By Roger Francis
In our complex and connected digital age, cybercrime has become the fastest-growing form of criminal activity. The scale of cyberattacks has grown to such an extent that it’s no longer a case of if an organisation will be compromised, but when.
Malware outbreaks such as WannaCry and NotPetya, which occurred in 2017, served as wake-up calls to many businesses as to the value cyber insurance can provide in recovering from a cyber incident. However, uptake is still relatively low compared with other commercial insurance products.
In its early years cyber insurance was perhaps more of a hedge against possible litigation resulting from a cyber incident, but since then it has evolved to become an essential component of a mature organisational incident response plan. Providing access to additional technical incident response capability and capacity when needed most has become vital, as has utilising a whole host of proactive risk reduction tools that run the gamut from security training and education to templated Incident Response Plans and Dark Web monitoring.
As cyber insurance gains traction, so does the frequency of cyber claims. A recent report issued by an insurance broker, Marsh, stated that individual insurers reported a huge surge in claims in 2018. As one example, our team at CFC handled over 1,000 cyber claims in 2018, and we expect this to increase by another 5% this year.
The rise in claims is an indication that cyber policy wording is getting closer to the mark – though to be honest, when a business purchases a cyber insurance policy, they’re really buying the claims service behind it, not the paper it is written on. While this is true of any insurance policy, it is even more critical when it comes to cyber, where incident response, technical expertise, and real-world cyber claims handling experience can make the difference between a business suffering a catastrophic loss and getting back online quickly.
Despite the many security tools available to businesses to improve cyber maturity and the work of organisations like the Global Cyber Alliance, the inescapable truth is that the vast majority of cyber incidents involve some kind of human error or oversight.
This is in part due to the fact that theft of funds, ransomware, extortion, and non-malicious data breaches usually involve the exploitation of the human element in any given business process, whether it be a victim falling for advanced social engineering and clicking on a phishing link, or failing to follow up on a wire transfer request with a phone call.
In each of these cases it would be easy to blame employees, touting a lapse in security awareness as the deficiency, but in reality, this is an oversimplification of the facts. By our very human nature we derive trust from our daily interactions, and in this digital age this interaction encompasses the computers and systems we use to carry out our daily activities.
Our natural instincts to trust can lead even the most well-informed and well-trained of us to click, download, install, open, and wire money to far-flung parts of the world, without pausing to consider the source of the request.
Cyber criminals prey upon this tacit trust and have become experts at digital manipulation, adapting traditional fraud techniques to be delivered at scale, using a range of techniques, from simple lures designed to convince victims to open a malicious document attachment, to more elaborate tactics, techniques, and procedures.
The good news is that cyber insurance continues to adapt in response to insureds’ needs and remains a critical component in tackling and remediating the impact of cybercrime.