At the turn of the century, cyber insurance was a “niche” market for the banking and tech industries, typically sold as a rider attached to more traditional E&O or D&O policies. Not anymore. As the practice of cybercrime has professionalized, the threat has not only increased but also spread to target organizations of all sizes, from all industries. As a result, the cyber insurance market has exploded from a $1 billion market in 2013 to a $16 billion market today. By some estimates, it may approach $85 billion in the 2030s.
How has cybercrime changed, and what is causing companies from Main Street to the Fortune 500 to explore cyber insurance? In today’s blog, we’ll explain the threat and five takeaways—and tips—that will help you take proper action.
The expanding threat of cybercrime
Over the last 20 years, cybercrime has both grown and evolved. Starting with data breaches, cybercriminals then branched out to ransomware and business email compromise. Moving beyond the “lone hacker in a hoodie” concept, today’s assailants have formed specialized organizations similar in structure to the companies and industries they attack. Although hackers can be found all over the world, many of the most sophisticated syndicates operate in “safe-harbor” countries where authorities might look the other way or even actively encourage some forms of cybercrime. Ironically, hackers have become experts in leveraging the same tools businesses have developed to protect themselves—namely digitization, automation, and specialization within cybercrime supply chains. For example, a company that set out to protect its data from hackers may instead find the hackers holding that data: locking systems, encrypting files, and threatening to leak the data in order to extort the company, its clients, or its business leaders.
Five takeaways for business leaders
1. Cybercrime is no longer merely a “work” problem.
Blurring the public/private divide, cybercrime can follow us home with devastating effects on our personal lives. “Most people know somebody who has had a cyber incident,” says Patrick Thielen, global head of cyber at Liberty Mutual Insurance. “Whether it’s identity theft or a ransomware incident, they’ve been personally impacted by cyber risk.”
TIP: As cybercrime can now happen anywhere, protection must be equally comprehensive—being at home is no excuse to drop your guard. Use strong internet security software and a password manager, turn on multi-factor authentication, keep your software updated, keep your critical data backed up offline, and check your social media privacy settings. Periodically monitor your credit and, better yet, freeze your and your children’s credit with all relevant credit bureaus. Another option is to use a Virtual Private Network (VPN) to encrypt the traffic between your device and the VPN provider. Lastly, don’t store compromising digital content that could be used against you as extortion fodder. All of these things can be done by anyone for very low or no cost.
2. Companies have to meet complex data-privacy regulations.
In addition to the threats themselves, companies now have to comply with a series of regulations designed to combat cybercrime, including the EU’s General Data Protection Regulation and the California Consumer Privacy Act. Instead of a one-off reaction to a data breach, these laws require constant attention to how companies collect, store, use, manage, share, and destroy their own and third-party data. As opposed to the reactive posture of the past, these legal requirements are forcing firms to be more proactive about monitoring and managing cyber risk.
TIP: It’s important for companies of any size to maintain a sound data inventory, including detailed information about what you’re collecting, how it’s used, where it’s stored, and who’s responsible. Make sure to train your staff thoroughly and, if necessary, hire or assign a data protection officer. And don’t forget to have data processing agreements in place with all third parties with whom you do business.
3. Protection is not just about technology, but about training.
Although technology is a key piece of the puzzle, it is not sufficient on its own. “An even more important way of thinking about cyber risk is around an organization’s cyber philosophy,” says Thielen.
TIP: For Thielen, a robust cyber philosophy includes four elements: philosophy/culture, business resilience, technical cyber security, and partnerships. Check for any operational redundancies in your organizational chart and engage with your board to make sure cyber resiliency is adequately funded. It is important for leadership to understand that respecting cyber-risk management is a critical source of value—and to reinforce this message.
4. Beware of human error.
The most advanced protection systems in the world can do little against a lone individual who falls for phishing, vishing, smishing, social engineering, and other scams. Ultimately, all it takes is one employee to let their guard down. Indeed, according to the World Economic Forum, 95% of data breaches occur as a result of human error.
TIP: Training begins with communication and education, including regular check-ins and in-person or online compliance courses. In addition to training, companies need to prepare for all eventualities by conducting tabletop drills and tasking chief information security officers (CISOs) to war-game loss-prevention strategies. Assuming that an intrusion has already occurred is often the first step toward a well-segmented network architecture and, potentially, zero-trust safeguards within the network.
5. Cybersecurity can also be a form of legal defense.
If an attack does occur, documented cybersecurity practices can be a key argument against any charge of negligence. “If you deployed the same best practices as your peers in the industry, that could meet the threshold of reasonableness from a risk management perspective,” Thielen notes.
TIP: Carefully document all of the actions taken to protect your company’s cybersecurity, including technology deployed, training sessions, board meetings, and actions undertaken by your data protection and security officers. The time invested will pay off in the unfortunate case of a breach and subsequent legal or regulatory action.
Confronting an ever-changing risk with insurance
Cybercrime is a many-headed hydra, changing and mutating, constantly searching for new ways to attack and deceive. And that’s where the benefit of an experienced partner comes in. “At Liberty Mutual, we’ve been writing this business for over 15 years,” says Thielen. “So we understand these kinds of loss events and what kind of protocols make sense. While the specifics of the technology may change, the themes and protocols can remain remarkably similar.”
Thielen recognizes that organizations can get spooked when talking about cyber risks because of the high stakes involved. “But I think they take a lot of comfort in talking to us because we can help them proactively plan and train,” he says. “We know where small changes can make the biggest impact, and we know what to do in the event of a loss—because we’ve probably seen similar incidents in the past.”
This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstance. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.