How insurers can approach cybersecurity risk

A ransomware demand for the payment of $300 worth of bitcoin sits on the screen of an Apple Inc. Macbook Air laptop infected by the 'Petya' computer virus inside an electronics store in Kiev, Ukraine, on Wednesday, June 28, 2017. The cyberattack similar to WannaCry began in Ukraine Tuesday, infecting computer networks and demanding $300 in cryptocurrency to unlock their systems before spreading to different parts of the world.
A ransomware demand for the payment of $300 worth of bitcoin sits on the screen of an Apple Inc. Macbook Air laptop infected by the 'Petya' computer virus inside an electronics store in Kiev, Ukraine, on June 28, 2017.
Vincent Mundy/Bloomberg

The FBI reported a 400% increase in cybercrimes in 2020, in part because of the increase in remote work. Among the cybercrimes were two major data breaches: SolarWinds and FireEye, both third-party technology partners hired to protect their clients from data breaches and then becoming victims themselves.

The FBI noted that ransomware crimes made up about 85% of all incidents in 2020, dubbed The Year of the Digital Pandemic, a trend that has ramped up in 2021 and shows no signs of slowing.

Many insurers are focused on ransomware risk protection even though other new vulnerabilities are emerging from remote work. The new class of crimes could result in claims damages that may amount to much more than a single ransomware situation.

Recent statistics point to a troubling increase in ransomware and phishing, web application attacks and other emerging cybercrime tactics.

The Biden Administration announced a national security directive to boost defenses against ransomware attacks to critical infrastructure. While the directive sets performance standards, it doesn't provide any natural way to enforce them, which is why businesses have to assume that cyberattacks are inevitable.

A new approach to cybersecurity risk prevention
Companies can regain control over cybersecurity risks with robust management processes, outlined here in six main steps (and a seventh bonus step):

  1. Assess your risks
  2. Prioritize your risks
  3. Determine your risk profile
  4. Choose your risk strategies
  5. Execute your risk strategies
  6. Measure residual risk
  7. Repeat Steps 1-6 all over again since things are constantly changing

Managing cyber-risk follows the same basic process and principles as managing any other risk; however, the best risk management plans are only as strong as their weakest link. When it comes to cybersecurity, that weak link is often a business’ third-party vendor.
Hiring an expert or external consultant, purchasing password protection software, backing up your files, and enabling multi-factor authentication are some quick and easy ways to ‘lock the door’ to cybercriminals. But, as ransomware and other attack vectors become more lucrative and easier to initiate, companies of all sizes will need to implement additional, more layered security measures, especially if they’re working with third parties that are equally at risk.

Companies should start by taking inventory with a thorough gap assessment of personnel and capabilities and find a way to address any discrepancies with either an internal expert or an external consultant or both, depending on needs. Next, companies should prioritize which risks are worse than others and develop a continuity plan to manage them and recover if disaster strikes.

To cover losses when an incident inevitably occurs, companies should purchase or shore up their cybersecurity insurance policiesas well as requiring that their third-party partners (e.g., suppliers, vendors, contractors, franchisees, etc.) carry a certain amount of cybersecurity coverage to pay for damages and the cost to remediate them.

How insurance verification helps
It’s not enough just to carry cybersecurity coverage — companies need to make sure the policies are adequate and haven’t lapsed. This is where verification, and ongoing reverification, of third-party cybersecurity insurance, comes into play. This simple measure is one of the most effective ways for businesses to protect themselves and their customers from the financial risk of stolen data, ransomed files and more.

Additionally, many cyber insurers now verify a company’s cyber-risk controls as part of the underwriting process, so the act of verifying cybersecurity insurance can add a second layer of verification in one. This ensures that not only do third-party vendors have coverage but that they’ve prioritized cybersecurity protection and developed a comprehensive plan of defense.

If the Digital Pandemic has taught us anything, it’s that nobody and no business is immune from an attack. Companies need to be better about verifying their supply chains and ensuring that each vendor they're working with is sufficiently covered.

Data breaches are inevitable, but businesses can and should protect themselves and their customers from third-party risk by verifying that their partners’ cybersecurity and ransomware insurance policies are active and appropriately meet the company’s needs.

For reprint and licensing requests for this article, click here.
Cyber security Ransomware Malware Identity verification Cybersecurity and data privacy due diligence Insurance Risk analysis
MORE FROM DIGITAL INSURANCE