is that customers must provide yearly cyber security awareness training for their employees. This is worth noting, as many German insurers also reimburse preventive measures taken to protect systems against attacks.
Cyber insurance: A safety net for the future
Overall, even though cyber insurance still faces many challenges and uncertainties, ongoing discussions with leading insurers indicate that the market is maturing quickly and starting to normalize. Cyber insurance is gaining momentum accordingly, which reassures us that it is a viable safety net in the face of ever-growing cyber threats.