DUBAI, UAE — As the industry grapples with rising cybercrime, insurers are hiking premiums and becoming stricter about whom they cover. However, if organizations don’t meet even the basic security and data protection standards, insurance won’t be of much help. It should merely be one component of a comprehensive digital resilience strategy. Let’s dive deeper into the realm of cyber insurance and what businesses must do to truly ensure peace of mind.
Navigating the Wild West?
Cyber insurance has been at the forefront of cybersecurity discussions in recent times. Sensibly, enterprises are seeking protection against the growing threat of almost certain cyberattacks. A study revealed that 85% of organizations fell victim to ransomware attacks in 2022, a rise from 76% the prior year. Concurrently, the insurance sector is still trying to adapt to a menace it hasn’t fully grasped. Worldwide, cyber insurance rates surged by 28% in Q4 2022, after a 53% spike in the preceding quarter.
With escalating premiums, insurers are becoming more selective about their clientele, raising the baseline protection standards organizations must meet to qualify for coverage. The criteria for incident coverage are also evolving. For instance, a prominent London insurance market recently declared it would no longer cover disruptions stemming from state-sponsored cyber warfare. If this scenario seems reminiscent of the Wild West, it’s perhaps understandable. It’s a nascent, fluctuating industry, and the intricacies of cyber incidents present a unique challenge that both insurers and organizations are still trying to navigate. That said, businesses must be cognizant of this when considering insurance. Filing a claim can be intricate, and as the adage goes – insurers are in the business of denying claims. The claims process can be lengthy and demands substantial evidence, further straining resources in the wake of a cyber incident.
The “Best-Case” Scenario
Even with a successful payout, organizations must recognize that insurance isn’t a panacea for issues like ransomware. While this holds true for any insurance type, money can offset losses but can’t mitigate the broader ramifications of the incident. In the context of a cyberattack, the fallout is distinct and multifaceted. A significant security breach has transpired, and while financial relief is beneficial, it doesn’t single-handedly resolve the crisis.
In the immediate aftermath of an event like ransomware, the daunting task of recovery looms large, often coinciding with potential criminal investigations and insurance claims. For businesses, restoring data, applications, and system functionality is paramount, with every moment potentially costing thousands. Complicating matters, systems usually can’t be restored to their original locations (the attack’s epicenter), because that environment is not only a crime scene under investigation but also one whose security can’t be assured. Drawing a parallel, if your office were to burn down, you couldn’t instantly rebuild on the same spot. Instead, you’d need to secure an alternative workspace for your staff until it’s safe to return to the original location.
Moreover, several lingering effects can persist post-incident. Data integrity tops the list of concerns, making it vital to audit datasets for potential damage. If you’re resorting to older data and system versions for recovery, it’s imperative to update them promptly. Essentially, you must ensure everything remains cohesive and functional. Concurrently, determining the finality of such incidents is challenging, given the elevated risk of malware reinfections or the looming threats of double or even triple extortion.
Of course, this is all under the assumption that the business recovered without meeting the ransomware demands. If an organization does pay the ransom (perhaps believing insurance will cover the costs), then a slew of problems ensue. The most pressing concern is the possibility that data might not be retrievable even after paying the ransom. Even if recovery is “successful” using the provided decryption keys, the process can be painstakingly slow. Another peril for businesses that acquiesce to ransomware demands is the threat of subsequent attacks. Criminal groups often tag those who pay, making them prime targets for future extortion attempts.
What Can Businesses Do?
This isn’t to undermine the value of insurance, but to emphasize that it should be a component of a broader digital resilience strategy. An effective data protection framework incorporates robust security, backup, and recovery measures. This not only diminishes the chances of an attack but, more crucially, equips the business to react and recuperate in the face of a catastrophe. On the security front, begin by routinely testing and patching systems to identify and rectify vulnerabilities. Commit to educating employees throughout the organization about digital best practices and secure remote access. This proactive approach not only enhances your insurability but might even result in reduced premiums. The next step for businesses is to safeguard their data and ensure they can sustain IT operations during a cyber incident.
Enterprises need to pinpoint the data and systems they can’t operate without and ensure these are duplicated and securely stored in case of a ransomware attack. Organizations often presume they have this safeguard, either internally or through their cloud provider (a prevalent misconception), but this is frequently not the reality. In a survey of thousands of business IT leaders, 79% were found to have a “reality gap” between the data and systems that business units believe are protected and the actual situation. It’s also crucial to keep multiple copies of data in different forms, such as off-site, offline, and immutable copies.
Moreover, businesses must implement availability protection and disaster recovery processes to minimize downtime. The same survey revealed an even larger reality gap concerning availability, with four out of five businesses lacking confidence in their IT systems’ resilience to ensure business continuity. Even with a backup available for restoration, IT teams should have a designated environment prepared to recover systems, even if only temporarily. Organizations that structure their IT infrastructure with recovery in mind will rebound more efficiently.
The cyber insurance industry will persistently evolve as the threat landscape expands. This fluidity is to be expected when the risk being insured is so elusive and constantly changing. While insurance can assist organizations in recovering after a disaster, it’s merely a piece of the larger picture. As the criteria for insurability rise, enterprises shouldn’t merely strive to meet the minimum standard but should aim to exceed it with a comprehensive approach to data protection.
Dave Russell is Vice President of Enterprise Strategy at Veeam.
The opinions expressed are those of the author and may not reflect the editorial policy or an official position held by TRENDS.