Espria has issued a warning to all business leaders in the UK that now is the time to review the small print of any corporate insurance contracts to ensure that their business is appropriately protected against potential cyber attacks.
Historically, many businesses have paid little attention to the details of their cyber insurance coverage, but following the pandemic and its associated changes in working practices, these risks have become a priority for many boards’ risk logs. In addition to facing increased energy costs, businesses must also take into account the higher premiums for cyber insurance, Espria states.
Cybersecurity threats have grown in recent years on a global scale, with cyber criminals exploiting mismatched networks during the pandemic and continuing to exploit these vulnerabilities. As businesses shifted to remote working environments, cyber threats became a more common reality.
Recent reports show that the UK suffered 4,783 cyber crime victims per million internet users in 2022. This is up 40% over the previous year. The trend continues with the number of data breaches and cyber attacks reaching 277.6 million in January 2023.
Dave Adamson, CTO at Espria commented, “This is a huge leap in the number of incidents. In our opinion, however, this figure still underplays the real risks; there has always been a lack of transparency around the disclosure of security incidents for commercial reasons.”
Cybersecurity breaches can leave connected partners of a company’s organisation vulnerable. With up to 40% of current cyber threats coming indirectly through the supply chain, cyber criminals are focusing on these vulnerabilities. These breaches can result in the loss of confidential data, financial losses, and even lost business opportunities, Espria states.
A recent study has revealed that only 23% of security leaders regularly assess cybersecurity vulnerabilities among their partners and vendors. Furthermore, many organisations limit third-party coverage to their direct suppliers and vendors, overlooking the wider network of clients, collaborators, investors, and other stakeholders. It is estimated that by 2025, 60% of organisations will take cyber security risks into account when making decisions about transactions and business interactions with third parties, as awareness of third-party risks increases.
On ensuring adequate protection, Adamson says, “Simply looking at the security systems and protocols in place within the organisation is not enough. Firms need to pay close attention to what their cyber insurance covers and stay up to date with the latest risks. Looking at their contract renewal and comparing policies is the first step in due diligence.”
Firms often opt for a cyber policy that is packaged within a broader business insurance policy, Espria states. While these are clearly popular, they are often far from as comprehensive as a stand-alone policy and may not cover the business should they fall victim to the latest cybersecurity attack tactics. Many insurance companies have changed the small print significantly, with more caveats and exclusions now in place. As a result, it is imperative that businesses check what is included, what is excluded, as well as any additional caveats and requirements.
Adamson continues, “Business email is very often the route into an organisation. It is an easy target, and criminals are much more targeted in their attacks today than ever before.
“They are specifically looking to exploit email security vulnerabilities using methods that include: misconfigured sender policy framework (SPF), domain keys identified mail (DKIM), as well as domain message authentication reporting and conformance (DMARC) to enact phishing and email spoofing attacks, which can be used to deploy ransomware. This means insurance must match the potential threat.”
He continues, “Cyber insurance is very often designed to only cover a business from the impact of a successful cyber attack. Depending on the cover, it may well include a mix of financial payments encompassing costs and support for IT forensics, legal, and even communications. It is not, however, a panacea for actual cybersecurity measures.
“With cyber insurance pay-outs now on the rise – and the insurers’ loss ratios worsening – it will come as no surprise to any CFO that the insurance industry is now taking steps to reduce its losses and limit the exposure to risk. And this will have several implications for risk management in turn.”
Cybersecurity insurance does not replace having the right cybersecurity measures in order. For example, Cybersecurity-as-a-Service from Sophos addresses insurance security challenges, ensuring uninterrupted operations.
Adamson adds, “Businesses are finding it more difficult to not only source cost effective cover, but in many instances to obtain cover at all. This, in turn, is leading to increased premiums and a greater focus on a business by their insurance provider to have robust cybersecurity measures and controls in place.
“But this is a fast-moving environment, and the nature of cyber threats means that while a business and its insurance provider focus on the most pertinent threat at that moment, cyber criminals are typically one step ahead and that means an endless game of ‘whack a mole’ in which businesses build ever greater security barriers and insurance providers update policies to meet the needs of an ever-changing threat.”
“Businesses cannot afford to be slow to respond and we urge all stakeholders – from CFOs to CISOs to check your policies today and ensure they meet the needs of the business not last year, but this week and beyond. Look for any changes in cover limits, as well as any exclusions. According to research from Sophos one in four cyber insurance policies today exclude ransomware – which is one of the biggest cyber risks today.”