Can Business Cybersecurity Protection Outlay Offset Cybercrime Insurance?

What is cybercrime insurance?

Business cybersecurity protection (cybercrime insurance) safeguards organizations from any financial losses relating to damage to (or loss of) information from, networks and IT systems. This may include reputation loss, the cost of business interruption, infringement of regulatory data standards (such as GDPR, CCPA, or LGPD), and/or attacks from bad actors (e.g., ransomware, data breaches, etc.) depending on the coverage taken. Policies may include help with the management of an incident and the recovery of lost or ransomed data, which can be invaluable for smaller companies.

The protection industry is doing the math

Business cybersecurity protection was once a lot cheaper, but a global pandemic that heralded a new era of remote working has taught them that cyber risk is more prevalent than ever before.

According to the most recent Cost of a Data Breach Report [IBM], the loss of earnings and associated financial outlay of a data breach rose from an average of USD 3.86 million to USD 4.24 million last year. Just one ransomware attack on the New Orleans city government cost them over USD 7 million [SC Magazine] and a single attack on ISS ISS A/S (a facility management services company in Copenhagen) cost the organization in excess of USD 50 million [GlobalNewswire]. In 2020, just 92 ransomware attacks cost the US healthcare industry an estimated $21 billion [Comparitech].

The number of worldwide malware samples is growing at nearly 5% per annum, with 153 million new malware samples from March 2021 to February 2022 [AV-Test]. Now, on the Dark Web, you can buy a simple malware kit for just USD 45, with basic “how to construct attacks” tutorials for as little as USD 5. [Top10VPN’s]. 93.6 percent of malware is polymorphic, meaning the code changes to avoid detection [Wbroot Threat Report] and 50+ percent of business PCs that are infected will be re-infected again in the same year. Imperva’s research team has observed guides for sale on the Dark Web created for the purpose of obtaining fraudulent accounts at financial institutions. These sell for as little as USD 12.50. Bad actors sell templates for fraudulent documents and phishing emails for just a few dollars. Wanna-be cybercriminals can rent a compromised server to launch a keylogging phishing attack or run your own remote access Trojan campaign for cents and pennies.

The world has changed and will change even further. Anyone with a bitcoin wallet can, should they choose, become a black-hat hacker in an evening. The numbers are plain to see, and the insurance world is built on probability and statistics.

Business cybersecurity protection providers utilize general liability class codes to classify businesses according to their risks. For insurance underwriting, these codes group SMEs with those that face the same types of risk and conduct similar work. These codes, and the cost of business cyber liability insurance, have changed with the frequency of commercial cyberattacks. Business cybersecurity protection provides measures for individual risks such as privacy risk, security risk, operational risk, and service risk. Every company has a possibility of a cyberattack, regardless of its size, but the bigger the organization the larger the measurable attack surface and vulnerability.

The Global Advanced Persistent Threat Protection Market (Business Cybersecurity Insurance) had an estimated worth of USD 6,082.53 million in 2021, and is expected to reach USD 7,426.78 million later this year. It is anticipated that this will further rise at a compound annual growth rate of 22.35% to reach USD 20,408.68 million by 2027. It is, without doubt, a growth industry – but it is a justifiably cautious industry. Insurance companies are, after all, there to make a profit for their shareholders.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is currently advising businesses to prepare for cyberattacks and bolster their digital security – and insurance companies are fully aware of the current geopolitical cybersecurity landscape. With an increase in attacks comes an obvious increase in premiums and requirements.

Requiring higher standards

In the UK, insurance firms have begun to ask that policyholders conduct the government-backed Cyber Security Essential Plus certification. This lets UK businesses conduct a formal self-assessment to discover their level of preparedness for a cyberattack against their infrastructure. After reviewing the results, insurance firms may insist on cover limitations, greatly increase premiums, or improvements before providing business cybersecurity protection. This type of attitude to cyber insurance is likely to be de rigueur in the future, regardless of your region or territory. It is possible you may have limited business cybersecurity protection through any existing business interruption insurance already and could make a saving on this by providing compliance certification.

In this instance, yes, business cybersecurity protection can offset cybercrime insurance premiums, now and in the future. Reducing attack surface and risk will statistically reduce surcharges. As such, this is a tangible call to action for investment in cybersecurity and in our IT security teams, and one to cite when looking for departmental funding from the wider organization. This includes protecting applications and APIs from DDoS, supply chain, and disruptive bot attacks, plus ensuring optimal network availability, bandwidth, and access. It means securing sensitive data across on-premises and cloud environments, and against insider threats, taking stock of your data real estate, and knowing what needs protecting and where.

Acting regardless

It is important to be prepared in order to save money on cyber insurance premiums or policies, but it also makes sense. You wouldn’t miss out on buying a fire alarm just because you had home insurance.

In the words of the UK Gov guidelines on cyber insurance: “As well as potentially lowering your premiums, completing schemes like these demonstrate to your customers, partners, and suppliers that you take cyber security seriously, and for this reason should be considered even if you don’t intend to take out cyber insurance.”