As cybersecurity insurance premiums soar, companies may be forced to play a game of Russian roulette, taking the chance that they won’t be hit by a cyberattack.
The stakes are high: approximately 236,1-million ransomware attacks occurred globally in the first half of 2022 alone. In 2023, it’s predicted that close to 33-billion accounts will be breached, costing the global economy $8-trillion.
In light of growing attacks, cyber insurance premiums have been increasing exponentially, making it difficult for companies to get the coverage they need. Globally, Q1 2022 saw cybersecurity insurance premiums rise by a massive 110% year on year. Q1 2023 saw an additional annual rise of 10%. An annual premium for coverage of $50-million could range anywhere from $100 000 to $500 000.
A slow-down of premium increases at the start of 2023 is good news for companies, but it also has a dark side: there will be more exclusions written into policies as underwriters get to grips with the risks in this fast-changing and complex environment. Recently, Lloyd’s of London created a stir when it suggested that 76 of its insurance syndicates remove “nation-state-backed cyberattacks” from insurance policies by March 2023.
The NotPetya attack in 2017 was a huge driver behind Lloyd’s decision to implement the exclusionary clauses. The malicious data encryption tool, inserted into a legitimate piece of software used by most of Ukraine’s financial and government institutions, spread via trusted networks rather than widely over the internet. It therefore bypassed the processes put in place to prevent ransomware attacks. Estimated losses experienced by commercial companies in the Ukraine network exceeded $10-billion.
Prevention has to be the key focus because mitigating the damage of attacks is almost impossible. To put this into perspective, NotPetya destroyed all end-user devices, including 49 000 laptops, as well as the print capability, of shipping and logistics giant Maersk. It also destroyed 1 000 of the company’s applications and 3 500 servers. The total cost of losses came in at $250-million.
In addition to the tangible costs of a major data breach or cyberattack, companies now need to consider the cost of regulatory fines, legal settlements, reputational damage, and business interruption.
Monica Oravcova, chief operating officer and co-founder of Naoris Protocol, says: “The NotPetya attack really highlighted the vulnerability of ‘trusted’ networks, where no-one is validating the validators and ensuring the trust level of the network itself. This is a clear case of ‘eyes wide shut’ by some large multinational enterprises who left this attack vector open. New generation technology, such as a decentralised cybersecurity mesh architecture, can prevent these kinds of attacks.
“This technology enforces trust across networks by turning all connected devices into validator nodes that check the security status of every other device in the network. Any detected anomalies or code manipulation will raise an alert within milliseconds, potentially preventing the attack.”
The average cost of a data breach is $4,2-million and, in the case of regulated industries, costs can be much higher. In finance and banking, the cost is estimated to be $210 per record with an average breach totalling 25 000 records; this translates into $10,725-million.
People are still the highest risk factor, with more than 90% of breaches facilitated by humans. Experts agree that by addressing the standard of cybersecurity awareness globally, breaches should come down and risk management should be easier to enforce.
Oravcova says: “Training must go beyond tick-box compliance motivated by regulatory and liability penalties; every member of staff needs to be able to recognise a malicious email. Many companies focus on technical improvement: ‘How can I make sure I have the best IT and detection systems in place?’ but they don’t address the fact that the weakest links are their employees.
“The pandemic brought this into sharp focus as devices left the security of ring-fenced networks. In essence, the servers left the building and every device became a single point of failure.”
She adds that solutions need to be created in close collaboration between insurance companies, enterprises and cybersecurity firms, each working in its respective area to stop cyberattacks.