Premiums are down, but cyberthreats and risk are always advancing
The cyber insurance market continues to stabilize, with pricing declining 1.5% in the third quarter of 2024, according to the Council of Insurance Agents & Brokers’ Commercial Property/Casualty Q3 2024 Market Survey. That said, insurance companies are being more selective in whom they insure and are requiring proof of substantial, advanced cyber protocols. While coverage may be available for those with subpar cybersecurity, terms and pricing reflect the increased risk the insurer perceives.
The greatest challenges facing companies on the cyber front are increasingly demanding regulatory requirements, the persistence and capabilities of cyber criminals, and vulnerabilities to vendor, partner, and supply chain cyber failures—even if your own cybersecurity is strong.
Business email compromise and ransomware account for 53% of cyber insurance claims exceeding $1,000 in the 2019-2023 period, according to the NetDiligence Cyber Claims Study 2024 Report, and insider malicious actions are a growing concern, according to the 2024 DTEX i3 Insider Risk Investigations Report. Making matters worse, follow-on attacks against already compromised companies are on the rise: while a victim is still investigating or recovering from one attack, another is launched. This article refers to that pattern as double extortion; note that the term originally described a single ransomware attack that both encrypts systems and threatens to leak the stolen data, and insurers may use it either way.
CURRENT THREAT LANDSCAPE
Perils in the cybersecurity realm are led by supply chain weaknesses, cyber fraud, and business email compromise, and ransomware remains the leading cause of insurance claims. Efforts by nation-state actors, international cybercrime rings, and malicious insiders are persistent, advanced, and growing.
Prime targets include utilities, financial organizations, logistics companies, and industrial control systems, but organizations in all sectors are experiencing attacks and cyber-system failures. Monetary gains, business or service interruption, and social, economic, or political chaos are typical motivations.
Supply chain risks
Supply chain risks associated with software and partner dependencies are key points of consideration for insurers that are asked to provide cyber insurance, and insurance companies expect organizations to know their vulnerabilities and address those through internal controls and contractual risk transfer with partners and vendors.
Even organizations that have high-quality internal cybersecurity measures are at risk of business interruption—sometimes severe—due to supplier, vendor, and downstream distributor disruptions resulting from cyberattacks or failures. Cyber diligence and cyberrisk mitigation are two practices all organizations should follow when contracting with a company for services or material inputs.
Partners should be assessed regarding their cybersecurity measures, and contracts should include risk transfer wording so a party that fails on the cyber front—whether in terms of security or systems performance—is held financially accountable for your resulting losses. Partner cyber liability insurance should be considered for inclusion in contracts, and contracts should be reviewed by an insurance professional for potential gaps.
A good example of such a vulnerability is URL rewriting, a protective measure in which an email security gateway replaces each link in an inbound message with a link through the vendor's own domain, so the destination can be checked at click time before the user is forwarded to it. Attackers now abuse the same mechanism: a malicious URL sent through an account that such a gateway protects comes back out wrapped in the vendor's trusted domain, so the rewritten link looks legitimate both to users and to other filters.
“Security tools from major vendors use URL rewriting to prevent phishing attacks, but the same technique can be abused to trick these tools into thinking a malicious link is legitimate,” said KnowBe4. Use of this tactic was on the rise in late 2024 and is expected to become more sophisticated, with attackers already employing double rewrite attacks, according to Perception Point.
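To make the abuse concrete, the following Python script unwraps rewritten links layer by layer and flags a double rewrite. It is an added example, not code from the article, KnowBe4, or Perception Point. The two wrapper formats it recognizes (a Safe Links-style `?url=` query parameter and a urldefense-v3-style `__target__;` path), the `REWRITE_HOSTS` list, and the sample links are simplified, constructed assumptions; real vendors' formats vary by product and version, so adjust the patterns to the gateways actually in front of your mail.

```python
"""Unwrap rewritten email links and flag double rewrites.

Added example, not from the article. The two wrapper formats, the host
list and the sample links are constructed assumptions; adjust them to the
gateways that actually protect your mail.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hosts treated as URL-rewriting services (assumption; extend for your stack).
REWRITE_HOSTS = {"safelinks.protection.outlook.com", "urldefense.com"}

# Style 2 wrapper: https://<rewrite-host>/v3/__<target>__;<signature>
V3_PATTERN = re.compile(r"^https?://[^/]+/v3/__(?P<target>.+?)__;")


def host_matches(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def unwrap_once(url):
    """Return the URL hidden inside one layer of rewriting, or None if not wrapped."""
    parts = urlparse(url)
    if not host_matches(parts.netloc, REWRITE_HOSTS):
        return None
    # Style 1: destination carried percent-encoded in a ?url= (or ?u=) parameter.
    # parse_qs already percent-decodes the value.
    query = parse_qs(parts.query)
    for key in ("url", "u"):
        if key in query:
            return query[key][0]
    # Style 2: destination embedded in the path between "__" and "__;".
    match = V3_PATTERN.match(url)
    return match.group("target") if match else None


def unwrap(url, max_layers=5):
    """Peel wrapping layers; returns the chain of hops, the last being the real destination."""
    hops = [url]
    while len(hops) <= max_layers:
        inner = unwrap_once(hops[-1])
        if inner is None:
            break
        hops.append(inner)
    return hops


def assess(url, trusted_domains):
    """Classify a link by how many times it was rewritten and where it finally lands."""
    hops = unwrap(url)
    layers = len(hops) - 1
    final_host = urlparse(hops[-1]).netloc
    if layers >= 2:
        # A gateway-wrapped link that was wrapped again: the pattern described in the text.
        verdict = "suspicious: double rewrite"
    elif layers == 1 and not host_matches(final_host, trusted_domains):
        verdict = "review: wrapped link to untrusted destination"
    else:
        verdict = "ok"
    return {"layers": layers, "destination": hops[-1], "verdict": verdict}


# Constructed sample links (not taken from any real campaign).
TRUSTED = {"corp.example"}
SINGLE_WRAP = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fintranet.corp.example%2Fpolicy&data=05%7C01%7Cx"
)
DOUBLE_WRAP = (
    "https://nam02.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Furldefense.com%2Fv3%2F__https%3A%2F%2Fevil.example%2Flogin__%3B!!AbC123%24"
)
PLAIN = "https://evil.example/login"

if __name__ == "__main__":
    for link in (SINGLE_WRAP, DOUBLE_WRAP, PLAIN):
        print(assess(link, TRUSTED))
```

The point of peeling layers rather than stopping at the first vendor domain is that the outer wrapper belongs to a vendor you trust; only the inner hop reveals that a second gateway (and ultimately an untrusted host) sits behind it. Treat any link with two or more layers, or a single layer landing outside your known domains, as a candidate for detonation or manual review rather than trusting the vendor branding.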
Cyberrisk language in contracts can include specific protocols for disclosure, even within a day of discovery. Breach notification and response also can be negotiated within these agreements if the vendor will have access to data or systems.
Access controls should be stringent, follow the principle of least privilege, and be monitored so your data and control systems expose as little as possible to a compromised partner account.
You should evaluate not only upstream partners (those providing services or materials to your organization) but also downstream partners who interface to receive or distribute your product. A cyber incident downstream can paralyze your business, as is seen in attacks on shippers and logistics suppliers.
Cyber fraud
With the rise of artificial intelligence (AI), many organizations are more concerned than ever about cyber fraud, and for good reason. AI can generate audio, video, and still images called “deepfakes,” which may depict real individuals so convincingly that the victim is fooled into complying with demands or requests that open the door to cyber criminals. The best defense is verification through a channel the requester did not supply: an email to the known address of the person being represented, a text or call to that person’s known phone number, or a similar check with someone else in the chain of authority to confirm the instructions or obtain permission to fulfill the request. Protocols should be set up and employees trained on these verification methods.
“In addition to traditional phishing tactics, malicious actors increasingly employ AI-powered voice and video cloning techniques to impersonate trusted individuals, such as family members, co-workers, or business partners. By manipulating and creating audio and visual content with unprecedented realism, these adversaries seek to deceive unsuspecting victims into divulging sensitive information or authorizing fraudulent transactions,” the Federal Bureau of Investigation’s San Francisco office said in a May 2024 alert.
Business email compromise
Business email compromise (BEC) remains one of the primary ways threat actors infiltrate cyber systems, outpacing malware attacks, according to Deloitte’s Annual Cyber Threat Trends report (Global Cyber Threat Intelligence, March 28, 2024). BEC is especially problematic because it lets an impostor send messages from, or hijack conversations already under way in, the legitimate point of contact’s email account, so the usual sender checks pass.
AI enhances the effectiveness of BEC compromises by mimicking speaking and spelling styles and can make phishing attempts more believable.
Malicious insiders
Insiders can be employees currently working at an organization or recently released or departed from an organization. They have access to—or knowledge of how to access—proprietary systems. That access can be, and is, used to infiltrate or exfiltrate data or to harm systems. Some actors are paid by outside parties who want the information or avenues into systems; some are simply malicious themselves and want to harm the organization. Either way, they represent a substantial and growing risk.
Intellectual property theft constitutes the biggest portion of insider incidents at 43%, according to the DTEX i3 Insider Risk Investigations Report 2024, followed by 24% involving unauthorized or accidental disclosure of information, 17% involving sabotage, 9% for fraud, and 7% for other events.
Some behaviors to watch out for, according to the DTEX report, include file renaming, attempts to access privileged data, researching how to circumvent security controls, concealing the source of their internet connection (VPNs, mobile hotspots), using encrypted email accounts, and snooping into people associated with special proprietary knowledge.
Not all cyber insurance policies cover insider actions, as they may be considered a form of employee crime. It is crucial to address this issue with your insurance broker to see if losses from insider cyberthreats can be insured.
REGULATORY ENVIRONMENT
Recent regulatory changes highlight the importance of compliance for businesses seeking cyber insurance coverage. Cyber insurance typically pays for defense costs and liability in the event of a privacy claim. It can also cover expenses incurred in regulatory proceedings, including fines and penalties to the extent those are insurable under the applicable law.
The rise in privacy litigation, combined with varying data protection regulations regularly proposed and enacted across U.S. states and international jurisdictions, adds to the complexity of compliance. Stricter EU operational-resilience and cybersecurity laws, such as the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2), underscore the focus on resilience and proactive compliance, including short incident-reporting deadlines.
Keeping abreast of European law, such as the EU’s AI Act, whose obligations are phasing in, as well as individual U.S. state laws is an imperative for organizations that want to avoid enforcement penalties.
The International Association of Privacy Professionals Inc. and similar organizations offer state privacy legislation trackers, which can be helpful in managing cyberrisk.
Smaller firms may have difficulty in keeping up with regulatory requirements and breach reporting timelines. Organizations without the resources to fund a robust cybersecurity program may find they are offered lower levels of coverage than those that have stronger cybersecurity. In many cases, basics such as multifactor authentication for access to cyber systems are prerequisites for coverage.
CLAIMS TRENDS
Though ransomware dominates in frequency of claims, affecting 66% of organizations in 2023, there has been a notable decline in ransom payments globally, according to the Deloitte report. However, excluding any ransom paid, the average cost of recovering from a ransomware attack rose to $2.73 million in 2024, according to Sophos, an increase of nearly $1 million over the previous year. Fewer companies are paying ransoms, but those that are hit are spending far more on recovery. A careful review of policy limits is needed to ensure companies can respond properly to an attack and avoid exhausting limits in a single incident.
For small and midsize enterprises (SMEs), the news has been mixed, with a rise in incident costs for business email compromise claims but a drop in losses associated with generalized hacking, according to the NetDiligence report. Healthcare SMEs have seen a decrease in average incident costs, wire fraud losses continue to decline, and SMEs in the manufacturing sector saw 2023 losses at a five-year low, NetDiligence says.
Supply chain-related claims have risen, with significant financial losses stemming from vendor-related incidents. The issue of double extortion (as used here, a ransomware attack followed by additional attacks during the recovery phase) has complicated the claims process, often leading to disputes regarding deductibles and coverage limits.
Financial services cyber claims costs are up sharply, NetDiligence reports, and supply chain claims are on the increase, notably vendor-related loss costs, such as those caused by the CDK Global shutdown and the CrowdStrike software-update debacle. As Resilience put it in its Midyear 2024 Cyber Risk Report, “No matter how effectively a company defends its own digital environment, businesses are interconnected and interdependent on the cyber resilience of others.”
There are a few additional hitches in the claims environment worth noting. One is the double extortion issue, which, as in the CDK Global example above, consists of a ransomware attack followed by another while the first is still being investigated or recovered from. The question arises whether it is a single, ongoing event or two separate attacks with two separate deductibles and limits. The dispute can delay payouts and ultimately lead to litigation between the policyholder and the insurance company.
In fraud cases where an insider is involved in illicit transfer of funds, the question arises if the claim falls under a cyber policy or a crime policy. It may be possible to leverage both for maximum coverage.
It’s important to note that cyber insurance coverage generally is not contingent upon identifying the perpetrators behind an attack. Moreover, unless a contract or a statutory reporting deadline (such as state breach-notification laws or sector-specific federal rules) requires earlier disclosure, wider sharing of information about a cyber incident may be delayed until the situation has been contained, fully understood, and resolved. Those statutory deadlines apply regardless of the insurance claim, so your incident response plan should track them separately.
MANAGING CYBERRISK AND RESPONSE
The most effective strategies for improving resilience are implementing strong cybersecurity protocols, careful planning and practice of an incident response plan for business continuity, and securing adequate cyber insurance tailored to specific risk exposures.
Of all types of attacks, breaches involving stolen or compromised credentials took the longest to identify and contain, at 292 days, according to the IBM Cost of a Data Breach Report 2024. Strong authentication protocols, above all multifactor authentication, together with password standards and employee education are keys to creating a strong security culture. Note that password standards should emphasize minimum length and screening against known-breached passwords; mandatory periodic changes such as every 90 days, once a common insurer checklist item, are no longer recommended by NIST SP 800-63B, which favors changing passwords only when there is evidence of compromise.
Having a cyber-incident response plan is one of the best things you can do. It forces your company to assess your strengths and weaknesses and allows you to know and defend against your vulnerabilities. All of these play well with insurers as they determine how much insurance to offer your company—or if they will insure you at all.
Tabletop exercises or simulations of cyber breaches or other incidents can prepare your organization to respond coherently and quickly to an event. They are widely emphasized in insurer evaluations of cybersecurity risks.
Along with a cyber incident response plan, your company should have a business continuity plan so you can continue operating even as you respond to a hack or other event.
Many cyber insurance providers now offer cybersecurity support, so take advantage of legal, forensic, negotiation, and risk avoidance resources. Remember that cybersecurity is a cost of doing business just the same as the physical security of your premises.
ON THE HORIZON
Artificial intelligence stands out as both a major threat and a defensive tool. Cyber criminals use AI to facilitate sophisticated attacks, while cybersecurity professionals leverage it for better defense and threat detection. AI-driven monitoring tools can shorten incident detection and response times, but companies must reassess their AI usage policies to balance efficiency gains against new exposures, such as sensitive data entered into external AI services or decisions taken on unverified AI output.
Also tops on business leaders’ radars are vulnerabilities associated with partners, vendors, and managed service providers (MSPs). Weaknesses at these organizations have caused major cyber-related losses resulting from software failures, system shutdowns, system infiltration, and data exfiltration. Having tightly worded contracts that assign reporting and financial-loss liability is crucial to your protection. And performing assessments on those parties’ cybersecurity is essential to your response and sustainability plans.
Cyberrisk, related to both criminal activity and system performance, is constantly evolving, so you must stay on top of threats, regulations, and internal systems to avoid costly losses, all while maintaining the basic controls: multifactor authentication for account access, software updates and patches, and training and testing for employees. Plan to protect and recover so your business is resilient in the face of advanced, persistent cyberattacks.
Having the advice of an IOA professional who specializes in cyber insurance will help you navigate the complex world of cyberrisk management and insurance.