Cyberattacks are becoming increasingly sophisticated and devastating, especially for small and medium-sized enterprises (SMEs). With ransom demands on the rise and the cost of data breaches skyrocketing, companies are investing heavily in building their cyber defenses. However, cybersecurity is not bulletproof. Purchasing a cyber risk insurance program can help outsource residual risk, and deploying multi-factor authentication is a prerequisite not only for obtaining coverage, but also for reducing premiums.
Cyberattacks are becoming an existential problem
Throughout 2021, public and private organizations have felt the significant impacts of the ever-changing cyber threat landscape. Ransomware dominated the threat landscape in 2021. The targeted nature of attacks coupled with the growing sophistication of cybercriminals has resulted in massive losses for organizations around the world. The threat will increase with ransomware as a service expanding its scope and reach.
In the first six months of 2021, the US Treasury Department’s Financial Crimes Enforcement Network reported that the value of suspicious ransomware activity was $590 million, compared to $421 million for the whole of 2020. Meanwhile, the UK’s National Cyber Security Centre (NCSC) reported that in the first four months of 2021 alone, it handled the same number of ransomware incidents as in all of 2020 – which was triple the number the NCSC faced in 2019.
According to the IBM 2021 Cost of a Data Breach Report, the average cost of a ransomware breach has risen to $4.62 million, while the total cost of a data breach increased by 10% between 2020 and 2021. The costs are linked to four groups of activities associated with data breaches: detection and escalation, notification, loss of business, and post-breach response. Lost business accounts for the largest share of breach costs (38%).
As cybercriminals mature and perfect their tactics, small and medium businesses become the most vulnerable because they lack the capacity (staff, technology, budget) to put strong cyber defenses in place. SMBs can quickly become the low-hanging fruit of criminals who want to target larger companies through complex supply chains. If you add the expanding regulatory landscape with extensive security and privacy requirements, you can see why cyber insurance coverage is an existential issue for small and medium businesses.
Why buy cyber insurance?
As businesses become increasingly digitized, they are exposed to greater cyber risks. Cyber insurance could mitigate the resulting business impact if the technology becomes unavailable due to a cyber incident. While investing in building cybersecurity controls is essential, those controls are not impenetrable. Cyber attacks are a matter of when, not if, so cyber insurance becomes crucial to ensure business continuity.
Compliance is another key reason to get cyber insurance. Highly regulated industries such as healthcare and finance are no longer the only industries at risk of penalties for cybersecurity and privacy breaches. All companies are subject to state-specific data breach laws for the collection, processing, and storage of personal data. Cyber insurance can help cover the costs of complying with state, federal, and international laws, as well as cover regulatory fines and penalties.
All in all, having cyber insurance coverage is a show of due diligence. With cybersecurity being a top priority for many executives, cyber risk insurance is a priority for a diligent board.
What are the critical security requirements for securing cyber insurance?
When you contact a cyber insurer to discuss the possibility of obtaining insurance coverage, they will first assess your current cybersecurity situation. If your posture is considered too risky, you will probably be refused insurance. Insurers want to help you mitigate residual risk, but they also want to secure their investment.
During their assessments, they look for four critical security requirements, the absence of which precludes further discussion, says Nikos Georgopoulos, Cyber & Information Privacy Risks Insurance Advisor at Cromar. These four essential prerequisites are:
- Back up critical data regularly to an “offline” location that would not be affected by a security incident in your business environment. Test to ensure that these backups are recoverable.
- Use multi-factor authentication (MFA) for all your services and applications – cloud-based and on-premises – and for all your employees, not just privileged accounts.
- Do not allow remote access to the corporate network without a virtual private network (VPN).
- Provide regular cybersecurity awareness training, at least once a year and including anti-phishing, to anyone who has access to your organization’s network or to confidential/personal data.
The Importance of Multi-Factor Authentication
“MFA is one of the most important cybersecurity practices for reducing the risk of intrusions. According to industry research, users who enable MFA are up to 99% less likely to have a compromised account,” reads a joint CISA-FBI advisory.
In fact, multi-factor authentication is recommended or required by several regulations, including:
- President Biden’s Executive Order on improving the nation’s cybersecurity
- Office of Management and Budget (OMB) Memorandum on the U.S. government’s move toward Zero Trust cybersecurity principles
- ENISA guidelines on building your organization’s cyber resilience
It is therefore not surprising that MFA is a prerequisite for obtaining cyber insurance. Even if a company has met all other requirements, it will have difficulty obtaining insurance if it has not deployed MFA. “No MFA, no cyber insurance,” notes Nikos Georgopoulos.
Cyber insurance is the tool that can help small and medium-sized businesses become cyber-resilient. However, before even entering into discussions with an insurer, it is important that companies do their part and invest in basic cyber hygiene controls, including multi-factor authentication.