Business disruption that results from ransomware attacks is costly on many levels. Downtime, mitigation expenses and reputational costs can run anywhere from hundreds of thousands of dollars to shutting a business down for good. Recent statistics show that ransomware remains the most prominent malware threat to organizations. Malicious emails are up 600% since the start of the COVID-19 pandemic. According to GRC World Forums, the ransoms being asked are on the rise, with the average ransom fee requested being $570,000. This year, CNA Financial paid $40 million to criminal hackers who launched a ransomware attack against them in late March, setting a world record, and it is estimated that the average downtime to businesses hit by ransomware is 15-22 days. Even with cybersecurity insurance, can your organization stand to be down 21 days? So how can you reduce your business risk from a cybersecurity breach?
Cost of cybercrime
By 2025, Cybercrime Magazine estimates that cybercrime will cost companies worldwide an estimated $10.5 trillion annually, up from $3 trillion in 2015. That is a growth rate of 15% year over year! Cybercrime Magazine also reported that cybercrime represents the greatest transfer of economic wealth in history. What is especially alarming is that cyberattacks are becoming more frequent, complex and targeted toward small to medium-sized businesses.
According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% of businesses polled said they are prepared to defend themselves. With the most common kinds of attacks on small business being phishing, social engineering, compromised or stolen devices and theft of credentials, small to medium-sized organizations need to build cyber incident response and recovery into their business plans.
The business risk of cybersecurity incidents
According to the World Economic Forum, cyberattacks were the No. 5 rated risk in 2020 and have become the new norm across both the public and private sectors. It is expected the number of cyberattacks on organizations will double by 2025. This introduces a significant amount of business risk to organizations across all segments.
The pandemic has amplified cybersecurity risk significantly with the swift transition that had to be made from working within an organization’s controlled environment to working remotely from employees’ homes. The inability for organizations to exercise control over the networks their employees do business over has created a much greater attack surface for cybercriminals. Cybercrime, which includes everything from theft or embezzlement to data hacking and destruction, is up 600% due to the COVID-19 pandemic. Organizations need to address this risk within the scope of their business operations and adapt accordingly. Addressing cybersecurity risk is the same as addressing any other risk to an organization. Risk tolerance can be expressed by:
- Accepting – The risk does not have a big enough impact
- Mitigating – Implement controls to diminish the risk
- Avoiding – Do not engage in the activity that would cause the risk at all
- Transferring – Put the risk onto someone or something else, such as insurance.
Can cybersecurity insurance mitigate business risk?
Even with the most sophisticated controls, policies and procedures in place, many organizations still fall victim to cyberattacks. Acquiring cybersecurity insurance is an important element to a cybersecurity incident response and recovery plan. Many organizations think that by purchasing cybersecurity insurance, they do not need to worry about cyberattacks. This could not be further from the truth.
Cybersecurity insurance policies come in many different varieties. As with car insurance or homeowner’s insurance, one size does not fit all. There are many options that carriers offer to insureds when it comes to cybersecurity insurance, and it is important to understand what these options are, how they apply to the organization and what is covered. Some classifications of cybersecurity insurance include:
- First-Party Coverage – This is sometimes also referred to as “direct attack” coverage. It covers the victim organization from things such as data destruction, extortion, online theft, hacking and denial-of-service attacks.
- Third-Party Coverage – This kind of coverage focuses on attacks that occur through a third-party, usually within the supply chain. The SolarWinds attack is considered a third-party attack, where a manufacturer compromise caused many of its customers to be vulnerable to and fall victim to attack.
- Liability Coverage – This coverage includes errors of commission, errors of omission, data breaches, data theft and defamation or other related negative publicity.
Having one or all these coverages still does not mean the CEO can rest easy at night. An important factor in determining whether a claim is paid or denied is what the security ecosystem of the insured looks like. Some of the questions insurance companies will have in determining if they will cover an incident may include things like:
- What controls did the organization put in place to defend against attacks?
- What did the organization do to vet its supply chain for cyber maturity?
- How prepared was the organization for an attack?
- Did the organization have an incident response plan in place?
- Does the organization run regular tabletop exercises to practice their incident response plan?
- Does the organization have an employee cybersecurity education and awareness program?
Creating a comprehensive security plan means an organization needs to create layers of controls (both physical and cybersecurity related). In addition to the controls, they need to create incident response plans for cyberattacks, and if all else fails, they need to partner with an insurance carrier to determine which coverages will best support the organization’s needs for risk transference.
It’s not if, it’s when
Statistics show that no organization is 100% protected from cyber incidents. Once an organization comes to terms with this notion, they can take the steps needed to protect and prepare for attacks. Understanding the risks that are associated with a cyber event should provide organizations with a blueprint of how they will approach the risks. There should be elements of prevention, response and recovery in the approach to cybersecurity risk.
Creating a culture of security should be the goal of every organization. Bearing in mind that people are typically the weakest link in any security program, empowering employees to play an active role in the protection of the organization improves the odds of success. Weaving security into the culture of any organization adds a component of prevention.
Even the best of plans are not bulletproof. Preparing for an attack is just as important as building out a strong security program. Preparation for a cybersecurity incident is like preparing for any other disaster in that a plan needs to be created, the plan needs to be executed and the execution of that plan needs to be practiced. A comprehensive incident response plan that is well rehearsed will reduce the downtime experienced from an incident, thus saving on the overall cost of the incident. After each incident, a lessons-learned review should be used to identify ways that the incident could have been managed better, then respective changes made to the incident response plan.
Cybersecurity insurance coverage should be strongly considered as an organization plans the recovery from a cyber-related incident. Understanding what coverages are available, what the responsibilities are and that the process is to submit a claim should be a part of the recovery plan. Open communication and transparency with the carrier before an incident occurs will create a long-lasting partnership and improve the recovery from an incident significantly. Carriers can offer services beyond just coverage that may include breach coaching, ransomware negotiators and forensics services. So including representation from the carrier in an incident response simulation is essential.
This article was developed with support from Security Industry Association (SIA) Cybersecurity Advisory Board members Chuck Davis, founder of Caveat Labs, and Rachelle Loyear, vice president of innovation and integrated solutions at G4S.