From Naoris Protoco: Will companies be forced to play Russian Roulette with insurance premiums?
Will companies be forced to play Russian Roulette with insurance premiums?
As cybersecurity insurance premiums soar, companies may be forced to play a game of Russian Roulette, taking the chance that they won’t be hit by a cyberattack. The stakes are high, approximately 236.1 million ransomware attacks occurred globally in the first half of 2022 alone, in 2023, it’s predicted that close to 33 billion accounts will be breached costing the global economy $8 trillion.
In light of growing attacks cyber insurance premiums have been increasing exponentially making it difficult for companies to get the coverage they need. Globally, Q1 2022 saw cybersecurity insurance premiums rise by a massive 110% year on year. Q1 2023 saw an additional annual rise of 10%. An annual premium for coverage of $50 million could range anywhere from $100,000 to $500,000. This is a huge chunk of money to come out of operating budgets especially as new regulation is requiring companies to invest more in security systems.
A slow-down of premium increases at the start of 2023 is good news for companies, but it also has a dark side; there will be more exclusions written into policies as underwriters get to grips with the risks in this fast changing and complex environment. Recently Lloyds of London created a stir when they suggested to 76 of their insurance syndicates to remove “nation-state-backed cyberattacks” from insurance policies by March 2023.
The NotPetya attack in 2017 was a huge driver behind Lloyds decision to implement the exclusionary clauses. The malicious data encryption tool inserted into a legitimate piece of software used by most of Ukraine’s financial and government institutions, spread via trusted networks, rather than widely over the internet. Therefore, it bypassed the processes put in place to prevent ransomware attacks, estimated losses experienced by commercial companies in the Ukraine network exceeded $10 billion.
Prevention has to be the key focus because mitigating the damage of attacks is almost impossible. To put this into perspective, NotPetya destroyed all end-user devices, including 49,000 laptops and the print capability of shipping and logistics giant Maersk. It also destroyed 1,000 of the company’s applications and 3,500 servers. Total cost of losses – $250 million.
In addition to tangible costs of a major data breach or cyber attack, companies now need to consider the cost of regulatory fines, legal settlements, reputational damage, and business interruption costs.
Monica Oravcova, COO and co-founder of Naoris Protocol, a decentralised cybersecurity solution, says “The NotPetya attack really highlighted the NotPetya attack really highlighted the vulnerability of “trusted” networks, where no-one is validating the validators and ensuring the trust level of the network itself. This is a clear case of ‘eyes wide shut’ by some large multinational enterprises who left this attack vector open. New generation technology, such as a decentralised cybersecurity mesh architecture can prevent these kinds of attacks. This technology enforces trust across networks by turning all connected devices into validator nodes that check the security status of every other device in the network. Any detected anomalies or code manipulation will raise an alert within milliseconds potentially preventing the attack”
The average cost of a data breach is $4.2 Million and in the case of regulated industries, costs can be much higher. In finance and banking, the cost is estimated to be $210 per record with an average breach totaling 25k records, this translates into $10.725 Million.
You cannot talk about insurance premiums without introducing the highest risk factor – people. More than 90% of breaches are facilitated by humans. Experts agree that by addressing the standard of cybersecurity awareness globally, breaches should come down and risk management should be easier to enforce.
Oravcova says “ training must go beyond tick box compliance, motivated by regulatory and liability penalties, every member of staff needs to be able to recognise a malicious email. Many companies focus on technical improvement: ‘How can I make sure I have the best IT and detection systems in place?” but they don’t address the fact that the weakest links are their employees. The pandemic brought this into sharp focus as devices left the security of ring fenced networks. In essence the servers left the building and every device became a single point of failure”
Solutions need to be created in close collaboration between insurance companies, enterprises and cybersecurity firms, to work together in their respective areas to stop cyber attacks. Only then will we see a reduction in insurance premiums and more importantly, a reduction in the frequency of successful attacks.