How shifts in cyber insurance are affecting the security landscape
The rising cost of cyberattacks, including downtime, investigations, lawsuits, ransoms, and more are prompting cyber insurers to re-examine underwriting and encourage greater cyber resiliency in their customer bases. With the influx of cyber-insurance claims stemming from the CrowdStrike IT outage and the exorbitant price of recovering from data breaches — $4.88 million, on average, according to IBM — the cyber-insurance industry will continue to self-correct and evolve to fit market needs while maintaining profitability.
Insurers will come away from July’s widespread IT outage relatively unscathed, as the outages were caused by a vendor error, not a cyberattack, and because it was fixed fairly quickly. Still, insurer Parametrix estimates insured losses from US Fortune 500 companies will total $540 million to $1.08 billion, not even including Microsoft. Now, imagine this is a cyberattack that goes through a third-party software-as-a-service (SaaS) provider and takes down a similar swath of business, but recovery is slower, and companies must pay ransoms to recoup their data. How many billions of dollars will cyber insurers be out then?
Because cybersecurity is still a relatively new corner of the insurance market, ambiguity remains around what should be covered, the role cyber insurance plays in potentially encouraging ransom payments, etc. There’s no doubt that it’s still finding its footing, figuring out in real-time and on a world stage how to insure companies against rapidly changing and advancing cybersecurity threats.
This evolution will be what finally causes businesses to face reality and prioritize cyber resiliency to ensure data is always recoverable in the event their primary network is taken offline or data is held for ransom. Companies may not take it upon themselves to invest in better data protection practices, and the cyber-insurance market ultimately will force their hand.
Cyber Insurers Drag Us Into the Future
Over the past five years, the rise of ransomware has shifted not only an organization’s risk profile but also the estimated payouts. In many insurance policies, it’s all about risk mitigation, but unless an underwriter can accurately assess the risk or implement requirements to mitigate the threat, it becomes a financial business risk for the insurance company. Therefore, cyber-insurance prices have significantly risen along with the bar to qualify for coverage.
Many of the new requirements focus on data storage and backups. Segmented, encrypted, and immutable backups are the industry standard, but because of limited resources, unawareness, or segmented cybersecurity teams, it hasn’t always been a prioritized industry standard. Now, companies will have no choice but to up their game if they want coverage. Those who fail to adopt these requirements will be left without insurance or an effective recovery plan, unable to financially recover when the inevitable ransomware attack hits.
To read the complete article, visit Dark Reading.