Cybersecurity - SMBtech business IT

Why cyber insurance should be part of every business’ ransomware strategy

As the number of cyberattack incidents on organisations continues to increase, cybersecurity and insurance seem like the best solutions to retrieve your data and protect your business from disasters. However, according to the Veeam Ransomware Trends Report, around 1 in 4 organisations (25 per cent) who pay the ransom in an attack never get their data back.

At a glance, cyber insurance may seem like an obvious, quick-fix solution to a never-ending problem, but it does have its downfalls. The cost of cyber insurance, for example, has steadily increased as more companies report incidents of getting hacked. According to global insurance broker Marsh, a small or medium-sized business wanting to buy $10 million of cover would face an average premium of $60,000. Larger companies can expect to pay about $350,000 for $20 million of cover.

Having cyber insurance is only meant to be a financial cover for revenue loss – it does not confirm the cause of the hack or retrieve lost data. Customers who lose vital information through a data leak may lose their trust in the business, and this can result in people opting out of its services in favour of competitors.
With this in mind, it is important to educate companies on best practices for securing data and to put in the work to protect critical resources. Businesses can include a cyber insurance component as part of their plans but should also include other forms of protection that stop potential threats and back up their data.

What is cyber insurance?

Cyber insurance is a relatively new type of coverage, with insurance companies rolling out their first policies in the early 2000s. It was introduced to protect businesses against malware, ransomware and distributed denial of service (DDoS) attacks. There are different policies available in Australia that cover liability, such as theft of third-party data, the cost of business interruptions and the cost of services to investigate the breach.

The main benefit cyber insurance provides to businesses is the ability to not only cover damages related to malicious cyberattacks but also costs associated with remediation, including payments for legal investigations, investigators and customer refunds or credit. For example, Optus spent over $140 million to help customers renew their documents and commission a report into the 2022 breach.

Companies that implement cyber insurance are still considered early adopters. A recent study showed that 30-75% of larger businesses have taken out cyber insurance policies. According to, cybersecurity insurance’s global market was $7.6 billion in 2021 and by 2027, is expected to rise to $20.4 billion. Such predictions indicate that businesses are recognising that the frequency and sophistication of cyberattacks are increasing and are acting as a result.

Not all businesses have cyber insurance because of cost, and over the past five years cyber premiums have risen steeply. A 2022 report states that premiums in Australia have doubled since 2020 and are expected to jump even further, from $480 million to $815 million by 2024. Plus, there are limitations to what a company can claim based on the terms and conditions of the policy. Insurers paying out on cyber claims often require extensive documentation to do so, from cyber access reports to traffic logs. These documents are difficult to collect at the best of times and even more so post-incident, when IT departments are prioritising the restoration of services, which extends response times for insurance requests.

After an attack, companies can still be faced with the arduous task of restoring their IT servers and implementing cybersecurity measures to avoid another attack. On average, IT departments take three weeks to recover from an attack and for others, it can take several months.

The bottom line is that cyber insurance plans can help businesses, but they also need to protect themselves against threats and be prepared to solve and block problems before it’s too late.

Here are a few ways they can do so.

  • Patching – it is critical to create a broad patch management process to maintain an organisation’s IT infrastructure. This aids in repairing vulnerabilities quickly after a new update has been released, helps a business protect its assets and avoids potential downtime.

  • Employee training – a study from 2022 concluded that human error was responsible for 41% of data breaches through phishing, stolen credentials and ransomware. This highlights the importance of employee training. Common security mistakes should be reviewed often to ensure employees use strong passwords, recognise phishing attempts and protect important information.

  • Refining incident response plans – when a cyber-attack hits, things need to move quickly. Most businesses don’t have a response plan in place that outlines the chain of command and the actions to be taken. Organisations that do have an existing plan must ensure it is reviewed regularly and kept updated.

  • Implementing proper data backup – the last line of defence against a ransomware attack is secure backup infrastructure. Combining data protection with a strong cyber-attack preparedness strategy gives a business a quick and effective way to restore stability if a cyber-attack were to occur.

Cyber insurance helps businesses recover from a breach, but on its own it is not enough. By implementing it as part of a broader ransomware strategy, businesses can achieve the level of protection needed in today’s age of growing cyber threats.

Dave Russell is Vice President of Enterprise Strategy at Veeam. Rick Vanover is Senior Director Product Strategy at Veeam.
