Most business owners already know that cybersecurity is a serious issue to be dealt with. Cyber incidents, ranging from mild to devastating, have been in news headlines for quite some time. Furthermore, cybercriminals are getting more ambitious, targeting small businesses, large corporations, and even governmental institutions if they have the power.
Cyber attacks destroy small businesses that don't have sufficient resources to acquire expensive cybersecurity protection, causing 60% to close down within six months of a cyber attack. One way to mitigate the damages is to have a cybersecurity insurance policy.
This article gives an overview of two cybersecurity insurance policies to help you decide what's required for your enterprise's longevity. But before we go into specifics, we'll look at the current cyber-threat landscape.
Over the last few years, ransomware has risen as one of the deadliest cyber attacks against businesses. Ransomware gangs are extremely sophisticated groups of hackers, some outrageously operating on a RaaS (Ransomware as a Service) business model.
Other ransomware gangs are state-backed: many incidents have been linked to Russian ransomware groups, which safely assume they are exempt from the law in Russia as long as they target states they consider enemies.
Data leaks are also spreading with little resistance. Facebook, Yahoo, Marriott International, Microsoft, and Equifax have experienced massive data leaks over the last decade. In 2016 the European General Data Protection Regulation came into effect and set the laws for gathering and storing consumer data, with fines for businesses that fail to comply.
Two years later the California Consumer Privacy Act did the same in California, modeled after GDPR, and the California Privacy Rights Act became effective earlier this year, making California one of the global leaders in user online safety regulations. It's essential to know these laws if your business deals with EU or California user data.
Phishing is another serious threat that can have dire outcomes. Phishing scams target employees and CEOs depending on the attack type.
Usually, phishing is used to infect the device for further exploitation. For example, a user may receive a fraudulent email that pretends to come from a company's representative. The email has a PDF attachment, which, upon download, infects the device with ransomware, or with spyware to cause a data leak.
Currently, human error is the primary reason for data leaks and cyber security threats. It's highly advisable to carry out regular cybersecurity training that teaches employees how to identify phishing scams and covers safe online behavior, healthy password management, and incident response.
To better illustrate the scope of the situation, here are two examples.
In 2018 Marriott disclosed that their systems had been breached, leaking up to 500 million guest records, including credit card details and passport numbers. In 2014 the then-separate company Starwood experienced a cyber attack that went unnoticed.
In 2016 Marriott bought Starwood and incorporated it into their business model, including their digital infrastructure, providing cybercriminals access to their data until the illegal activity was identified two years later.
This example illustrates that cyber incidents can come from many places, and that influences cyber insurance policy choice. A more recent Marriott hack involved a person tricking a Marriott employee into giving access to their device, a technique called social engineering. Marriott was fined $23.8 million for the 2014-2018 data leaks.
On both occasions, an in-depth cybersecurity system with employee training could've prevented the attack.
In 2021 Ireland experienced the worst ransomware attack against the healthcare sector. The attack began in March with a batch of fraudulent emails with infected Microsoft Excel attachments. After the attachment was opened, attackers gained access to Ireland's Health Service Executive (HSE) system.
It took nearly two weeks for the HSE anti-virus to notice the threat, which was worsened by the fact that it ran in monitor mode and did not take immediate action. It took almost two more weeks for HSE to be informed, as Ireland's National Cyber Security Centre then had only 25 employees.
In the middle of May, ransomware was activated, paralyzing HSE. Doctors lost access to digital patient records, patients could not schedule appointments, and doctors could not use some diagnostic equipment. The HSE computer network was restored to 95% capacity nearly four months later.
This example illustrates the severity of contemporary ransomware attacks and is a lousy example of preparation. Many fraudulent attacks can be prevented by removing information from the internet. It's essential to take the proper measures so that you do not end up with enormous losses.
Ireland's example demonstrates the need for cybersecurity specialists on the spot. Cybersecurity experts outline that immediate response is one of the most important factors in mitigating damages.
However, with the current lack of CySec seniors, most businesses and governmental institutions cannot hire enough dedicated specialists to ensure safety. Cybersecurity insurance guarantees that an incident response manager is sent ASAP once the incident has been identified. Incident response specialists carry out these vital tasks:
Having such a professional on your side can be a game-changer. Businesses or governmental institutions that experience ransomware hits report an intense atmosphere of chaos and confusion during the first hours and days as computer systems go down, cutting communication and information access. Experienced cybersecurity specialists can immediately start issuing orders, resisting the overall chaos.
You should evaluate your business model before choosing a cyber insurance policy. Here are indicators that your business should be insured:
You should choose one of two cybersecurity insurance types depending on your business model.
First-party cyber liability insurance covers the losses you may have suffered due to a cyber attack or a data breach on your computer systems. It is essential if you don't do regular cybersecurity training, or if your business handles vast amounts of user data but is in no way related to cybersecurity or lacks advanced computer specialists. Here's what first-party coverage includes:
This is an excellent insurance type against ransomware attacks and data breaches. Regarding the former, insurance will help pay the ransom (which is inadvisable, as hackers tend to target such businesses repeatedly) or compensate for the revenue losses, minimizing closure risks. And informing customers whose data has been compromised during a data leak is essential to avoid significant reputational damages.
Third-party cyber liability insurance kicks in when a third party sues your business for a cyber incident that they have experienced and believe is your fault. It applies to companies that deal with software development, hardware manufacturing, or provide security solutions. Here's what third-party coverage includes:
This also applies to companies that collect and store user data. Users who have been negatively affected by a data breach and suffered damages because of it can launch a class action lawsuit, which is one of the worst nightmares for businesses. Class action lawsuits are usually lengthy and extraordinarily expensive and can quickly drain business resources if there's no insurance policy. Furthermore, initiatives like GDPR and CCPA protect user data, and additional fines can be issued under them.
It is always better to get ahead of the problem before anything bad happens. Unfortunately, there's no such thing as a 100% foolproof computer system. All businesses should assume they can get hacked at some point, regardless of size, model, or influence. Hackers are motivated by different reasons, and if you don't have any cyber protection, that beckons them to come in.
Building a robust cybersecurity system is a topic for another article. However, even the toughest protection can sometimes fail, especially if you draw the attention of serious cybercrime groups.
We hope this article illustrates how a cybersecurity insurance policy can safeguard your business and minimize the negative consequences. After experiencing a cyber attack, businesses report an immediate loss in revenue and damage to their reputation.
If there's no safety net and no reserve funds to soften the blow, two-thirds of small businesses close down. If you find any parts of this article applicable, we recommend contacting a reputable cybersecurity insurance enterprise to discuss steps to prevent unnecessary losses.