Managing digital risk

What every business should know about cyber insurance


Businesses today are grappling with an increasingly complex cybersecurity environment and a challenging geopolitical landscape that leaves many wondering, “What cyber protection do I need?”

It’s a worthwhile question, as a business’s cyber resilience can be make or break. A cyberattack can be devastating: the average U.S. data breach last year cost $9.36 million, and the average amount demanded in a ransomware attack was $2.5 million. At the same time, cyberattacks are becoming more frequent and more sophisticated. All businesses, big and small, are at risk, though smaller businesses often face more severe consequences.


“The question is, ‘Does my business have the ability to cease all digital operations [and still function]?’ And I don’t know many that can,” says Ryan Wessels, director of cybersecurity at Acuity Insurance.

Cyber resilience requires a two-pronged approach, emphasizing strong cybersecurity measures as well as cyber insurance to protect businesses from the devastation accompanying attacks.


“We try to impress on companies to look at [both] the risk insurance side but also the risk control side. You may feel like your security posture is prudent, but what about the third parties you’re contracting with?” says Alex Moen, central region broking leader – cyber solutions at Aon, a risk management and insurance firm. “As companies continue to leverage third-party providers to conduct their operations, it is no longer just a data privacy liability; it’s about operational cyber exposure.”

The number of businesses recognizing the value of cyber insurance is on the rise.

“We’re definitely seeing an increase year over year of customers signing up for cyber coverage because it’s a matter of when, not if, a [cyber event] will occur,” says Toni Apatira, senior commercial lines consultant at Acuity.

Job number one: prevention

Having specific controls in place from a cyber resilience perspective is job number one, and part of the reason Allan Vogel joined the Aon team about three years ago.


“It’s so important to understand the risk of not having specific controls in place, guiding [clients] on the controls to protect them from a cyber resilience perspective,” says Vogel, cybersecurity consulting leader – cyber broking at Aon. “Today, everyone is susceptible to a threat, and we’re seeing more social engineering. Social engineering can be very sophisticated and very targeted.”

In its Q1 report, Aon noted that clients continue to mature and make key investments to improve controls as they strive to become more resilient against social engineering. Key areas of focus for Aon clients include multifactor authentication (MFA), endpoint detection and response, protecting privileged credentials, cybersecurity and phishing training, and vulnerability management.


“It’s beneficial for an organization to not only look at where its security posture is, but also is the best dollar spent on insurance or on risk control?” Moen says. “Making a company more cyber resilient will ultimately lead to better outcomes on the insurance transactions over time.”

Employees can truly be the weakest link, even with regular training exercises, MFA and complex passwords.


“Threat actors will try every avenue they can to get into an organization, and all they need is for one person to slip up and get them access,” says Brandon Vincent, security manager at KI.

This should be addressed through internal processes and policies that outline employees’ obligations, as well as by investing in endpoint monitoring software to perform penetration testing, says Molly A. Arranz, certified privacy professional, recognized privacy law specialist and chair of Amundsen Davis’s cybersecurity & data privacy service group.


“It’s the people and vendors who can be your weakest link and expose you to significant risk and liability,” she says.

Job number two: cyber insurance

Cyber insurance is a must for businesses of all sizes, regardless of their online presence.

“Fifty-seven percent of our cyber incidents and litigation activity [in Q1] were in mid-sized organizations, which we define as $100 million to $2 billion,” Moen says.

When evaluating cyber insurance coverage, consider these factors:

Work with a trusted broker who specializes in cyber insurance. Aon reviews loss modeling going back to 2013, including data around frequency-related events. The organization has invested significantly in data and analytics and a suite of analyzers, including one for cyber risk, that overlays loss potentials with insurance coverage.

“That way, we can determine if we are getting value from how [the policy] is structured today or [find] a better option,” Moen says.

Expect the cyber insurance conversation to get into a lot of detail, Wessels says.

“It’s like getting any kind of insurance: You have to provide data — but expect the conversation to get technical and ask what are you doing to protect, detect and respond to incidents,” he says. “It’s a different type of conversation from other commercial insurances.”

Being forthright and vulnerable with the broker matters.

“It’s really finding an organization that has stability, a track record of cyber insurance and someone you’re comfortable with,” Wessels says.

Consider policies that address both first-party and third-party losses. First-party coverage pays for the direct losses to the business. These range from forensic investigations, data recovery/replacement, business interruption, crisis management, legal fees and regulatory fines to cyber extortion and ransomware payments (where legal; this varies by state), data breach notification costs, credit monitoring and identity theft repair.

At Aon, first-party coverages include breach event expenses, cyber extortion, digital asset protection, business interruption and dependent business interruption.

Third-party coverage is for claims against your company by others, including network security liability (if a security failure in your systems causes damage to others), privacy liability, regulatory defense and penalties, and media liability. This may come into play when a third party, such as a payroll vendor, is hit with a ransomware attack or other compromise and a bad actor accesses data the vendor is holding on behalf of your company.

“Then, the duty/obligation can bleed into you as a company as it’s your employees’ and contractors’ information,” Arranz says, adding that this is why she emphasizes carefully crafting vendor master service agreements, including whether the vendor names your company as an additional insured on its policy.

“It’s critical to vet those vendors, and frankly, I tell clients to have vendor management protocol in place before you engage vendors and share data with them,” she says.

Moen says that a common misconception his company hears is that businesses don’t need third-party coverage if they’re not a “data-rich company.”

“There is still a large exposure related to operational cyber risk with third-party suppliers and vendors,” he says. “While you may outsource that technology, you likely still have a liability to protect that information and impact.”

Review policies in detail for exclusions, deductibles, limits and policy language. Moen says that each insurer can have very different coverage and language, and while definitions may look similar, the mechanics of coverage may be very different. In addition, sublimits should be reviewed very carefully, Arranz says.

“A $1 million policy may look like it covers any kind of attack, but there may be a sublimit that limits [coverage] to half a million dollars for a ransomware attack, for example, or is limited for a phishing email or social engineering attack,” she says.

For example, her practice sees recurring waves of ACH wire transfer fraud, which cyber insurance doesn’t cover.

“In these instances, if a business partner changes its bank and you don’t jump through hoops to confirm it’s the right account and wire $500,000, only for them to follow up a month later and say they never got the money because threat actors infiltrated the system with conversations and emails, you’re out half a million dollars,” she says.

Arranz says she has also seen coverage differ between a ransomware attack and an extortion-only attack.

“These are two prevalent types of attacks that look similar, but trying to navigate them can be challenging and includes a lot of Googling words in the policy,” she says. “Brokers can help to ease this and help you protect yourself to the highest degree possible.”

As with all insurance, do your research. In Q1, Aon noted increases in both ransomware events and the average payment amount, which have kept the cyber threat landscape challenging. And yet, despite an increase in claims frequency, market conditions for cyber insurance remain buyer friendly.
