Businesses have been told they have to check the small print on their cyber insurance coverages as far too many still “pay lip service” to the risks and the policies they have to mitigate them.
Managed services provider Eacs has issued a stark warning to UK Plc that as the risk rises further up the agenda as the threat from the COVID-19 pandemic eases, companies now have to better scrutinise all and any corporate insurance and ensure the business is protected against future cyber-attacks.
It warned as many businesses face the prospects of huge increases in energy prices and running costs, the costs of business insurance, particularly cyber Insurance, has increased significantly.
“Historically many businesses have paid ‘lip-service’ to the content of their cyber insurance cover but following the pandemic and the subsequent changes to working practices, these risks have been brought sharply into focus and to the top of many boards risk log,” explained eacs.
In the past year, businesses have been victim to tens of thousands of cybersecurity incidents took place involving ransomware, supply chain attacks, and the exploitation of critical vulnerabilities. While it has been reported that the total number of attacks in December 2021 was down on the previous month, overall, 2021 saw an increase of 17% in the number of recorded breaches, according to the Identity Theft Research Centre (ITRC).
Eacs CEO Kevin Timms, said: “This is a huge leap in the number of incidents, but it is in our opinion underplaying the full picture as there has always been a lack of transparency around the disclosure of security incidents for commercial reasons. This – and the fact that according to IBM the average cost of a data breach has now reached over $4 million, businesses need to act and act fast.
“But it is not just simply looking at the security systems and protocols in place within the organisation. Firms need to pay close attention to cyber insurance itself and what it will actually cover you for and stay up to date. And the best place to start is renewing.”
The company added that all too often firms still opt for a cyber policy that is packaged within a broader business insurance policy.
“While these are clearly popular, they are often far from as comprehensive as a stand-alone policy and may not cover you should the worse happen,” it said. “Many insurance companies have changed the small print significantly, with more caveats and exclusions now in place. As a result, it is imperative that businesses check what is included, what is excluded and additional caveats and requirements have been put in place. Only then can they confirm that it meets the needs of the organisation.”
“Business email is very often the route into an organisation. It is an easy target, and criminals are much more targeted today than ever before. They are specifically looking to exploit email security vulnerabilities such as misconfigured sender policy framework (SPF), domain keys Identified Mail (DKIM), and domain message authentication reporting & conformance (DMARC) to enact phishing and email spoofing attacks, which they can use to deploy a ransomware attack. This means insurance must match the potential threat,” explained Timms. “With cyber insurance pay-outs now on the rise, and the insurers’ loss ratios worsening, it will come as no surprise to any CFO that the insurance industry is now taking steps to reduce its losses and limit the exposure to risk. And this will have several implications for risk management in turn.
“First and foremost, we are seeing a hardening of the market as businesses find it more difficult to not only source cover cheaply, but in many instances to obtain cover. This in turn is leading to two crucial trends, increased premiums and a greater focus on a business by their insurance provider to have robust cybersecurity measures and controls in place. “This is often highlighted at the last minute or included somewhere in the small-print.”
Timms continued: “But this is a fast-moving environment, and the nature of cyber threats means that while a business and its insurance provider focus on the ‘now’, the chances are the cyber criminals are one step ahead and that means an endless game of ‘whack a mole’ in which businesses build ever greater security barriers and insurance providers update policies to meet the needs of an ever-changing threat.”
“Businesses cannot afford to be slow to respond and we urge all stakeholders – from CFOs to CISOs to check your policies today and ensure they meet the needs of the business not last year, but this week and beyond. Look for any changes in cover limits, as well as any exclusions. According to research from Sophos one in four cyber insurance policies today exclude ransomware – which is one of the biggest cyber risks today.”