Losses from cybercrime are expected to surge over the next five years, rising from $8.44 trillion in 2022 to approximately $11 trillion in 2023 and potentially reaching approximately $24 trillion by 2027. As premiums increase and organizations learn to implement better system backups, some have opted to invest more heavily in system recovery procedures than in cyber insurance, cybersecurity consultancy SecurityScorecard reports in a blog post for the World Economic Forum's cybersecurity project.
The firm says that despite the increasing complexity of cyber insurance and rapidly evolving cyber threats, security leaders can keep risk assessments manageable, and even simplify them, by focusing on four core areas.
“While cyber insurance is a critical component of a risk-loss management strategy, the cost benefit is becoming more difficult to analyse owing to continued cyberattacks and increasing premiums.”
“Cybercrime has continued to rapidly increase in 2023 and cyber insurance cost increases have kept pace. According to a recent study of 3,000 cybersecurity and IT professionals, 95% of organizations that purchased a cyber insurance policy in the last year reported a direct impact of this trend on their cyber coverage:
- 60% said it impacted their ability to get coverage;
- 62% said it impacted the cost of their coverage;
- 28% said it impacted the terms of their policy.”
Market research firm Statista reports that cybercrime worldwide cost 0.86 trillion USD in 2018, that the cost will reach 11.50 trillion USD this year and keep growing rapidly, and that it is estimated to reach 23.82 trillion USD in 2027.
“In addition to rising rates, insurers have introduced exclusion clauses into policies in an effort to minimize risk exposure. In the past two years, many cyber insurers have focused on potentially catastrophic cyber risk, including fallout from geopolitical conflicts and corresponding nation state activity”, the SecurityScorecard blog post says.
“The challenge facing insurance companies is quantifying the risk and complexity of measuring the cascading impact of a cyber attack. This monumental task is complicated by a rapidly evolving threat landscape.”
To keep risk assessments manageable, and even simplify them, the consultancy recommends focusing on four core areas.
- What type of firewall is being used? A firewall is absolutely essential in any cyber defence structure. Equally critical is retaining at least 60 days of firewall logs, six months if possible. Just like security camera footage, firewall logs are vital evidence in a potential cyber incident.
- How is the environment backed up? Spending on quality backups is as important as paying cyber insurance premiums. Ensure your backups are configured to be immune to any network intrusion or infection; in practice that means offline or immutable copies that a compromised account on the production network cannot alter or delete. Backup retention needs to be appropriate for the timeline and budget that your industry demands.
- Is there multifactor authentication for all users? An MFA requirement for access to any company system is not optional and needs to be implemented so that it cannot be bypassed without gross negligence. This needs to apply to all departments and levels of employees throughout the company, with a zero-exception policy.
- Do you regularly verify who has access? Having a system of changing passwords is not enough; you need to verify who has access to which systems and software at least quarterly. Least-privilege access policies must be mandatory to ensure proper risk mitigation: the principle of least privilege (POLP) limits users’ access rights to only what is strictly required to do their jobs. Having a tool that sends alerts when new accounts are created is a necessary cost so that unauthorized users can be identified immediately within the environment.
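The last item combines two concrete controls: alerting on account creation, and a periodic review of who holds what access against what was approved. The script below is an added example written for this page, not code from SecurityScorecard or the blog post. It assumes Linux syslog lines in the format written by useradd(8) (the sample lines, hostnames, user names and UIDs are constructed), a list of groups treated as privileged that you would tune for your distribution, and entitlement strings (the `APPROVED` and `CURRENT` tables) that are invented to stand in for an export from your HR or ticketing system and from the systems themselves.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample lines in the shape of Linux auth.log entries written by
# useradd(8); the hostnames, names and UIDs are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar 12 09:14:02 web01 useradd[2311]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Mar 12 09:14:02 web01 useradd[2311]: add 'deploy' to group 'sudo'
Mar 12 11:40:17 web01 sshd[2410]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 13 02:03:44 web01 useradd[3090]: new user: name=svc-backup, UID=1004, GID=1004, home=/var/lib/backup, shell=/usr/sbin/nologin
Mar 13 02:03:45 web01 useradd[3090]: add 'svc-backup' to group 'adm'
Mar 14 15:22:09 web01 useradd[4120]: new user: name=intern, UID=1005, GID=1005, home=/home/intern, shell=/bin/bash
"""

NEW_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) useradd\[\d+\]: "
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)
GROUP_ADD_RE = re.compile(r"useradd\[\d+\]: add '(?P<name>[^']+)' to group '(?P<group>[^']+)'")

# Groups whose membership grants administrative rights (assumption; tune per distribution).
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm"}


@dataclass
class AccountAlert:
    timestamp: str
    host: str
    name: str
    uid: int
    groups: Set[str] = field(default_factory=set)

    def is_privileged(self) -> bool:
        return bool(self.groups & PRIVILEGED_GROUPS)


def detect_new_accounts(log_text: str) -> List[AccountAlert]:
    """Return one alert per account created in the log, with any group
    memberships granted by the same useradd run attached to it."""
    alerts: Dict[str, AccountAlert] = {}
    for line in log_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            alerts[m["name"]] = AccountAlert(m["ts"], m["host"], m["name"], int(m["uid"]))
            continue
        g = GROUP_ADD_RE.search(line)
        if g and g["name"] in alerts:
            alerts[g["name"]].groups.add(g["group"])
    return list(alerts.values())


# Constructed entitlement data for the quarterly review. APPROVED is what the
# system of record (HR/ticketing) says each person should hold; CURRENT is what
# the target systems actually grant. Names and entitlement strings are invented.
APPROVED: Dict[str, Set[str]] = {
    "alice": {"gitlab:developer", "aws:ReadOnlyAccess"},
    "bob": {"gitlab:developer"},
    "dave": {"gitlab:developer"},  # approved but no live account: stale approval
}
CURRENT: Dict[str, Set[str]] = {
    "alice": {"gitlab:developer", "aws:ReadOnlyAccess", "aws:AdministratorAccess"},
    "bob": {"gitlab:developer"},
    "carol": {"gitlab:maintainer"},  # no approval on file: orphaned or ex-employee
}


def access_review(approved: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> Dict[str, object]:
    """Diff granted access against approved access. Returns the three things a
    reviewer must act on: accounts with no approval, entitlements beyond the
    approval (least-privilege violations), and approvals with no live account."""
    unapproved = {u for u in current if u not in approved}
    excess = {u: current[u] - approved[u] for u in current if u in approved and current[u] - approved[u]}
    stale = {u for u in approved if u not in current}
    return {"unapproved_accounts": unapproved, "excess_entitlements": excess, "stale_approvals": stale}


if __name__ == "__main__":
    for a in detect_new_accounts(SAMPLE_AUTH_LOG):
        flag = "PRIVILEGED" if a.is_privileged() else "standard"
        print(f"{a.timestamp} {a.host}: new account {a.name} (uid {a.uid}) {flag} groups={sorted(a.groups)}")
    for finding, value in access_review(APPROVED, CURRENT).items():
        print(finding, value)
```

Run against the constructed log, the detector raises three alerts and marks `deploy` and `svc-backup` as privileged because their useradd run also added them to `sudo` and `adm`; the review flags `carol` (no approval), `alice` (holds `aws:AdministratorAccess` beyond her approval) and `dave` (approval with no account). In production the log text would come from the host's auth log or a SIEM and the two entitlement tables from exports of the systems of record, and the alert path would be whatever paging or ticketing integration the organization already uses.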
The blog post was written by Anna Sarnek, senior director, and Larry Slusser, vice president.