Cyber insurance: an umbrella for a cloudy IT security climate

In this second part of our series on cyber insurance we focus on the responsibilities of CISOs and CFOs. In Part 1 we took a closer look at the important role IT admins play when organizations seek or renew insurance coverage.

The facts are clear: the number of companies of all sizes falling victim to cyberattacks is increasing significantly worldwide.

• According to CVEdetails.com, the number of vulnerabilities found worldwide rose to 29,065 in 2023 from 25,083 in 2022.
• The IBM 2023 “Cost Of A Data Breach” report found that the average cost of a data breach was $4.45 million or €4.11 million. The World Economic Forum reported that the cost of cybercrime worldwide totaled $11.5 trillion or €10.6 trillion in 2023, and estimated that costs will rise to $23.8 trillion or €22 trillion in 2027.
• Cybersecurity software vendor Malwarebytes reported that the number of known ransomware attacks surged 68% in 2023, and that the average ransom demand climbed precipitously, led by an $80 million demand following an attack on Royal Mail in the UK. 
• There were more than 420 million attacks on critical infrastructure in 2023 – more than 13 attacks per second – a 30% increase from 2022, according to Forescout Research. 

Operators of critical infrastructure and associated businesses face increased government scrutiny and requirements for cybersecurity and reporting of incidents. In the U.S., the National Institute of Science and Technology (NIST) published the “Guide to Operational Technology(OT) Security” in September 2023 to guide OT operators on improving OT security. That followed passage in 2022 of the Cyber Incident Reporting for Critical Infrastructure Act, which granted rule-making and enforcement authority to the Cybersecurity and Infrastructure Security Agency (CISA) and mandated incident reporting for critical infrastructure providers.

In the EU, the new NIS2 EU directive has tightened requirements for business IT security and holds corporate leaders responsible for ensuring that the company’s cyber defenses meet the latest standards. NIS2 affects companies with more than 50 employees and €10 million in annual revenue in banking, healthcare, energy, transport and many other sectors. The expanded range of businesses affected by the requirements and increased fines for non-compliance prompted the President of the Germany’s Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) to recommend that companies set aside at least 20 percent of their IT budgets for cyber security measures.

Most insurers provide cyber insurance questionnaires for companies to complete. The self-disclosure also determines insurance eligibility and how the policy should be individually structured. It includes questions about security guidelines, risk management, protection of information systems, vulnerability assessments, data backup and employee training. Business must answer these questions as accurately as possible because insurers will verify if the criteria have been met if a claim is filed. Ultimately, the more secure a company is the better that insurers can assess specific risks and offer more favorable insurance policies.

Comprehensive unified endpoint management (UEM) software such as the baramundi Management Suite (bMS), can help companies maintain a current and accurate overview of their systems and security status and document compliance with applicable requirements. 

The process of applying and qualifying for cyber insurance now involves several company executives and departments. The CISO (Chief Information Security Officer), for example, prefers cyber insurance that covers specific risks such as data theft, data breaches and business interruption. The scope of coverage and the extent of incident response services also are priorities.

The CIO (Chief Information Officer) is focused on coverage for damage to the company’s IT infrastructure and data, including protection against malware and physical damage. That includes the technical details of and coverage requirements for hardware and software.

The CFO (Chief Financial Officer) is interested in coverage for cybersecurity-related losses including business interruptions and liability claims. Cost-benefit analyses and the potential financial impact of security incidents take precedence.