By Spencer Young 

The surge in cyber threats and the rising costs of a security incident are pushing companies to get cyber insurance as a financial safety net. But while it can provide a vital lifeline for organisations in the financial sector in the aftermath of an attack, even the most comprehensive coverage cannot help with the wider costs resulting from the damage to a company’s reputation, loss of customers, or share values.    

The cost of a breach  

According to an IBM report from earlier this year, UK organisations pay an average of £3.4 million for data breach incidents. However, the cost is 55.9% higher for companies in the financial sector, reaching £5.3 million. While this hefty price tag may come as a surprise, it is important to remember that the consequences of a successful cyber attack are far-reaching and not always immediately visible. In a dynamic market like financial services where seconds count, any disruption leads almost immediately to business losses as transactions are halted. Downtime can also affect customer confidence, making it challenging to attract new business and possibly leading to a loss of market share that can be difficult to regain. Lloyds of London recently reported that a cyber attack on financial service payments systems could cost the world a staggering $3.5 trillion, which gives an idea of the magnitude of what is at stake.

Stricter requirements for cyber insurance 

It is no surprise then that demand for cyber insurance is growing, with Lloyds predicting in the same report that the value for gross written premiums will increase from $9 billion last year to nearly $25 billion by 2025. Ransomware attacks and the associated costs are key factors behind this rising demand, but paradoxically they are also behind the concurrent hardening of the cyber insurance market. The increased level of risk-shifting and the availability of more data-driven analytics that provide clearer insights into risk factors and outcomes are pushing insurers to significantly tighten their requirements, with some sectors at risk of becoming uninsurable. Alongside this, research from Delinea found that the exclusion criteria are also changing, with organisations often faced with an extensive list of rules that can void their coverage, including the lack of security protocols, human error, and acts of war or terrorism. 

It is a stark picture and, for many, a harsh wake-up call, but fortunately it is not all doom and gloom. 

Where to start?  

The reality of any insurance policy is that one party is paying another party to bear their risk. This applies when buying car insurance or getting the necessary coverage required by mortgage lenders, and cyber insurance is no different. Moreover, meeting the strict requirements to qualify for coverage increases a company’s overall resilience and improves its security posture. To this end, preparing to apply for cyber insurance should be seen as a useful moment to take a hard look at cybersecurity strategies and spot possible gaps and issues in their implementation. Securing a cyber insurance policy is a process that does not happen overnight: according to our research, qualification now frequently takes six months or longer for larger organisations.

While each insurance company has its own methodology to assess an organisation’s ability to effectively detect and respond to threats, there are some commonalities in what they are usually looking for. Advanced security tools and endpoint solutions that offer real-time monitoring and alerts are increasingly seen as must-haves, as are access controls to verify and monitor any identity in the network, whether human or machine. Placing time-bound and role-based access controls around sensitive data is a core part of any security strategy and also essential for many insurance applications.   

This is because most cyberattacks involve stolen credentials, and therefore insurance providers require companies to have in place all the security controls needed to prevent stolen credential abuse and contain attacks. Having the right solutions in place ticks the box, but it is only half of the effort. Solutions also must be appropriately configured according to the specific requirements of a company to be effective against cyber threats and avoid the risk of insurance coverage being nullified. 

Insurers focus on personnel training as well. Employees are often the first line of defence and a workforce trained to identify and report cyber threats is less likely to fall victim to phishing attacks or inadvertently expose sensitive data. Insurers also expect organisations to have tried and tested incident response plans in place and conduct regular simulation exercises mimicking real-world attack scenarios. What they want to assess is how much a company is just reacting to cyber risk, instead of proactively managing it. 

Reading the fine print   

As cyber threats constantly evolve, cyber insurance also adapts to demands and policies can vary significantly based on a range of factors like risk profile, provider stipulation, or the size of an organisation. Being aware of the fine print in a policy is therefore of paramount importance. And if renewal is on the horizon, it is up to an organisation to scrutinise the terms meticulously. Changes can and do occur, and the renewal period is a prime time to renegotiate terms or consider alternative providers. Additionally, companies must keep abreast of any variations that could affect their coverage, such as changes to deductibles, shifts in the definition of covered incidents, and newly added exclusions for certain types of cyber events, such as state-sponsored attacks or specific types of malware.   

Now more than ever, proactive cybersecurity planning is essential, especially for organisations in the financial services sector facing the continued pressure of cyber threats. As with any policy, the coverage is only meant to provide a safety net, not to protect against every eventuality. It is everyone’s responsibility to do their part to prevent an incident becoming a catastrophe.


About the Author 

Spencer Young has more than three decades of experience in senior leadership roles within enterprise technology, with a wide range of expertise across software, hardware, and networks, and an established track record of high growth, both in innovative start-ups and large enterprises around the world.
