Cyber insurance. A changing of the guard.
It comes as no surprise that the threat of cyberattacks on Australian businesses is increasing year on year. Cybercriminals are teaming up and borrowing from each other's playbooks, determined to penetrate security defences and outsmart cybersecurity strategies. Unfortunately, their efforts are paying off.
In 2021, 80% of Australian organisations were hit by cyberattacks, according to Sophos' State of Ransomware report. This is a considerable increase from the 45% that reported an attack in 2020, and a concerning figure by comparison globally, where an average of 66% of respondents experienced a ransomware attack.
Our research also revealed attacks on Australian organisations cost an average of USD$1.01 million in 2021. This is leading to insurance companies changing their cybersecurity policies, making it harder for businesses to qualify for insurance.
Changes in cyber insurance requirements are driving improvements to cyber defences
Up until recently, some organisations were using cybersecurity insurance as their plan A and taking an "if we get hit, we're covered" approach to cybersecurity; however, changes to cyber insurance policies mean this complacency must end. With the recent increase in ransomware attacks and subsequent payouts, fewer insurance companies are offering cyber insurance and, as a result of the growing risk and fewer suppliers, the cost of cyber insurance premiums has skyrocketed.
On a more positive note, insurance companies are requiring policy holders to prove they have adequate levels of cybersecurity controls in place to qualify for cover.
To obtain cyber insurance, organisations need to take a more mature approach to their security strategies by prioritising improving their cyber defences first, before investing in cyber insurance. This means cyber insurance should form part of an organisation's security strategy, rather than being the entire strategy.
What's next?
Replacing complacency with proactive security measures means businesses have a more robust cybersecurity strategy. Rather than relying solely on a pay out from insurers, organisations will instead be protected, lowering the chance of disruptions to workflows, and getting back up and running quicker if an attack occurs.
Insurance can cover an organisation for more than just ransom remediation costs. It can also help a company respond to attacks by fighting back, covering the costs of rapid response activities such as neutralising current attacks and thwarting any retaliation attacks. This can not only save organisations time and money, but also prevent attackers from double-dipping.
In saying this, similar to how insurance companies won't pay out on a home insurance claim if the house wasn't properly secured, cyber insurers will not cover the costs of organisations that have insufficient cybersecurity protection in place.
It is also vital that organisations read the fine print of their policies, including what they're covered against and what they're not. This is important to avoid complications, and even legal battles, in the wake of ransomware attacks. Recently, automotive services provider Inchcape Australia lost a court battle against their insurer regarding the language used in their cover, and the meaning of the phrase "direct financial loss".
The judge ruled against the victim, explaining that their insurer should not be liable for indirect or resulting financial loss in the wake of an attack, including clean-up and recovery costs such as forensics, incident response and replacement hardware. This reflects the importance of utilising cyber insurance as part of a wider cyber resilience strategy, rather than trusting it as a fix-all solution.
Before considering an investment into cyber insurance, businesses should be implementing basic security controls to maintain a solid front line defence, as well as more advanced solutions to help combat and respond to more sophisticated threats.
Controls that organisations should consider range from simple protections like multi-factor authentication (MFA), which adds an extra layer of authentication when logging in, to Managed Threat Response, which is backed by an elite team of threat hunters and response experts who take targeted actions on an organisation's behalf, helping to neutralise more advanced threats.
Final thought
While Sophos does not encourage organisations to pay ransoms, businesses will occasionally be faced with critical situations where paying the ransom is the only way out. In this case, organisations should remember they can negotiate with their attackers before handing over every last cent in their savings account or crypto wallet.
In 2021, cyber insurance paid out on 98% of ransomware claims, while 78% reported the insurance paid the costs to get them up and running again. Now more than ever, cyber insurance is a worthwhile investment as part of a wider cyber security strategy.
It's clear that whether an organisation is looking to acquire insurance cover or not, optimising cybersecurity is a must.
To learn more about how to improve your organisation's cybersecurity, visit the Sophos website.