The risk of cyberattacks is nothing new but, since the onset of the COVID-19 pandemic, cybercrime has been on the rise, both in prevalence and magnitude, underscoring the importance of companies maintaining proper cyber hygiene to protect their data, operations and bottom lines.
Cybercrime on the Rise
In 2020, the global average cost of a data breach was $3.86 million, according to a study by IBM and Ponemon Institute. In the United States, the average cost was even more, at $8.64 million — the highest in the world. Last year, cybercrime victims paid $350 million in ransomware payments, according to a report by the Institute for Security and Technology, representing a 311% increase over the previous year.
Even as we return to some semblance of pre-pandemic normal in the coming months, the risk of cyberattacks is expected to keep growing. Costs of cyberattacks are projected to reach $6 trillion in 2021 alone, according to Cybersecurity Ventures, and expected to balloon to $10.5 trillion by 2025.
So far this year, the rate of cyberattacks has accelerated, with nearly daily reports of another high-profile breach or attack, including the recent hacks on oil pipeline operator Colonial Pipeline and meat processor JBS.
Impact on Cyber Risk Coverage
Considering these alarming trends, cyber risk insurance has never been more essential to protect businesses, their sensitive data and critical operations.
However, due to the rising incidence of cyberattacks and correlating claims, coverage has become pricier for companies to secure. Rates for cybersecurity insurance coverage climbed 30% by the end of 2020, with premiums potentially rising another 50% through 2021, according to Marsh.
But businesses aren’t simply having to pay more for cyber coverage. Because of the greater risk posed by more prevalent attacks, particularly ransomware, carriers have begun to tighten coverage limits, even restricting or placing sub-limits on ransomware coverage. Some carriers also have implemented co-insurance on coverage to share the cost of any ransomware payments.
Additionally, insurers are exercising more scrutiny of companies’ overall cyber hygiene. In other words, insurer requirements for cyber coverage are driving companies to close gaps in their cyber protections, policies and procedures. With increasing risk, businesses are required to create robust preparedness and response plans as a condition of coverage.
Improving Cyber Hygiene
As expectations continue to climb for businesses’ cyber hygiene, here are several key changes companies can implement to fill those critical risk gaps, better protect themselves from cyberattacks and ensure they meet insurers’ requirements for coverage:
Penetration testing: Such testing is a simulated cyberattack performed to evaluate a business’s computer systems. It helps identify risks and any security gaps.
Cyber incident response plan: Also known as an IR plan, this is a set of instructions that lays out how a company prepares for, detects, responds to and recovers from cyberattacks.
Employee awareness training: These trainings help educate a company’s employees about cybersecurity issues, including how to identify phishing attempts and best practices for securing data.
Security controls: Network security controls are a must. At a minimum, these should include endpoint detection and response (EDR) solutions that monitor the devices that connect to a company’s network, as well as tested backups and multi-factor authentication (MFA) login methods requiring employees to log in using additional credentials beyond their username and password.
Due to our reliance on digital devices and networks, as well as changes brought on by the pandemic, it no longer is a matter of if a business will experience a cyberattack, but increasingly when.
No business, regardless of size or industry, is immune to the dangers of cyberattacks. But with the increase in cyberattacks pushing up insurance costs, proper cyber hygiene that ensures businesses’ computer networks and sensitive data are properly protected from potential cyber threats is more critical than ever.
Richard Swetonic is of Lovitt & Touché, A Marsh & McLennan Agency LLC Company, which offers business insurance, risk management solutions, alternative risk financing, bonds and surety, and employee benefits.