Below is a great article written by Alicia Hope and published in CPO Magazine. CPO provides news, insights, and resources to help data privacy, protection and cyber security leaders make sense of the evolving landscape to better protect their organizations and customers.
According to a new study by the Hanover Insurance Group, Inc., most businesses are more vulnerable to emerging risks such as malware and ransomware attacks than traditional threats such as the breach of personally identifiable information. However, the report found most businesses were insured against traditional cyber threats instead of the emerging risks. The study, which was carried out in collaboration with Zogby Analytics, found that the cyber insurance coverage gap poses an existential threat to the majority of the businesses.
The current situation in cyber insurance
Most businesses contacted said the decision to purchase a particular policy was based on recommendations from independent insurance agents. The study also found most businesses understand the extent of the cyber threats they face and the negative impacts of such incidents. However, 42% of businesses did not have adequate cyber insurance to cover the cost of a cybercrime-related incident, despite 9 in 10 businesses reporting a cyberattack. Additionally, 60% of businesses reported it would take just two days to become unprofitable in case of a cyberattack that denies them access to critical systems or data, while 92% said an attack would cause a negative financial impact. Despite 84% of businesses feeling inadequately covered by their current policies, 38% have not increased their cyber insurance policy limits within the past 12 months. The study found small businesses to be more vulnerable to cyberattacks than large or middle-sized businesses. The majority of small businesses also lacked cyber insurance coverage.
The study also showed that media coverage informed the decision to purchase cyber insurance cover for 50% of business leaders. Past attacks influenced 37% of business decision makers to purchase cyber insurance cover. According to Bryan J. Salvatore, president of specialty insurance at The Hanover, having the appropriate cyber insurance protection will only become more important as new technologies emerge, businesses become more connected, and cyber criminals develop more sophisticated methods. He added that as businesses grow in complexity, the advice of an independent agent becomes increasingly important in helping business owners understand the many risks they may face and mitigate those emerging risks.
Emerging risks becoming more prevalent and catastrophic
The study found an increase in emerging risks involving malware and ransomware attacks. Almost half of the businesses surveyed reported experiencing a malware-related attack. According to the report, 35% of incidents included the transmission of malware to a third party. Close to half of all attacks involved the use of malware or ransomware: 27% of the attacks involved ransomware, while 20% involved other forms of malware. A third of businesses also admitted they were unaware of how to respond to a ransomware attack.
Emerging risks also caused greater losses in business income and steeper rises in recovery costs. However, most businesses were protected from highly publicized threats, while they paid little attention to the emerging risks. The failure to recognize the emerging risks would have immediate catastrophic effects on business profitability, according to the report.
Managing the security risks
Businesses had strong policies in place to protect against the threats most concerning to them. Among the respondents, 81% had written plans identifying, mitigating, and dealing with cyber threats. Another 93% had their data backed up to prevent data loss in case of an attack.
Despite the efforts made to protect organizations against the effects of both traditional and emerging risks, some of the effects were almost impossible to defend against. Most cyberattacks caused reputational loss for the companies affected, while the leak of personal data could irreparably harm their customers if not detected in time. Consequently, most businesses should have adequate plans to prevent these attacks, in addition to recovery plans.