How to Build a Solid Cybersecurity Program

While having insurance is crucial, it won't prevent reputational damage, the exposure of sensitive customer data or the loss of trust.


With cyberattacks and malicious activity at an all-time high, it comes as no surprise that the cyber insurance industry is thriving. The global cyber insurance market is projected to exceed $90 billion, at a growth rate of more than 20% CAGR through 2033. Millions of organizations across sectors and of all sizes are frantically trying to secure a cyber insurance premium as the financial repercussions of cybercrime reach astronomical levels ($4.5 million was the average cost of a data breach globally in 2023).

At the onset of the cyber insurance market, premium holders had a reasonable level of coverage against potential cyberattacks. However, as the market matures, and with the availability of more data-driven analytics that provide concrete insights into risk factors and outcomes, cyber insurers have significantly tightened requirements. Research from Delinea also found that the exclusion criteria among insurance providers are evolving, with organizations now facing an extensive list of rules that can void their coverage, including the lack of security protocols, human error and acts of war or terrorism, though there is debate on whether exclusions for acts of war would hold up in the courtroom.

Many stakeholders, especially those within the C-suite, may initially have believed that an insurance premium could solve the most complex security risks for an organization. Yet cyber insurance premiums have limitations and a range of exclusions, including for ransomware attacks, which according to the 2023 Verizon Data Breach Investigations Report (DBIR) are involved in 24% of all breaches.

While a cyber insurance premium can often be an essential financial safety net that may effectively keep operations afloat in the aftermath of an attack, it will not prevent reputational damage, the exposure of sensitive customer data and the loss of trust. While a premium is certainly a worthwhile investment, it must be deployed in tandem with a robust cybersecurity strategy and strong procedures and controls.


Starts With Strategy

An organization's real saving grace against cyber risk is a comprehensive security program, one that strikes a balance between human expertise and the right mix of tools.

An effective strategy starts with the first line of defense: the human workforce. With the introduction of generative AI, social engineering attacks are increasing in sophistication and causing more phishing emails than ever before to pass through Domain-based Message Authentication, Reporting and Conformance (DMARC) controls. In many instances, responsibility now falls on humans to identify and report cyber threats and to avoid situations that could inadvertently expose sensitive data. Organizations must have tried-and-tested incident response plans in place and conduct regular simulation exercises for employees that mimic real-world attack scenarios, including those that leverage generative AI components.

Best-practice security controls, such as enabling multifactor authentication (MFA), privileged access management (PAM) and a strong backup strategy, are also fundamental when working to reduce an organization's attack surface. Advanced security tools and endpoint solutions that offer real-time monitoring and alerts are increasingly must-haves, as are access controls to verify and monitor any identity in the network, whether human or machine. Placing time-bound and role-based access controls around sensitive data is also a core part of any security strategy.


Robust supply chain security controls, including controls over remote access for contractors and vendors, are another important part of the equation. Comprehensive privilege escalation controls, which can block the lateral movement of attackers that break through an organization's defensive layers, will also help reduce the threat of ransomware attacks, something that is not covered by many cyber insurers.
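The controls named in the two paragraphs above (role-based permissions, time-bound access to sensitive data, MFA for privileged operations, and restricted remote access for contractors and vendors) can be made concrete as a deny-by-default authorization check. The following Python access-policy evaluator is an added example, not code from this article or from Delinea; the roles, actions, accounts and time windows are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed role -> permission map. Anything not listed is denied (least privilege).
ROLE_PERMISSIONS = {
    "analyst": {"read:customer_data"},
    "dba": {"read:customer_data", "write:customer_data"},
    "vendor": {"read:ticket_queue"},  # hypothetical scope for an outside support vendor
}

# Actions on sensitive data always require a verified MFA session.
SENSITIVE_ACTIONS = {"read:customer_data", "write:customer_data"}


@dataclass
class Grant:
    """A role assignment; expires_at=None means standing (non-expiring) access."""
    role: str
    expires_at: Optional[datetime] = None


@dataclass
class Principal:
    name: str
    grants: List[Grant] = field(default_factory=list)
    mfa_verified: bool = False
    is_external: bool = False  # contractor or vendor account


def active_roles(principal: Principal, now: datetime) -> set:
    """Roles usable at `now`. External accounts never get standing access,
    so any of their grants without an expiry are ignored."""
    roles = set()
    for g in principal.grants:
        if g.expires_at is None:
            if not principal.is_external:
                roles.add(g.role)
        elif g.expires_at > now:
            roles.add(g.role)
    return roles


def authorize(principal: Principal, action: str, now: datetime) -> Tuple[bool, str]:
    """Deny-by-default decision with a reason string suitable for an audit log."""
    permitted = set()
    for role in active_roles(principal, now):
        permitted |= ROLE_PERMISSIONS.get(role, set())
    if action not in permitted:
        return False, "no active role grants this action"
    if action in SENSITIVE_ACTIONS and not principal.mfa_verified:
        return False, "MFA required for sensitive action"
    return True, "allowed"


def run_demo() -> List[dict]:
    """Evaluate a few constructed requests and return the audit records."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    alice = Principal("alice", [Grant("analyst")], mfa_verified=True)
    bob = Principal("bob", [Grant("dba")], mfa_verified=False)
    # Vendor with a one-hour just-in-time grant for a remote support session.
    vendor = Principal("vendor-x", [Grant("vendor", now + timedelta(hours=1))],
                       mfa_verified=True, is_external=True)
    # Vendor whose grant was (wrongly) issued without an expiry.
    stale_vendor = Principal("vendor-y", [Grant("vendor")], mfa_verified=True, is_external=True)

    requests = [
        (alice, "read:customer_data", now),
        (alice, "write:customer_data", now),                      # outside the analyst role
        (bob, "write:customer_data", now),                        # right role, no MFA
        (vendor, "read:ticket_queue", now),                       # inside the JIT window
        (vendor, "read:ticket_queue", now + timedelta(hours=2)),  # window expired
        (stale_vendor, "read:ticket_queue", now),                 # standing external grant ignored
    ]
    audit = []
    for principal, action, when in requests:
        allowed, reason = authorize(principal, action, when)
        audit.append({"who": principal.name, "action": action,
                      "allowed": allowed, "reason": reason})
    return audit


if __name__ == "__main__":
    for record in run_demo():
        print(record)
```

Each decision carries a reason, so the same records that drive the allow/deny outcome can feed the real-time monitoring and alerting the article calls for; a burst of "MFA required" or expired-window denials against one account is exactly the kind of signal worth surfacing.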

Most importantly, organizations should implement security controls that are seamless and do not hinder productivity, and they should ensure that employees are using these tools correctly. Security and governance policies will only succeed when employees know and follow them, and organizations enforce them. That said, in addition to building these practices into workflows through policies, companies should also try to put cybersecurity technology behind the scenes and automate processes as much as possible to ensure employee compliance.

As cyber insurance continues to evolve and mature, we may soon encounter an increased number of claims being challenged. While there is no silver bullet for navigating this challenge, implementing strong cybersecurity measures and championing best practices is an ideal place to start. As with any policy, the coverage is only meant to provide a financial safety net and critical support to recover, not to protect against every eventuality. It is everyone's responsibility to do their part to prevent a cybersecurity incident from becoming a business catastrophe.


Joseph Carson


Joseph Carson is the chief security scientist and advisory CISO at Delinea.

He has more than 25 years of experience in enterprise security and infrastructure. Carson is an active member of the cybersecurity community and a certified information systems security professional (CISSP). He is also a cybersecurity adviser to several governments, critical infrastructure organizations and the financial and transportation industries. He speaks at conferences globally.
