Growing increasingly tired of the operating environment – and in particular, the never-ending flood of ransomware infections – are the insurers whose role it often is to help victim organisations pick up the pieces and pay for much of the damage done.
In 2022 changes to how insurers assess risk and determine premiums and coverage could become a problem for some organisations. So which organisations are most at risk, and why?
It’s worth examining what is driving insurance companies to change their collective tune on cyber security protections and payouts.
First, too many organisations are being compromised. Nearly 500 reports were received by the Australian Cyber Security Centre last financial year, an average of more than one per day.
Second, these breaches are increasingly costly. IBM puts the average cost of an infection at US$4.62 million (A$6.45 million). This excludes any ransom payment, which is often an additional six- or seven-figure amount, and which – by some accounts – the majority of infected businesses wind up paying on the quiet.
Third, insurers don’t want to pick up the bill for this never-ending stream of compromises indefinitely.
In response, payout limits have halved in some cases, while premiums have skyrocketed; industry body the Council of Insurance Agents & Brokers (CIAB) saw cyber premiums rise 27.6% in the three months to September 30, on top of increases of 25.5%, 18% and 11.1% in the prior three quarters.
The types of attacks covered by cyber insurance policies may also become narrower: exclusions on cyber policies are being tested before the courts, and this could have ramifications for future cover.
Insurers expect organisations seeking cover to be able to demonstrate a minimum standard of security and resiliency against an attack. That requirement has steadily increased over time. When insurers mandate strong baseline security protections, everyone wins, because it raises the bar that almost every organisation must meet. As a former White House administration said, “With widespread take-up of insurance, these requirements become de facto standards.”
CIAB notes that multi-factor authentication (MFA) on all enterprise accounts and proactive staff training are now considered a baseline standard by insurers. While not having MFA is unlikely to result in cover being refused, it is likely to affect the premium and excess associated with a policy. Being priced out of cover in today’s insurance market is a real possibility if security baselines are unmet.
We note some insurers are taking this concept further by incorporating elements of compliance-based security frameworks and standards like the ASD Essential Eight, NIST, or the Centre for Internet Controls (CIS) 18 into the tests they use to pre-qualify customers for cyber insurance policies. This won’t be an issue for more forward-thinking organisations that already use these frameworks to guide their security activities.
For organisations not already on this path, however, a cyber security review by Tecala can be used to test your organisation against these standards. It can also be used to develop a strategic technology roadmap to bridge any gaps in capability or coverage that could have flow-on impacts for insurability.
Our assessment follows 3 Steps:
We enter a new cybercrime world as cooperative cybercrime experts become far more efficient than what most organisations are prepared for.
Ransomware is one of the biggest threats to any organisation today - period. As such, organisations must do everything in their power to reduce the impact of an attack.
