An explosion of costly cyberattacks has created a growing niche business: cyberinsurance.
The industry generated $8 billion in revenue in 2020. This figure could reach $20 billion by 2025.
“Seven or eight years ago, this was never discussed,” said Rob Clyde, the former chairman of ISACA’s board of directors, who is currently executive counsel for ShardSecure and executive chairman for White Cloud Security. “You’ve had advice that has gone from very little cyber talk to, now, intense cyber talk.”
Research indicates that approximately 75% of Fortune 500 companies invest in cyber insurance.
“We are much better off than ten years ago when the number was closer to zero,” Clyde said.
Before cyber insurance began, many companies tried to have their general insurance companies foot the bill.
In a case that settled earlier this year, Merck successfully sued its insurer for $1.4 billion in damages related to a NotPetya attack in 2017.
The insurance company attempted to deny the claim under its “act of war” provision.
A judge ultimately ruled that the defense was unfounded since “cyberattacks” were not explicitly excluded in the policy language.
In the years since the NotPetya attack on Merck, “insurance companies have learned not to include anything cyber in general business insurance,” according to Clyde.
“It’s increasingly common that it’s excluded from your general business insurance, or there are a lot of limits, so now you have to pay for special cyber insurance.”
These cyber insurance policies come with conditions.
Many companies require their customers to meet essential security criteria.
“The number of settlements and claims has continued to rise, so insurance companies are becoming more stringent about how they will cover policies,” said Ryan Toohil, chief technical officer of the digital security firm Aura. “It’s to the point that it will be in the underwriting. If you don’t have active endpoint security, strong backups, basically if you’re not in a position where you could recover from the attack, they could not guarantee you, or they may not pay the policy.”
The changing landscape can be difficult for small businesses. 35% of security professionals surveyed for ISACA’s State of Cybersecurity 2021 said their businesses were experiencing more cyberattacks.
“Top threats aren’t new,” Clyde said, pointing to social engineering as the top threat to businesses. “Think of the phishing attacks we all know about. They can happen through email, social media, or text messages. We’ve all seen them. Now they’re much more sophisticated.”
Clyde also highlighted advanced persistent threats: a threat that persists in a corporate network and attacks from multiple angles.
“Think of it as a many-headed hydra,” Clyde said. “While you can cut off one head, there are still others that eventually resurface. It’s malicious code that has infected your network that is really hard to completely eradicate.”
Both experts agree that a proactive security program is one of the best investments a business can make.
“The two things I think are most important are endpoint security and backups,” Toohil said. “Endpoint security reduces risk by closing the number of vulnerabilities you might have and identifying when you’ve installed something malicious. Backups allow you to recover when you run into a problem. You shouldn’t do either without the other.”
Clyde said that as more companies raise their cybersecurity standards and create high-quality backups, the number of ransoms paid to hackers may decrease.
“There are situations where companies are well prepared, and maybe for a little inconvenience and extra cost, they can avoid paying the ransom and recover,” Clyde said. “The math that might go into these companies would be, ‘Do we really want to keep rewarding criminals for holding our data hostage?’ And if fewer and fewer were doing it – ideally no one would – maybe ransomware would disappear.”