By: Zack Schuler, founder and CEO of NINJIO
What would you do if your organization was hit by a cyberattack? At a time when reports of major data breaches and other attacks have become constant, this is a question CEOs, CISOs, and employees are increasingly asking themselves. Considering the stratospheric potential cost of cyberattacks and the time it takes to contain them, more and more companies are looking at cyber insurance to hedge against the risk of falling victim to one of these attacks.
However, the scale and volume of cyberattacks in recent years have sent the cost of cyber insurance premiums soaring. According to Bob Zukis, founder of Digital Directors Network: “The cyber insurance industry has been growing rapidly, but they’ve only insured a fraction of cyber risk – less than 10 percent in our calculations. That means companies need to translate cyber risk into economic concepts and manage it like any other financial risk.”
Just as it’s difficult for IT professionals and company leaders to keep up with the rapidly shifting landscape of threats, insurance providers are struggling to account for the evolution of cyberattacks. This raises the question: are we looking at cyber insurance in the right way? Instead of merely paying a monthly premium and hoping for the best, companies should be proactive about reducing risk – particularly by building a well-trained workforce capable of preventing cyberattacks and minimizing the damage they cause when they occur. There are many forms of cyber insurance, and they don’t all revolve around premiums and payouts.
Why cyber insurance has become such a pressing topic
You don’t just have to scan the headlines about recent cyberattacks to see that they’re becoming more severe, costly, and difficult to contain. According to the most recent IBM Cost of a Data Breach Report, the average financial impact of a breach has surged to its highest point in the 17-year history of the report: $4.24 million (up from $3.86 million last year). In cases where remote work is implicated in the breach, the cost is $1.07 million higher. The time it takes to identify and contain a breach has also soared to an unprecedented height: 287 days.
Between 2016 and 2020, the number of cyberattack complaints submitted to the FBI jumped from just under 300,000 to over 791,000. Meanwhile, recorded losses spiked from $1.5 billion to $4.2 billion – a figure that leaves out any attacks that weren’t submitted. For many years, every trend line has pointed in the same direction: cyberattacks have become one of the most urgent challenges companies face.
When company leaders see the staggering costs associated with these attacks, they immediately start searching for a safety net. This is where cyber insurance comes in.
The rising cost of cyber insurance
Because cybersecurity is such a dynamic and unpredictable field, companies often feel like they’re a few steps behind the emerging threats and the most effective methods for addressing them. The cyber insurance industry is no exception – as a recent article in Quartz reports, there isn’t “much data to draw on to develop the precise actuarial tables that insurance companies normally use” to strike a balance between premiums and payments.
This is one of the reasons why, as the article notes, cyber insurance premiums increased by 18 percent in the first quarter of this year – a rate of change that has shot up over the past few years, and which outpaces all other forms of insurance. The Quartz article also cites a June report from AM Best, which found that total cyber insurance claims increased four-fold between 2016 and 2020. As claims continue to increase and insurance companies struggle to adjust, prices will remain volatile and high.
According to a survey conducted by Deloitte, the top-cited issue that prevented companies from purchasing cyber insurance was cost. While cyber insurance can help companies manage the financial blow inflicted by a cyberattack, the instability of the market for purchasing that insurance – along with the high financial barriers to entry – will continue to deter company leaders who are looking for cost-effective options to stay secure.
A different form of cyber insurance
Companies have to prepare for the worst, which is why they buy cyber insurance – but they also have to use every resource at their disposal to prevent the worst from happening. While this includes digital defenses such as firewalls, VPNs, and updated security software, the most valuable cybersecurity resource companies have is their workforce – a well-trained workforce, that is. Employees are the key to keeping their companies safe because cybercriminals target them in the vast majority of cyberattacks.
According to Verizon’s 2021 Data Breach Investigations Report, 85 percent of breaches involve a human element. It’s no surprise that researchers say it’s “obvious” that cybersecurity awareness training is a way to prevent future breaches. Similarly, the aforementioned IBM report states that “improvements around security awareness training can help to reduce threat event frequency.” A trained workforce isn’t just capable of foiling cyberattacks – it can also help companies respond quickly and mitigate the negative consequences when a breach occurs.
One way for cyber insurance providers to make their business model more sustainable is to offer incentives for companies that are less susceptible to cyberattacks than their peers. Just as safe drivers receive auto insurance discounts, companies with robust cybersecurity platforms should have access to more affordable rates on their cyber insurance. As for the companies themselves: no matter what the cyber insurance industry does over the next few months and years, an educated workforce will offer the most effective form of insurance available.
Zack Schuler is the founder and CEO of NINJIO – a global cybersecurity awareness company that teaches employees and their families how not to get hacked. Beyond serving as the CEO of two successful tech startups (before NINJIO, he started Cal Net Technology Group out of the trunk of his car and grew it to $20 million in annual revenue), Zack is an authority on cybersecurity, employee engagement, and related tech issues. He has written for Forbes, HR Dive, Dark Reading, and many other outlets.