By Dave Russell, Vice President of Enterprise Strategy, Veeam and Rick Vanover, Senior Director Product Strategy, Veeam
The frequency and severity of cyberattacks have dramatically increased in recent years, leaving businesses and individuals vulnerable to financial loss and reputational damage. As technology continues to advance and the threat of cyberattacks remains ever-present, the need for cybersecurity insurance has grown.
Cyber insurance was created in the late 1990s when organisations began moving their businesses online. As many business leaders sought to understand the complexities of the digital world, insurance policies came in to mitigate the risks associated with the internet and protect companies against unauthorised access to an organisation’s systems and data.
The earliest cyber insurance policies were often broad in scope and not specifically tailored to the needs of an organisation. However, as the number of cyberattacks increased, the nature of cyber insurance changed with it. Today, business leaders can opt for highly specialised insurance policies that cover a wide range of risks, including ransomware, data breaches and business interruption.
In the Asia Pacific region, the adoption of cyber insurance is expected to grow at a CAGR of 35.5 per cent during the forecasted period of 2019 – 2025. While artificial intelligence, robotics, virtual reality, and the Internet of Things have driven technological advancement, they have also introduced new parameters of threat. Cyber insurance is expected to come in to provide financial compensation and cover a business’s responsibility for data.
It is important to remember that cyber insurance is not meant to be a standalone solution. As attacks can vary in severity, cyber insurance also varies in premium prices, which can go up to millions. According to a report by S&P, the global cyber cover premium pool is expected to rise by an average of 25 per cent a year. The extent to which an organisation can insure itself also varies. First-party coverage typically covers the cost of things such as the investigation of the incident, loss of revenue due to business interruption, risk assessment for future cyber incidents, ransomware attack payments based on coverage limits and notifying affected customers. Third-party or cyber liability coverage can be purchased to protect a business in the event a third party sues for damages from a cyberattack incident. This can cover legal fees, settlements and regulatory fines for noncompliance.
The complexity of cyber insurance policies and the nature of the coverage a company provides can make acquiring coverage a daunting task for businesses. This can be a challenge for smaller enterprises that may lack the knowledge or resources to purchase an adequate policy. In addition, with the rise of cyberattacks, disputes may arise in the aftermath of an attack, with insurance companies and organisations disagreeing over the payout. This can lead to a lengthy and costly legal battle.
While cyber insurance has been around since the 1990s, it is still a relatively new concept that continues to be updated based on new methods of cyberattack. There is a lack of standardisation among insurance companies, and more has to be done to ensure that a regulatory standard is adhered to in terms of what can be covered.
Organisations are often targeted for a variety of reasons, with financial gain being the most common motivation. Attackers use a variety of ways to access sensitive information, from phishing through to hacking into systems to extract sensitive information.
Cyber insurance makes up only one part of practising good cyber resiliency. While it provides financial relief, it does not eliminate the fact that a cyberattack took place, and that the trust of the organisation has been compromised. Beyond encrypting sensitive data, installing cybersecurity software and regular staff education around cyberattacks, backing up data is a good way to ensure that there is business continuity in the event of an attack, and that hackers will not have the power to demand money from organisations to get their data back.
Data should always be backed up using the 3-2-1-1-0 rule: three copies of data, on two different media, with one copy offsite, another copy offline, air-gapped or immutable, and zero errors when recovery is tested. This will safeguard data, and ensure that in the event a company goes offline, it can be quickly restored with little to no downtime. According to Veeam’s recent Data Protection Trends report, 82 per cent of organisations have an “Availability Gap” between how quickly they need systems to be recoverable and how quickly IT can bring them back. A further 79 per cent cite a “Protection Gap” between how much data they can lose and how frequently IT protects their data across cloud and on-premises. This further highlights the importance of how many backup copies one should have.
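The 3-2-1-1-0 rule can be audited mechanically against a backup inventory. The following Python check is an added example, not code from Veeam or from the original article; the BackupCopy fields, the rule labels and both sample inventories are constructed for illustration, and it assumes the production copy counts as one of the three copies but is not itself recovery-tested.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                      # e.g. "disk", "tape", "object-storage"
    offsite: bool                   # stored away from the primary site
    isolated: bool                  # offline, air-gapped or immutable
    restore_errors: Optional[int]   # errors in last recovery test; None = never tested
    primary: bool = False           # True for the production copy itself


def check_32110(copies):
    """Evaluate each clause of the 3-2-1-1-0 rule; returns {rule: passed}."""
    backups = [c for c in copies if not c.primary]
    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in copies),
        "1 offline/air-gapped/immutable": any(c.isolated for c in backups),
        # A backup that was never test-restored is not evidence of zero
        # errors, so an untested copy (None) fails this clause.
        "0 recovery errors": bool(backups)
        and all(c.restore_errors == 0 for c in backups),
    }


def failed_rules(copies):
    """Names of the clauses the inventory does not satisfy, in rule order."""
    return [rule for rule, ok in check_32110(copies).items() if not ok]


# Constructed inventory: three copies, but all on disk, none isolated,
# and the offsite replica has never been test-restored.
WEAK = [
    BackupCopy("production", "disk", False, False, None, primary=True),
    BackupCopy("local-repo", "disk", False, False, 0),
    BackupCopy("replica-repo", "disk", True, False, None),
]

# Constructed inventory that satisfies every clause.
HARDENED = [
    BackupCopy("production", "disk", False, False, None, primary=True),
    BackupCopy("local-repo", "disk", False, False, 0),
    BackupCopy("offsite-immutable", "object-storage", True, True, 0),
]

if __name__ == "__main__":
    print("weak:", failed_rules(WEAK))
    print("hardened:", failed_rules(HARDENED))
```

The weak inventory shows why counting copies alone is misleading: it has three copies and one offsite, yet fails the media, isolation and recovery-test clauses.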
Ultimately, strong backup is the insurance that organisations need. Cyber insurance can be part of an overall plan, but relying on it alone would not be wise. As the technology landscape continues to advance and grow, companies need to lead their own defence against cyberattacks.