How smart insurance stops cybercriminals in their tracks

External Article • August 3, 2023

There are good reasons why cybercrime is keeping insurance brokers, insurers, reinsurers and underwriting managers (UMAs) awake at night. In fact, this criminal activity has grown to such an extent that its ‘cost to the global economy’ now slots into third place on a ranking of countries by annual GDP: first, United States; second, China; and third, cybercrime! This staggering development was shared by Ryan van de Coolwijk, Product Head: Cyber Insurance at ITOO Special Risks, during his presentation to the South African Underwriting Managers’ Association (SAUMA) 2023 Virtual Conference.


Cybercrime set to eclipse NATCAT


“The cost [to businesses and individuals] of cybercrime is growing exponentially; and set to peak at over USD10.5 trillion in 2025,” Van de Coolwijk said, citing an estimate by Cybersecurity Ventures. “From an insurance perspective it is quite frightening that cybercrime is predicted to cost more each year than what natural disasters do”. 


There are two main categories of cybercrime that impact the domestic market, namely business email compromise (BEC) and ransomware, with the latter often leading to full-blown cyber extortion. In keeping with international trends, BEC is the most common cause of cyber claims at ITOO, with ransomware-related cyber extortion in second place. BEC involves a hacker obtaining unauthorised access to an electronic mailbox and then manipulating documents to entice individuals at a firm to share their credentials, or make payment to an incorrect bank account, among other crimes. 


Statistics from Mimecast illustrate the extent of the problem. In their ‘State of Email Security 2022’ report, they revealed that more than half of the South African companies surveyed had been impacted by a ransomware attack, and that 92% of companies had been targeted by email-based phishing attacks. Van de Coolwijk commented that the latter statistic was probably closer to 100%. “Who among the audience has not, either personally or in your professional capacity, received some form of phishing email, SMS or voice call trying to encourage some sort of behaviour?” he asked. Against this backdrop, Mimecast reported that 56% of respondents felt that cyber insurance was a worthwhile addition to their cyber security armoury.


Skepticism over cyber insurance


“There is still some scepticism over cyber insurance,” Van de Coolwijk said; but this will change as more people become aware of how cyber insurance performs for insureds who fall victim to cyberattack. The Mimecast survey also revealed that 72% of local firms felt they needed to spend more on cybersecurity, with the aggregate being a 13.5% budget increase. “It is difficult for businesses that are already struggling to make ends meet to find this money; [the consequence is] that they potentially leave themselves exposed to cyber incidents,” he said. This revelation should be read in the context of average ransomware demands topping ZAR35 million in 2021, and the average ransom paid exceeding ZAR8.5 million.


To make matters worse, there has been a significant year-on-year increase in cases where hackers post victims’ data on so-called ‘leak’ sites on the dark web. “Reviewing the claims that we have had over the last three years, there is hardly a single instance where the hackers did not post [data] on to one of the leak sites,” Van de Coolwijk said. And the cybercriminals have no boundaries, with documented cases of extortionists contacting the press to ‘spread the bad news’ and thereby put additional pressure on businesses to settle, or even telephoning company CEOs at all hours of the day or night to create tension. Cyber extortion “is a very nasty process to go through, and one of the benefits a cyber insurance policy brings is having access to experts to help you deal with this”.


Be warned: these hackers will be back for more


Local digital forensic firm Cyanre recently published statistics based on their investigation of 58 large BEC attacks that took place in South Africa over the past few years. They pointed out that financial services firms (31%) were the most commonly compromised locally, with insurance firms (12%) and IT firms (10%) also popular targets. Among a sea of alarming statistics, they indicated that around 7% of companies suffered a second attack within a two-year window. Of particular concern is that more than 8% of companies that suffered a breach were compromised from an external IT service provider. “As soon as you open up access to data and your environment to a third party, you are exposed to how good [or poor] their security is,” Van de Coolwijk said. 


ITOO mentioned a case in which a third-party IT supplier was compromised by hackers, who then proceeded to drop ransomware on and / or compromise data at 20 of the IT supplier’s clients! It has become common practice for hackers to seek out footholds from which they can easily launch multiple attacks. According to Cyanre, common ‘points of compromise’ include easily ‘guessable’ passwords (44%); outdated firewall patches (23%); poorly configured firewall rules (21%); and unsecured RDP structure (15%). Outdated anti-virus software was the laggard in this list, contributing to just 13% of compromises in the study. The good news is that you can take out insurance cover to protect your commercial clients from a range of cybercrime risks.


Getting to grips with cyber insurance


At its basic level, cyber insurance covers the resultant costs and damages from a privacy or network security breach. It can be structured to offer comprehensive first-party, being the insured, and third-party coverages, including expert incident response. “This cover is a lot broader than people typically think … it goes beyond hacking to include insider and privilege misuse; physical theft and loss; and various threats posed by third-party access,” Van de Coolwijk said. There is a range of triggers for cyber insurance policies; but where coverage is concerned you need only consider three main pillars: incident response; financial impact; and liability.


Borrowing from the presentation slides, we can summarise the components under incident response cover as incident triage; data and system recovery; forensic investigations; legal guidance; crisis management; notification costs; remediation services; and cyber extortion. Financial impact cover consists of business interruption (BI); increased cost of working; and regulatory fines and penalties. And finally, liability deals with defence and settlement; compromised data; compromised environments that are used to cause damage to others; and digital media liability. This is where the broker adds value; though it is clear that you will have to work closely with your UMA and / or insurer to ensure that you clearly communicate the standard cover, optional covers, exclusions and limitations of this cover to your clients. 


Five ways to thwart cyberattack


To conclude, ITOO shared five tips to prevent your cyber insurance policy from being triggered. “These are controls that will not necessarily break the bank,” Van de Coolwijk said. They include implementing multi-factor authentication and complex passwords; resilience, through the use of immutable and disconnected back-ups; patching, to ensure that your firm’s software is up-to-date; endpoint protection, or next generation anti-virus solutions; and the so-called human firewall, involving education and training to ensure that your employees are a first line of defence against cybercrime. 


Writer’s thoughts:

The rising frequency and severity of cybercrimes such as business email compromise (BEC) and ransomware present both financial and reputational risks to your small and medium enterprise (SME) clients.


Original Article - FA News
