Technology is enabling businesses to grow further and faster than ever before, accelerated by the need to digitalise in the wake of the Covid-19 crisis. Despite the undoubted business benefits, this period of rapid change has also left companies more exposed to cyber threats than ever.
Many of these cyber risks are so new and complex that most firms aren’t prepared for them. Worse still, in the event of a cyber attack, companies’ traditional property insurance coverage won’t protect them because many of these risks aren’t implicitly included or excluded within the policy – a phenomenon known as ‘silent cyber’ or ‘non-affirmative cyber’.
And businesses often only find out they’re not covered when it’s too late, as evidenced by the WannaCry, Petya and NotPetya cyber attacks of 2017, which devastated everything from shipping ports and supermarkets to advertising agencies and law firms. These attacks can be hugely damaging, not only operationally and financially, but also in terms of reputation. According to IBM’s Cost of a Data Breach report 2021, organisations shell out, on average, $4.24m (£3.22m) per incident.
“As a risk, silent cyber still isn’t on the radar of most organisations,” says Tracie Grella, AIG’s global head of cyber risk insurance. “The problem is that they aren’t assessing the risk and working out where their exposures are, how their policies will respond and whether they would be covered for an event.”
So what are the main cyber risks companies need to be aware of and what should they do to mitigate against them? What insurance do they need to protect them if an attack occurs – and how can they plug any gaps?
Rise of ransomware
The fastest growing and most costly form of cyber attack is ransomware. Often originating in nation-states such as Russia and its neighbouring countries, ransomware attacks use malicious software to block access to a computer system and the hacker will then typically demand large sums of money – often in the multi-million dollar region – for the system to be unlocked again.
Phishing or social engineering scams are on the rise too, with victims sustaining $1.7bn in losses from business email compromise alone in 2019, according to the FBI’s Internet Crime Report. But the costs go far beyond the initial loss: they extend to business interruption, forensics, recovery and restoration expenses.
To guard against cyber attacks, businesses need to try and prevent them from happening in the first place. That requires identifying their key exposure areas to cyber risk, quantifying loss scenarios and appetites, and establishing robust cybersecurity and risk management strategies and controls that everyone in the organisation understands and follows correctly.
When a client suffers an event, often there’s a disconnect between what their policy actually covers them for and the appropriate coverage they would need
Networks and systems should be regularly updated through use of the latest security software backups on the cloud, patches and upgrades, and then tested to make sure they are protected. In addition, companies should restrict systems access to only those who need to use it to perform their duties, particularly when dealing with third-party providers, and rescind it from employees who are leaving the organisation. Firms should also encrypt data, adopt virtual private networks and use multifactor authentication.
The key to improving cybersecurity is ensuring that staff receive regular training so they can identify suspicious activity and potential problems, and take appropriate action to stop them. This includes not opening unsolicited emails, creating strong passwords and not using personal devices for work, particularly given the number of people who now work remotely.
Should the worst happen, firms also need to have cast-iron incident response, disaster recovery and business interruption plans in place to get back on their feet quickly. Insurers can help both with designing a risk mitigation plan and practices, and providing access to the necessary legal, forensic and claims teams needed post-event.
Insurance solutions for silent cyber
Insurance policies can help businesses recover their losses in the event of a cyber attack. However, many companies that previously relied on their standard property or liability policies to protect them have now found – to their cost – that they’re no longer covered under them.
“Cyber risk has implications across the board,” said Rich Sheinis, data privacy and cyber security partner at law firm Hall Booth Smith. “When a client suffers an event, whether that be a ransomware attack or a business email compromise, often their policy isn’t geared up to deal with the potential losses they will incur, and there’s a disconnect between what their policy actually covers them for and the appropriate coverage they would need.”
A common problem is silent cyber, which means that potential cyber-related events or losses are not expressly covered or excluded within traditional policies. This can lead to unexpected coverage gaps.
There is a solution. Standalone cyber insurance protects companies specifically against cyber attacks, providing emergency incident response and recovery services, ransomware negotiation and reimbursement, business income loss and follow-on liability coverages.
They will help to plug any coverage gaps, providing protection against losses caused by damage or data loss from IT systems and networks. The policy can also be used to engage a PR firm for managing a cyber incident in the media when a firm’s reputation is at stake.
If a business has more than one policy, it’s also vital to check there’s no overlap or duplication of cyber coverage.
“In order to ensure the best outcome, it’s imperative for businesses to work with a specialist cyber broker to review their coverage thoroughly to see what they need and be able to explain the risk fully to the underwriter,” says Kyle Bryant, chief underwriting officer at Resilience.
“There are plenty of innovative solutions out there to meet any company’s individual requirements and plug any gaps they may have.”
