Most companies are much better prepared for hurricanes and earthquakes than they are for cyber-attacks, according to figures from AIG.
Only about 55% of Fortune 500 companies have cybersecurity insurance. For the majority of enterprises, the figures are even lower; just 35% of small to medium-sized businesses are insured against cyber attacks.
By contrast, statistics recently released by the Australian Government show that cybercrime attacks have increased by 300% since 2015 and that 60% of smaller businesses that experience a major data breach go out of business within six months.
“The cyber-insurance industry is relatively new and it’s evolving,” explained Paul Waite, Director of Cyberplus.
“It’s a bit different to other insurance offerings because the cyber environment is always changing. There are new threat vectors being pushed out daily and that makes it difficult for insurers to calculate the potential losses.”
“At the moment, insurers are relying on historical data to rate premiums and calculate probable loss events and I don’t think that approach to underwriting is sustainable long term,” added Mr Waite.
According to Paul Waite, there are a large number of cyber threats that organisations need to be prepared for. There is the well-known ransomware-type event, which is simple but quite dangerous for an organisation.
There has also been a rapid evolution of the Business Email Compromise (BEC), which is becoming more sophisticated in the way that attackers lure their victims.
Additionally, there has been a rise in user credential farming, which provides cybercriminals front door access to organisations. Rather than trying to break through the cyber perimeter that most organisations have in place, cybercriminals are tricking people into letting them straight in.
“An off-the-shelf cyber-insurance product isn’t necessarily going to be the right approach,” said Mr Waite.
“Cyber-insurance is complex and needs to be tailored to suit an organisation’s specific risk profile. My advice to managers is: before purchasing cyber insurance, your organisation first needs to undertake a detailed risk analysis of their business.”
Cybercrime can result in massive financial losses, but it’s not just the immediate theft that’s the problem; very often cyber-attacks leave a company’s computer systems crippled or corrupted, and that can bring an entire business operation to a grinding halt.
“When it comes to cybersecurity, being prepared isn’t just having a wall that will block and protect from attacks,” said Dan Tehan, former Minister Assisting the Prime Minister for Cybersecurity.
“Instead, being prepared means minimising risk.”
Prevention is the most effective strategy for dealing with cybercrime, and organisations must implement a multi-layered defence to help minimise the risks associated with cyber security attacks, according to Craig McDonald, MailGuard CEO.
New regulatory regimes like the NDB and GDPR impose serious penalties on companies whose data is breached, making it more vital than ever for every business to acknowledge and address its cybersecurity responsibilities.
CEOs are encouraged to audit data and IT resources, seek professional guidance on establishing a cybersecurity policy, enable effective endpoint security and deploy cloud-based threat protection to prevent malicious incursions.