Cyber insurance offers protection in a changing digital world, writes Thomas Spier.
Few business leaders are unaware of the scourge of cyber risks. But with the recent mega-outbreak of the WannaCry ransomware, which has affected more than 200,000 computers so far, companies should be taking a hard look at their security posture against the backdrop of a real-world cyber attack. This is a perfect opportunity for self-appraisal, because WannaCry, while just one example of the perils of the digital age, provides important insight into the disconnect that exists between what firms are protected against and what they aren’t.
Surveys by the insurance brokerage Marsh and insurer Zurich revealed that 52 percent of CEOs believed they had insurance coverage for cyber attacks. The reality, however, was that less than 10 percent were actually covered for such an event. In fact, recent estimates have shown that only about 3 percent of businesses have a cyber insurance policy that protects against attacks. As cyber criminals continue to up their game, savvy business leaders should take the time to be more aware of their risks and needs, and the strategies available to them to keep their companies safe.
Cyber risks have evolved
The WannaCry incident highlighted several dangers posed by cyber attacks, the first being that most firms are more vulnerable than they think. Ransomware schemes rely on business interruption to extract money from victims, something that hasn’t been a primary concern for business leaders in the United States, where take-up of cyber insurance policies is much higher. Instead, because data privacy was front and center, most basic cyber insurance policies focused on this area and were designed primarily to cover the expenses related to losing customer or employee information. While an important protection for organisations, those policies would not have covered the business interruption that resulted from WannaCry, nor would they provide policyholders with resources to restore their data or to work around a ransomware infection. Those early policies also didn’t include coverage for the ransom itself; WannaCry has so far resulted in nearly 300 payments made to the hackers for a total of £76,555. The ransom demanded per machine was relatively low with WannaCry (about £230, according to the BBC), but ransom demands in other ransomware attacks are often much more substantial.
Though data privacy continues to pose significant risks to firms of all sizes, ransomware is quickly becoming the most common type of attack on business systems. An interesting component of the WannaCry variant was its ability to spread on its own, worm-style, by exploiting a vulnerability in the Windows file-sharing (SMB) service. At the time of the outbreak no patch was available for out-of-support versions such as Windows XP; Microsoft released one for those versions only after the attack was under way. For supported systems, Windows 7 among them, a security patch had been released two months earlier, but many organisations hadn’t stayed current by installing it. This made it far easier for WannaCry to spread from one unpatched machine to the next.
Companies put off software updates due to concerns about compatibility with in-house systems or custom software, but delaying upgrades puts systems and operations at greater risk in the long run. Organisations need to weigh the impact of an unexpected interruption and potential data loss due to a ransomware infection compared to the planned interruption of daily operations as they upgrade systems with a patch. For most organisations, a planned interruption will be less risky and disruptive overall.
Adding to the problems is a lack of attention to other protective approaches, such as a tested data backup protocol. Even if a ransomware infection takes hold, restoring data from a backup server or cloud service offers an immediate and reliable answer, provided the backups themselves are intact. The bad news is that many companies don’t take the necessary steps to ensure their backups are ready and usable. They are reachable from the same network as the systems they protect, so even the most basic ransomware can find and encrypt them, and they typically keep only a single copy rather than a series of versions. To be truly effective, the backup data must be trustworthy (verified as unchanged since it was written, rather than silently tampered with), it must be recent enough to be useful, and it must contain enough versions to reach back before any ransomware that may have propagated within the system before it was discovered, because a backup taken after the infection will faithfully contain encrypted files. Unless they make these defensive measures a priority at the strategic level, businesses increase their vulnerability in a cyber attack. They leave themselves open to data loss and devastating disruption of their daily operations.
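The three properties above (trustworthy, recent, versioned) are easy to state and easy to get wrong, so here is an added example, written for this page and not code from the author or from CyberScout, of a minimal versioned backup with integrity manifests. It is deliberately small: the "ransomware" is a simulated XOR stand-in, the backup location is a temporary directory standing in for a network share, the retention depth and snapshot labels are assumptions, and the operator is assumed to know the last date the data was clean. What it shows that the paragraph cannot is the limit of integrity checking on its own: hashing catches a backup that was scribbled over, but a snapshot taken after infection is self-consistent and verifies cleanly, which is exactly why multiple versions and a known-clean cutoff are needed.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Optional

# Assumption: keep three generations. Tune this to exceed the time it takes
# you to notice an infection; if it is shorter, the clean copy gets pruned.
RETAIN_VERSIONS = 3


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def prune_old_snapshots(backup_root: Path) -> None:
    # Labels are ISO dates (assumption), so lexical order is chronological.
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    for old in snaps[:-RETAIN_VERSIONS]:
        shutil.rmtree(old)


def take_snapshot(src: Path, backup_root: Path, label: str) -> Path:
    """Copy src into a new snapshot and record a SHA-256 manifest of every file.

    The manifest is what makes a backup trustworthy later on: verification can
    tell whether anything changed after the snapshot was written.
    """
    snap = backup_root / label
    data = snap / "data"
    shutil.copytree(src, data)
    manifest = {str(p.relative_to(data)): sha256_file(p)
                for p in sorted(data.rglob("*")) if p.is_file()}
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=2))
    prune_old_snapshots(backup_root)
    return snap


def verify_snapshot(snap: Path) -> bool:
    """Re-hash every file and compare against the manifest; any drift fails."""
    manifest = json.loads((snap / "manifest.json").read_text())
    data = snap / "data"
    actual = {str(p.relative_to(data)): sha256_file(p)
              for p in data.rglob("*") if p.is_file()}
    return actual == manifest


def restore_latest_good(backup_root: Path, dest: Path,
                        not_after: str) -> Optional[str]:
    """Restore the newest snapshot that (a) predates the infection cutoff
    supplied by the operator and (b) still matches its own manifest."""
    candidates = sorted((p for p in backup_root.iterdir()
                         if p.is_dir() and p.name <= not_after), reverse=True)
    for snap in candidates:
        if verify_snapshot(snap):
            shutil.copytree(snap / "data", dest, dirs_exist_ok=True)
            return snap.name
    return None


def demo() -> dict:
    """Constructed scenario: two clean backups, then an infection that encrypts
    the live data and reaches the network-accessible backup share."""
    root = Path(tempfile.mkdtemp())
    live, backups, restored = root / "live", root / "backups", root / "restored"
    live.mkdir()
    backups.mkdir()
    (live / "ledger.csv").write_text("id,amount\n1,100\n")
    (live / "notes.txt").write_text("clean v1")
    take_snapshot(live, backups, "2017-05-10")
    (live / "notes.txt").write_text("clean v2")
    take_snapshot(live, backups, "2017-05-11")

    # Simulated ransomware (a trivial XOR, not real malware): it encrypts the
    # live files and, because the backup share is on the network, overwrites
    # a file inside the most recent snapshot as well.
    for p in live.iterdir():
        p.write_bytes(bytes(b ^ 0x5A for b in p.read_bytes()))
    (backups / "2017-05-11" / "data" / "notes.txt").write_bytes(b"\x00garbage")

    # The next scheduled backup runs after infection and copies ciphertext.
    # Its manifest is self-consistent, so hashing alone cannot flag it.
    take_snapshot(live, backups, "2017-05-12")

    chosen = restore_latest_good(backups, restored, not_after="2017-05-11")
    return {
        "tampered_snapshot_verifies": verify_snapshot(backups / "2017-05-11"),
        "infected_snapshot_verifies": verify_snapshot(backups / "2017-05-12"),
        "restored_from": chosen,
        "restored_notes": (restored / "notes.txt").read_text() if chosen else None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` restores from the 2017-05-10 snapshot: the 05-11 copy fails verification because the simulated ransomware reached it, and the 05-12 copy verifies but is excluded by the operator's cutoff. In production the same logic belongs on storage the production network cannot write to (immutable object storage, offline media, or a pull-based backup host), and the restore should be rehearsed on a schedule, since an unrehearsed restore is the point at which most backup protocols turn out to be untested.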
Find the right coverage
In addition to good software and data practices, cyber insurance provides another layer of protection. Cyber insurance policies come in many flavors and it’s important to ensure that the right ones are included in a business’s portfolio of insurance coverage. The early cyber policies focused on providing liability protection to address lawsuits that might result from lost data. In today’s environment, business interruption coverage should be included, as well. If the business can’t function because of a cyber attack or a failure in the company’s IT systems, this type of policy insures the firm against the resulting lost income and extra expenses. Also important is cyber crime coverage, to address the prevalence of social engineering schemes in which criminals extract money directly from the business through electronic means; phishing emails that trick staff into approving or redirecting payments are one increasingly common example. With cyber crime coverage, businesses can create a proactive plan that protects the organisation against attack, as well as draw on the advice of an experienced fraud specialist if an attack causes harm. Protection against extortion is another type of coverage that will enable the business to either have the resources and capabilities at hand to restore and recover computer systems that are taken down by a cyber attack, or in some instances, to pay the ransom, if it comes to that.
Though most businesses have several standard insurance policies already in place, carriers often specifically exclude cyber events from their coverage. Forward-looking companies should work with their risk management team to re-instate the cover through an updated cyber insurance policy. With broader and more comprehensive coverage in place, the next WannaCry-esque event can be less about panic and more about businesses using their strong cyber strategy to continue moving forward.
About the author
Tom Spier is International Director of Business Development at CyberScout, a data security and identity theft protection firm. He has more than 12 years of experience in the insurance and identity industries, with previous roles at UK General Insurers and European Credit Union. Visit www.cyberscout.com.