Business security
Cyber insurance is not only a safety net, but can also be a catalyst for advancing security practices and standards
August 8, 2024
If there was ever any doubt about the relationship between cybersecurity and the cyber insurance industry, Black Hat USA 2024 has dispelled it. A full afternoon on a main stage was dedicated to the cyber insurance industry, allowing them to share their perspectives on cybersecurity, the evolving threat landscape and what it means for organizational cybersecurity.
What the future holds for business cybersecurity, according to cyber insurers
The cyber risk insurance ecosystem is changing, moving from human-based underwriting and annual policies, with dozens of inputs and physical forms, to machine-enhanced, continuous monitoring of countless inputs, all in the digital world. It's digital transformation on steroids.
The presentations included various statistics and trends: after all, this is an industry that lives on data and figures to calculate risks. A presenter from Coalition, a specialist cyber insurer, claimed that they have helped insured policyholders resolve 74,000 vulnerabilities, resulting in a 64% reduction in claims.
Considering that the time to exploit a vulnerability once the proof-of-concept is made public (or even if a patch is available) may be only 22 minutes, reducing the risk of vulnerabilities is a significant win. This short time frame makes testing a patch prior to deployment virtually impossible.
The conclusion from this statistic is that the cyber insurer is making itself an observer of potential vulnerabilities for customers; however, because the insurer has in-depth knowledge of what companies do thanks to the insurance questionnaire and scans, it is not so shocking that they are moving into this specific area.
A Tokio Marine presenter explained that the cyber insurance market was stagnant in 2023, with approximately $9.5 billion in premiums in both 2022 and 2023. A flat market could result from the transformation mentioned above. When applying for a policy, there is a significant amount of information about cybersecurity that companies must share with the insurer. This could even be a barrier to entry.
The pre-underwriting questionnaires and scans give the insurer unique insights into the basics of a company's cybersecurity policy, as does any claim, since the insurer already knows all the security solutions in play. This mass of data about cyberattacks gives the insurance industry a unique data set: it can identify the problem areas and the exact details of the access method if a cybercriminal has breached the protection measures.
According to the presentations, the initial attack vectors have changed over the past year: phishing remains the biggest problem, but in 2024 attacks that use Remote Desktop Protocol (RDP) and attacks on virtual private networks (VPNs) without multi-factor authentication (MFA) enabled have switched places (RDP attacks sink to position 3).
The importance of MFA was a clear message in all insurance-related presentations. In 2021, 70% of companies had not implemented MFA; in 2023 and 2024 the figure is approximately 45%. This is an easy win: if you haven't enabled MFA yet, make it a priority.
The question ‘to pay or not to pay’
Another interesting data point is a small decline in the number of companies paying an extortion demand when attacked by ransomware, falling to 34.4% in 2023 and further to 26.5% in 2024. This is actually at odds with the data that Coalition released in 2024 in its recent white paper, where it reports that the number of those who pay an extortion demand is 40%. Either way, the number of companies paying the demands is too high. Payments should only be a last resort, and it is inconceivable that even 26.5% would choose this last resort.
I'm sure money talks and companies pay ransomware demands because it's the easier option, and if this is a purely financial decision I can understand the logic of paying, but it's not that simple, and those who don't pay should take pride in their moral and ethical standards.