Cyber insurance at its limit
Many insurers have tightened their underwriting policies several times over the past year. Transferring cyber risk to an insurer is becoming a challenge.
Companies that wanted to renew their cyber policies at the turn of the year had to dig deep into their pockets. Sharply higher premiums, combined with doubled deductibles and reduced limits, are now the reality in cyber insurance. Meanwhile, the claims situation continues to worsen. Most claims stem from ransomware attacks, which are becoming more professional and more frequent. The "Ransomware-as-a-Service" business model keeps evolving: the attackers encrypt production systems and, wherever they can reach them, the backups as well, and at the same time they exfiltrate confidential data or sensitive personal data in order to exert additional pressure (double extortion). In this way, attacked companies are brought to their knees and their decision-makers are pushed to pay the ransom. The ransom demand is tailored to the financial means of the victim, but experience shows that it can usually be negotiated down.
Cyber security requirements for insurance coverage
In response to the sharp increase in losses, insurers are now formulating specific cyber security requirements that companies must meet if they want to take out a meaningful cyber policy. The essential requirements are:
- Transparency across all assets (a complete, owned inventory of IT systems and the data they process)
- Multi-factor authentication for any remote access (e.g. from home office) to IT systems
- Strong passwords (length and complexity requirements)
- Annual employee awareness training on information security and cyber risks, combined with a simulated phishing attack
- Strict network segmentation, isolating operational technology and legacy systems from the rest of the network and segmenting further by geography or organizational unit
- Continuous and responsive patch management (monitoring vulnerabilities, installing critical patches within 72 hours)
- Solid backup strategy (following the 3-2-1 rule: three copies, on two different media, one of them off-site; plus an offline or standalone cloud copy that is not reachable from the production network, so that ransomware cannot encrypt the backups along with the systems)
- Documented and annually practiced disaster recovery plan (including backup recoveries).
- For large and internationally oriented companies: Uniform cybersecurity standards at all subsidiaries
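The list above is a checklist an underwriter asks about, but the same points can be checked mechanically against an asset inventory before renewal. The following is an added example written for this page, not code from the article or from any insurer: it scores a small constructed inventory (made-up asset names, placeholder finding ids rather than real CVE numbers, and an invented record format) against four of the requirements: asset ownership, MFA on every remote-access path, the 72-hour SLA for critical patches, and the 3-2-1 rule with an offline or immutable copy.

```python
"""Self-check of a constructed asset inventory against the insurer requirements
listed above: asset transparency, MFA on remote access, critical patches within
72 hours, and 3-2-1 backups with an offline or immutable copy.

Added example, not code from the article or from any insurer. The record
format, field names and all sample data below are assumptions made up for
illustration; the finding ids are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PATCH_SLA = timedelta(hours=72)   # "installing critical patches within 72 hours"


@dataclass
class Asset:
    name: str
    remote_access: bool         # reachable from outside (VPN, RDP, web portal ...)
    mfa: bool                   # MFA enforced on that remote-access path
    owner: str                  # "unknown" = nobody accountable = inventory gap


@dataclass
class Finding:
    finding_id: str             # placeholder id (assumption), not a CVE number
    asset: str
    severity: str               # "critical", "high", ...
    disclosed: datetime         # when the vendor fix became available
    patched: Optional[datetime]  # None = still open


@dataclass
class BackupCopy:
    medium: str                 # "disk", "tape", "cloud" ...
    offsite: bool
    offline_or_immutable: bool  # not reachable or rewritable from the production network


def unowned_assets(assets):
    """Assets nobody is accountable for: the inventory is not transparent."""
    return [a.name for a in assets if a.owner.strip().lower() in ("", "unknown")]


def remote_access_without_mfa(assets):
    """Remote-reachable systems on which MFA is not enforced."""
    return [a.name for a in assets if a.remote_access and not a.mfa]


def patch_sla_breaches(findings, now, sla=PATCH_SLA):
    """Critical findings fixed later than the SLA, or still open past it.
    Returns (finding_id, asset, whole hours over the SLA)."""
    breaches = []
    for f in findings:
        if f.severity != "critical":
            continue
        closed_at = f.patched or now          # open finding: the clock is still running
        over = closed_at - f.disclosed - sla
        if over > timedelta(0):
            breaches.append((f.finding_id, f.asset, int(over.total_seconds() // 3600)))
    return breaches


def backup_gaps(copies):
    """Which parts of 3-2-1 (plus an offline copy for ransomware) are not met."""
    gaps = []
    if len(copies) < 3:
        gaps.append("fewer than 3 copies")
    if len({c.medium for c in copies}) < 2:
        gaps.append("fewer than 2 distinct media")
    if not any(c.offsite for c in copies):
        gaps.append("no off-site copy")
    if not any(c.offline_or_immutable for c in copies):
        gaps.append("no offline/immutable copy (ransomware can encrypt backups)")
    return gaps


def run_checks(assets, findings, copies, now):
    """All checks in one report; an empty list means the requirement is met."""
    return {
        "unowned_assets": unowned_assets(assets),
        "remote_without_mfa": remote_access_without_mfa(assets),
        "patch_sla_breaches": patch_sla_breaches(findings, now),
        "backup_gaps": backup_gaps(copies),
    }


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# --- constructed sample inventory (not real systems or real vulnerabilities) ---
NOW = utc(2022, 3, 1)
ASSETS = [
    Asset("vpn-gw", remote_access=True, mfa=True, owner="netops"),
    Asset("rdp-jump", remote_access=True, mfa=False, owner="it"),
    Asset("mail-01", remote_access=True, mfa=True, owner="it"),
    Asset("erp-db", remote_access=False, mfa=False, owner="finance"),
    Asset("plc-01", remote_access=False, mfa=False, owner="unknown"),
]
FINDINGS = [
    Finding("F-001", "mail-01", "critical", utc(2022, 2, 20), utc(2022, 2, 22)),  # fixed in 48 h
    Finding("F-002", "vpn-gw", "critical", utc(2022, 2, 10), utc(2022, 2, 18)),   # fixed after 192 h
    Finding("F-003", "erp-db", "critical", utc(2022, 2, 25), None),               # still open, 96 h
    Finding("F-004", "erp-db", "high", utc(2022, 1, 1), None),                    # not critical, ignored
]
COPIES = [
    BackupCopy("disk", offsite=False, offline_or_immutable=False),
    BackupCopy("cloud", offsite=True, offline_or_immutable=False),
]

if __name__ == "__main__":
    for check, result in run_checks(ASSETS, FINDINGS, COPIES, NOW).items():
        print(f"{check}: {result or 'OK'}")
```

Note that an open critical finding is measured against "now", so F-003 is already 24 hours over the SLA even though it has no patch date yet; a check that only looks at closed findings would hide exactly the exposure an insurer asks about. Likewise the backup set fails not because it lacks an off-site copy but because neither copy is beyond the reach of an attacker who controls the production network.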
Coverage restrictions
An important development in the transfer of cyber risk is that more and more insurers are sharply limiting the scope of coverage for damage caused by ransomware, a consequence of the high frequency of such incidents. Some insurers no longer offer any coverage at all for this attack tactic or type of malware. Others cap their payout at 50% of the sum insured or require the policyholder to bear part of the loss in such incidents. Occasionally, damage traced to critical vulnerabilities that were already public when the policy was taken out, such as the Microsoft Exchange Server vulnerabilities or Log4Shell, is also excluded from coverage.
Increase in insurance premiums
Cyber insurance premiums have undergone a correction in recent years in response to the ever-worsening threat and claims situation. When renewing a cyber policy, premium surcharges of 50-100% are common; after major claims, the premium may quadruple. In addition, some insurers have introduced minimum premiums to keep small but frequent claims on their books under control. Insurance companies have also announced strategy adjustments for cyber insurance in 2022, so a stabilization of the market does not appear to be within reach.
Author
Max Keller is Head of the Funk Risk Lab at Funk Insurance Brokers AG
> www.funk-gruppe.ch
A 10-point plan for managing a cyber emergency
A cyberattack is more likely today than ever before. Studies by the IT security vendor Sophos, such as "The State of Ransomware 2021", show that internationally 37 percent of the companies surveyed were hit by ransomware alone. While ransomware has probably caused the most devastating damage in recent years, it is far from the only type of malware that can cause serious problems for companies. A well-prepared, well-thought-out incident response plan that everyone involved in the organization can put into action immediately can significantly mitigate the consequences of a cyberattack. Accordingly, experts at Sophos Labs have drawn on their experience to develop the following 10-point plan for dealing with a cyber incident:
- Determine all parties involved and affected
- Identify critical resources
- Practice and rehearse emergency scenarios
- Deploy security tools
- Ensure maximum visibility across systems and network
- Implement access control
- Invest in analytics tools
- Define response measures for the cyber emergency
- Conduct awareness training
- Take advantage of managed security services
> Source: www.sophos.com