
Is Cyber Insurance a Must-Have?

Read more about co-authors Dave Russell and Rick Vanover.

The frequency and severity of cyberattacks have dramatically increased in recent years, leaving businesses and individuals vulnerable to financial loss and reputational damage. As technology continues to advance, and with the ever-present threat of cyberattacks, there is a growing need for cyber insurance. 

Cybersecurity insurance was created in the late 1990s when organizations began moving their businesses online. As business leaders sought to understand the complexities of the digital world, insurance companies offered cyber insurance policies to mitigate the risks associated with the internet and protect companies against unauthorized access to an organization’s systems and data.

The earliest cyber insurance policies were often broad in scope and not specifically tailored to fit the needs of an organization. However, as the number of cyberattacks increased, the nature of cyber insurance changed as well. Today, business leaders can opt for highly specialized insurance policies that cover a wide range of risks, including ransomware, data breaches, and business interruption.

In the Asia Pacific region, the adoption of cyber insurance is expected to grow at a 35.5% CAGR (compound annual growth rate) during the forecast period of 2019–2025. While artificial intelligence, robotics, virtual reality, and the Internet of Things have driven technological advancement, they have also introduced new kinds of threat. When those threats are realized, cyber insurance comes into play, providing financial compensation and covering a business’s responsibility for data.

It is important to remember that cyber insurance is not meant to be a stand-alone solution. Because attacks can vary in severity, cyber insurance also varies in its premium prices, which can go up to millions of dollars. According to a report by S&P, the global cyber cover premium pool is expected to rise by an average of 25% per year. There are varying degrees to which an organization can insure itself. With first-party coverage, insurance would typically cover costs associated with the investigation of the incident, loss of revenue due to business interruption, risk assessment for future cyber incidents, ransomware attack payments based on coverage limits, and notifying affected customers. Third-party cyber liability coverage, meanwhile, can be purchased to protect a business in the event that a third party sues for damages from a cyberattack incident. This insurance can cover legal fees, settlements, and regulatory fines for noncompliance. 

The complexity of cyber insurance policies and the nature of the coverage a company provides can make it a daunting task for businesses keen on acquiring coverage. It can be especially challenging for smaller enterprises that may lack the knowledge or resources to purchase an adequate policy. In addition, with the rise of cyberattacks, disputes may arise in the aftermath of an attack, with insurance companies and organizations debating the payout. This can lead to a lengthy and costly legal battle. 

While cyber insurance has been around since the 1990s, it is still a relatively new concept that continues to be updated based on new methods of cyberattack. There is a lack of standardization among insurance companies, and more has to be done to ensure that a regulatory standard is adhered to in terms of what can be covered.

Organizations are targeted for cyberattacks for various reasons, with financial gain being the most common motivation. Attackers use various methods to access sensitive information, ranging from phishing to hacking. 

Cyber insurance is only one aspect of practicing good cyber resiliency. While it provides financial relief, it does not negate the fact that a cyberattack occurred and that the organization’s trustworthiness has been compromised. Beyond encrypting sensitive data, installing cybersecurity software, and regularly educating staff about cyberattacks, backing up data is a good way to ensure that there is business continuity in the event of an attack and that hackers will not have the power to demand money from organizations to get their data back.

Data should always be backed up using the 3-2-1-1-0 rule, where there should be three copies of data, stored on two different media, with one copy off-site, and another copy offline and air-gapped or immutable, achieving zero errors with a recovery system. This will safeguard data and ensure that in the event a company goes offline, systems can be quickly restored with little to no downtime. According to our recent Data Protection Trends report, 82% of organizations have an “availability gap” between how quickly they need systems to be recoverable and how quickly IT can bring them back. A further 79% cite a “protection gap” between how much data they stand to lose and how frequently IT protects their data across the cloud and on-premises. This further highlights the importance of having backup copies.
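As an added illustration (not part of the original article or any vendor tool), the 3-2-1-1-0 rule can be checked against a backup inventory; the field names and the sample inventory are hypothetical. It assumes the production data counts toward the three copies, reads "another copy" as a copy distinct from the off-site one, and treats a copy that has never been test-restored as failing the zero-errors condition.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:                      # hypothetical inventory record
    name: str
    media: str                         # e.g. "disk", "tape", "object-storage"
    offsite: bool = False
    offline: bool = False              # offline / air-gapped
    immutable: bool = False
    production: bool = False           # the live data set itself
    restore_errors: Optional[int] = None   # None = never test-restored


def check_32110(copies):
    """Return {rule: (passed, detail)} for each part of the 3-2-1-1-0 rule."""
    backups = [c for c in copies if not c.production]
    media = {c.media for c in copies}
    offsite = {c.name for c in backups if c.offsite}
    hardened = {c.name for c in backups if c.offline or c.immutable}
    # "Another copy": the off-site and hardened roles need two distinct copies.
    distinct = bool(offsite) and bool(hardened) and len(offsite | hardened) >= 2
    untested = [c.name for c in backups if c.restore_errors is None]
    failing = [c.name for c in backups if c.restore_errors]
    return {
        "3 copies": (len(copies) >= 3, f"{len(copies)} copies"),
        "2 media": (len(media) >= 2, ", ".join(sorted(media))),
        "1 off-site": (bool(offsite), ", ".join(sorted(offsite)) or "none"),
        "1 offline/immutable": (distinct, ", ".join(sorted(hardened)) or "none"),
        "0 errors": (bool(backups) and not untested and not failing,
                     f"untested={untested} failing={failing}"),
    }


def gaps(copies):
    """Names of the rule parts the inventory does not satisfy."""
    return [rule for rule, (ok, _) in check_32110(copies).items() if not ok]


# Constructed sample inventory: one immutable cloud copy doing double duty.
INVENTORY = [
    BackupCopy("prod-db", "disk", production=True),
    BackupCopy("local-repo", "disk", restore_errors=0),
    BackupCopy("cloud-bucket", "object-storage", offsite=True,
               immutable=True, restore_errors=0),
]
TAPE = BackupCopy("tape-vault", "tape", offline=True)   # not yet test-restored

if __name__ == "__main__":
    for rule, (ok, detail) in check_32110(INVENTORY + [TAPE]).items():
        print(f"{'PASS' if ok else 'GAP '} {rule}: {detail}")
```

The sample inventory fails only the offline/immutable part because the same cloud copy fills both the off-site and the hardened role; adding the tape copy closes that gap but opens the zero-errors one until a restore test has been recorded for it.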

Ultimately, strong backup is the insurance that organizations need. Cyber insurance can be part of an overall plan, but to rely on it exclusively would not be wise. As the technology landscape continues to advance and grow, companies need to lead their own defense against cyberattacks.