Cyber insurance is now becoming more widely adopted, with 43% of businesses holding a policy, and premiums have fallen for the first time this year: the Global Insurance Market Index shows a decline of 6% over the last three quarters of 2024. This is due in part to the market maturing and providers becoming more accurate at assessing risk. Ransomware, supply chain attacks, business email compromise, data breaches, human factors and skills shortages were all seen as the key risks this year, with AI and geopolitics set to join the list as insurers seek to align policies with risk.
But the sector is also becoming more prescriptive over what is covered. Around a fifth of insurers elected to remove ransomware protection altogether in 2023, while others have chosen to cap payments. What’s more, some of these attacks could be classed as cyber warfare if they are deemed to have been carried out by, or sanctioned by, a nation state actor. In fact, Lloyd’s of London issued a statement to this effect last year, stating that certain policies should include a clause excluding liability for losses arising from any state-backed cyber attack. For this reason, it’s imperative that businesses read the terms and conditions of their policy and pay attention to any changes, which insurers typically make on an annual basis.
Reading the fine print
Unfortunately, many businesses are not familiar with the cover they are afforded. A survey conducted by Apricorn of IT security decision makers in mid-2024 found that 7% of those questioned were unsure whether their policy covers them adequately in the event of a cyber breach. Others found they were unable to make a claim, with 8% proving unsuccessful in claiming financial assistance from their insurer. However, they were all too aware of what they wished to guard against, with 31% naming ransomware as a top concern when seeking cover, followed by phishing and supply chain attacks.
Insurers are also becoming more exacting in their requirements when it comes to the security measures that the business should adopt to meet policy requirements.
They’ll often want to see how the business plans to protect its data, through the use of encryption, access controls and secure storage, for example, as well as its incident response plan, which should include provisions for recovery so that the business can resume operations.
Key to this ability to recover is the backup strategy, yet surprisingly few have a multi-layered backup plan that is tried and tested. Ideally, the business should follow the 3-2-1 rule: keep at least three copies of the data, stored on at least two different media, with at least one copy held offsite. One copy of the data should also be offline, for example on an encrypted removable hard drive that can be disconnected from the network. The strategy should be tested on a regular basis to confirm that the data can actually be retrieved.
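The 3-2-1 rule and the restore test described above can be turned into a small drill that runs on a schedule. The following Python script is an added example written for this page, not code from the article or from Apricorn: it records a SHA-256 manifest of a source tree at backup time, verifies a restored copy file by file against that manifest (catching both missing and silently altered files), and checks an inventory of backup copies against the 3-2-1 criteria. The file names, the sample inventory and the "media" labels are all constructed for the demonstration.

```python
"""
Added example (not from the original article): a restore-test harness for the
3-2-1 backup rule. Builds a SHA-256 manifest of a source tree, copies the tree,
then verifies a restored copy against the manifest. Also checks a constructed
inventory of backup copies for >=3 copies, >=2 media, >=1 offsite, >=1 offline.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time."""
    missing, mismatched = [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched,
            "missing": missing, "mismatched": mismatched}


def check_three_two_one(copies: list) -> list:
    """Return the 3-2-1 criteria that a set of backup copies fails to meet."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("fewer than two distinct media")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["offline"] for c in copies):
        findings.append("no offline copy")
    return findings


# Constructed inventory: a NAS, a cloud bucket and an encrypted USB drive kept offline.
SAMPLE_COPIES = [
    {"label": "primary", "medium": "nas", "offsite": False, "offline": False},
    {"label": "cloud", "medium": "object-storage", "offsite": True, "offline": False},
    {"label": "usb", "medium": "encrypted-hdd", "offsite": True, "offline": True},
]


def run_restore_test() -> dict:
    """End-to-end drill on constructed data: back up, damage the restore, verify."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "source"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "policy.txt").write_text("cyber insurance policy terms\n")
        (src / "ledger.csv").write_text("id,amount\n1,100\n")

        manifest = build_manifest(src)
        backup = work / "backup"
        shutil.copytree(src, backup)
        clean = verify_restore(manifest, backup)

        # Simulate a bad restore: one file silently altered, one file lost.
        (backup / "ledger.csv").write_text("id,amount\n1,999\n")
        (backup / "docs" / "policy.txt").unlink()
        damaged = verify_restore(manifest, backup)
        return {"clean": clean, "damaged": damaged, "files": len(manifest)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_restore_test())
    print("3-2-1 findings:", check_three_two_one(SAMPLE_COPIES) or "none")
```

In practice the manifest would be written alongside the backup set (and a copy kept with the offline medium), and the verification step would be run against a restore into a scratch location rather than against the live backup, so that the drill proves the full retrieval path and not just that the files still exist.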
Too many are unable to recover data
The Apricorn survey found that half of those questioned had to resort to recovering data from backups over the past year. Of these, a third (33%) were either unable to do so or could only partially recover their data, illustrating that weak backup processes remain. This is in spite of the fact that almost half (46%) consider robust backup policies to be the most important factor when it comes to compliance with cyber insurance policies, up from 28% in 2023.
Other key considerations cited by respondents when it comes to meeting insurance demands were password hygiene (41%) and employee training and awareness (43%). These efforts, combined with encrypted storage (both at rest, 35%, and on the move, 39%), regular patch updates (35%) and access controls (36%), were all regarded as essential components of a robust cyber defence strategy.
What the survey reveals, therefore, is that businesses are aware of what measures they need to have in place, but they’re not always rigorously testing those processes. The tide is turning with the implementation of more robust backup practices, but it’s doing so at too slow a pace. There has been a significant increase in automated backups, for instance, indicating a move away from manual backups, with which users can either forget to save data or make mistakes in doing so. Automated backup to both central and personal repositories has surged to 30%, up from 19% in 2023.
Attacks against backups are on the increase
However, threat actors have been quick to exploit this reliance on backup repositories. The 2024 Ransomware Trends report found that 96% of ransomware attacks are now aimed at these repositories. This makes it even more critical that companies don’t rely solely on these online locations but also hold air-gapped or offline backups of their data.
Looking to the future, it’s imperative that the cyber insurance sector and its business clientele collaborate more closely if premiums are to reflect and protect against threats accurately and at a sustainable price point. On the insurance side, we need more transparent policies with clear wording that address current and emerging threats; on the enterprise side, we need organisations not just to pay lip service to policy requirements but to actively test their processes and add contingency storage.
Cyber insurance should never be a substitute for risk assessment but should instead be seen as a means of guarding against residual risk once measures have been enacted. Any breach will still result in considerable cost and expense caused by loss of business and reputation, recovery efforts and reporting, so reducing the likelihood of it happening is in everyone’s interests.