A Breach from Within — Can Cybersecurity Insurance Help?



You train, you test and you monitor, but it still happens. A busy employee clicks on a link in an email only to realize it’s a scam. What they don’t know is the malware embedded in that link has triggered a series of actions deep inside your company’s systems. Within minutes, every bit of your data is available to a cyber thief, and your network is shut down.

With a vigilant employee and IT team, you may have been able to stop the hack. But most often, the damage is done before your cybersecurity systems can respond.

The costs of closing such a breach and rectifying the damage could be astronomical. And if the cyber incident isn’t accidental, you could be dealing with an employee crime.

The good news is both accidental and intentional cyber damage can be insured. But getting the right mix of coverages is imperative.

Cyber risk continues to top executives’ concerns

The Internal Audit Foundation’s “2024 Risk in Focus” report found that cybersecurity was the top concern for North American audit executives. Eighty-five percent of respondents cited it as the No. 1 risk their companies face.

Microsoft’s “Digital Defense Report 2023” revealed that human-operated ransomware attacks grew 200% between September 2022 and September 2023. Of those ransomware attacks, 70% were directed at organizations with fewer than 500 employees. The report also says attempts to gain passwords grew tenfold over that time frame. It cites a lack of multifactor authentication (MFA) as the primary reason hackers go for passwords.

Business email compromise (BEC) hacks have grown in terms of victim losses and victim counts, according to the FBI’s 2022 Internet Crime Report. In these schemes, cyber thieves spoof business email accounts and request illegitimate fund transfers. Microsoft says they are now at an all-time high. It recorded 156,000 BEC attacks each day between April 2022 and April 2023. And the FBI’s report indicates the agency received 21,832 BEC complaints in 2022, with adjusted losses exceeding $2.7 billion.

Of increasing concern are Internet of Things (IoT) technologies. According to the Microsoft report, 46% of IoT devices with known security flaws cannot be patched. Making matters worse, “25% of IoT devices on customer networks use unsupported operating systems,” the report says. This means they cannot be updated with patches.

The FBI report lists the top five cybercrimes in terms of victim counts for 2022:

  1. Phishing
  2. Personal data breach
  3. Nonpayment/Nondelivery
  4. Extortion
  5. Tech support

You can manage your cyber risk

Training employees to spot and report phishing attempts and other cybersecurity concerns is critical. It’s fairly inexpensive and enormously beneficial, but you must follow up with testing, corrections and refresher courses. And you must empower your employees to report suspicious activity by colleagues.

MFA is another cheap and effective way to reduce cybercriminals’ access to your systems. MFA requires anyone attempting to enter your network to provide their user credentials and one or more other factors to verify their identity. Typically, the second factor is a code sent to another device, such as a cellphone. But it can also be biometric data like a fingerprint.

Companies should also limit access to systems. This ensures that the users with access are easily identifiable.

While security patches and operating system updates seem like an obvious solution, they may require expensive upgrades and even new hardware. Though these upgrades can be expensive and disruptive, the investment may be less costly than a lockdown of your systems.

For companies that can afford to go further, having a cyber monitoring system and dedicated IT team can help prevent serious losses. When a breach happens, a cyber monitoring system can help detect it. And an IT team can immediately take action to block the infiltration of code or exfiltration of data.

If your company cannot afford staff for such an effort, you may be able to contract with a service provider that handles monitoring and response. Or you can use a cloud provider for basic services. Even out-of-the-box anti-malware software can be helpful.

Additionally, every company should have a backup system that’s disconnected from the internet. This will ensure that your data is not completely lost or corrupted in an attack. You can use the archived data to rebuild or continue your operations in an emergency.

What does cyber insurance cover?

Cyber insurance has two components: first-party coverage and third-party coverage.

First-party coverage insures lost data or revenue due to lockouts.

Third-party coverage insures your company’s liability for damage done to others because of a cybersecurity failure on your part, usually a data breach but not always.

Cyber insurance usually responds whether the breach occurred because of an employee’s erroneous actions or a failure in your cyber defenses.

Cyber insurance is not standardized; it is tailored to the needs of each policyholder. That said, common reimbursable expenses include:

  • Investigations
  • Revenue losses
  • Breach notifications
  • Lawsuits and extortion
  • Data restoration
  • Replacement of damaged hardware or software
  • Credit monitoring for victims
  • PR services to prevent or lessen reputational damage

Note that internal cybercrime is not covered by cyber insurance. For that you would need a fidelity bond, or employee crime insurance. This type of policy addresses cyber embezzlement, theft and damage. Your insurance professional can advise you on the availability of cyber risk and crime policies that protect your company’s assets and revenue and offer cyber risk management and response assistance. A mixture of crime insurance, cyber liability insurance and cyber risk insurance with business interruption protection is optimal.

Demonstrating your company is serious about managing cyber risk will make obtaining insurance much easier and more affordable. Most insurers today will reject your application or charge you substantially higher premiums if you don’t have quality cyber risk management.

 

This content is for informational purposes only, should not be considered professional, financial, medical or legal advice, and no representations or warranties are made regarding its accuracy, timeliness or currency. With all information, consult with appropriate licensed professionals to determine if implementing any recommendations would be in accordance with applicable laws and regulations or to obtain advice with respect to any particular issue or problem.
Copyright © 2024 Applied Systems, Inc. All rights reserved.