11 Aug 2022

Whack-A-Mole is no serious approach to cyber security

In the past year, thousands of cybersecurity incidents took place involving ransomware, supply chain attacks, and the exploitation of critical vulnerabilities.

Though it has been reported that the total number of attacks in December 2021 was down on the previous month, overall, 2021 saw an increase of 17% in the number of recorded breaches, according to the Identity Theft Research Centre (ITRC).

Many businesses face the prospect of huge increases in energy prices and running costs. On top of that, the cost of business insurance, particularly cyber insurance, has increased significantly. Historically, many businesses have paid lip service to the content of their cyber insurance cover, but following the pandemic and the subsequent changes to working practices, these risks have been brought sharply into focus and moved to the top of many boards' risk logs.

Managed services provider EACS has issued a stark warning that now is the time to check the small print in all and any corporate insurance and ensure the business is protected against future cyber-attacks.

Kevin Timms, CEO, EACS, stated: “This is a huge leap in the number of incidents, but it is in our opinion underplaying the full picture as there has always been a lack of transparency around the disclosure of security incidents for commercial reasons. This – and the fact that according to IBM the average cost of a data breach has now reached over $4m – means businesses need to act and act fast.

“But it is not just simply looking at the security systems and protocols in place within the organisation. Firms need to pay close attention to and stay up to date with cyber insurance and what it will actually cover you for. And the best place to start is renewing.”

All too often, firms still opt for a cyber policy that is packaged within a broader business insurance policy. While these are clearly popular, they are often far from as comprehensive as a stand-alone policy and may not cover you should the worst happen. Many insurance companies have changed the small print significantly, with more caveats and exclusions now in place. As a result, it is imperative that businesses check what is included, what is excluded, and what additional caveats and requirements have been put in place. Only then can they confirm that the policy meets the needs of the organisation.

“Business email is very often the route into an organisation. It is an easy target, and criminals are much more targeted today than ever before. They are specifically looking to exploit email security vulnerabilities such as misconfigured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to enact phishing and email spoofing attacks, which they can use to deploy a ransomware attack. This means insurance must match the potential threat,” continued Timms.

Cyber insurance is very often designed only to cover a business against the impact of a successful cyberattack. Depending on the cover, it may well include a mix of financial payments encompassing costs and support for IT forensics, legal, and even communications. But it is not a substitute for actual cybersecurity measures.

“With cyber insurance pay-outs now on the rise – and the insurers’ loss ratios worsening – it will come as no surprise to any CFO that the insurance industry is now taking steps to reduce its losses and limit the exposure to risk. And this will have several implications for risk management in turn.

“First and foremost, we are seeing a hardening of the market as businesses find it more difficult to not only source cover cheaply, but in many instances to obtain cover. This in turn is leading to two crucial trends – increased premiums and a greater focus on a business by their insurance provider to have robust cybersecurity measures and controls in place,” added Timms. “This is often highlighted at the last minute or included somewhere in the small print.”

“But this is a fast-moving environment, and the nature of cyber threats means that while a business and its insurance provider focus on the ‘now’, the chances are the cyber criminals are one step ahead and that means an endless game of ‘whack a mole’ in which businesses build ever greater security barriers and insurance providers update policies to meet the needs of an ever-changing threat.”

“Businesses cannot afford to be slow to respond and we urge all stakeholders – from CFOs to CISOs – to check your policies today and ensure they meet the needs of the business not last year, but this week and beyond. Look for any changes in cover limits, as well as any exclusions. According to research from Sophos, one in four cyber insurance policies today exclude ransomware – which is one of the biggest cyber risks today,” concluded Timms.

This could not have happened at a worse time for businesses. With the prospect of huge increases in utility charges coming in soon, they now face the prospect of an even bigger uplift in insurance costs. And if that wasn’t enough, to actually get the cover in place many business leaders will have to spend on additional technology to enable them to meet the caveats being put in place by the insurance industry. It is a triple whammy that will force many businesses to make some difficult decisions, a situation we could all do without as we continue on the path to some sort of normality.
