As ransomware attacks continue to increase, businesses are ramping up their cybersecurity defences and recognising the need for post-attack financial safeguards. This is where the role of cyber insurance becomes increasingly important.
Spencer Young, SVP of EMEA at Delinea, shares insight with Cyber Magazine about how organisations can maximise their chances of qualifying for cyber insurance, particularly with increasing underwriting demands from insurers.
We will also explore the importance of staying abreast of the ever-changing landscape of cyber insurance, including costs, coverage, and potential gaps.
Tell us about yourself and your current role at Delinea
Since January 2022, I have been Senior Vice President for Europe, Middle East and Africa at Delinea, guiding the sales strategy across the region. Overall, I have been in the IT industry for more than 30 years, holding leading roles in software, hardware and network companies, with more than one third of my career spent in the security sector.
How is Delinea working to help businesses in cyber protection?
At Delinea, we are focused on helping organisations meet the cybersecurity challenges of today's enterprise environments. We believe that privileged access management (PAM) is foundational to any robust cybersecurity strategy. That is because defining clear boundaries of access reduces not only the risk of data breaches but also the risk of unauthorised data access, helping organisations maintain compliance with ever-evolving regulatory standards. Our PAM solutions address the needs of managing and securing access to sensitive data and critical infrastructure of an organisation regardless of its size and whether its infrastructure is on-premises, in the cloud or hybrid.
Earlier this year, we introduced the Delinea Platform, our cloud-native solution to centrally manage the privileged credentials of all types of identities across an entire company infrastructure. And a few weeks ago, we also announced Intelligent Automated Auditing, an AI-augmented capability for the platform to assist administrators in monitoring privileged session recording.
In addition to our focus on innovation, what sets us apart is our adaptability and scalability. Our solutions are trusted by a diverse client base from burgeoning small businesses to global financial giants and intelligence agencies. Most importantly, our customers do not see us just as a vendor, but as a strategic partner committed to safeguarding their digital assets while simplifying their security processes.
In line with increased cyberattacks and the spread of malware, how important is cyber insurance?
The importance of cyber insurance today cannot be overstated, particularly with the average cost of a data breach escalating year-over-year, reaching US$4.35m in 2022. Cyber insurance serves as a financial safety net, helping organisations with the recovery process after an attack, and it is the ideal companion to a robust cybersecurity strategy. The industry has evolved significantly, offering comprehensive policies covering a wide array of costs associated with breaches, such as data theft and business downtime. These policies can also cover the often-overlooked costs of investigations, forensics, compliance fines, and extortion payments.
However, not all policies are equal. While many insurers have broadened their coverage, there are still gaps. It is important that businesses carefully read the fine print and understand the scope of their policy, to make sure they are properly protected against the threats that are most relevant to them.
What about the small print – how can businesses best avoid any surprises?
Navigating cyber insurance policies is becoming increasingly complex, especially as insurers refine their offerings based on new data and insights. One of the key challenges lies in understanding what is and is not covered.
For example, our research shows that “data recovery” is one of the expenses most likely to be covered, but there is no unique definition of what it entails, so it can mean different things to different insurers. There are also cases of insurance companies retaining the right to decide whether or not to pay the ransom, regardless of their client’s preferences. Respondents also reported that insurance policies are least likely to pay for lost revenue, regulatory fines, or legal fees, and claims can be denied if the insurer determines the company lacks adequate security measures or compliance protocols. It is important therefore to have as full a picture as possible of what is covered before signing or renewing the contract, and to be aware of the potential pitfalls to avoid unwelcome surprises due to unnoticed exclusions or complicated conditions.
What recommended robust cybersecurity measures can organisations implement to increase their chances of being covered by cyber insurance?
Having a comprehensive approach to cyber risk governance is also essential when it comes to cyber insurance. Organisations should conduct in-depth risk assessments to understand where there may be weaknesses and gaps in their current cybersecurity posture. This foundational step informs the rest of their cybersecurity strategy, which would be specific to their own situation, and they could use established frameworks like Cyber Essentials in the UK, or NIST in the US as guidelines.
That said, our research revealed that almost half of insurers have Identity and Access Management (IAM) and Privileged Account Management (PAM) as prerequisites for their policies, with Multi-Factor Authentication (MFA), comprehensive monitoring and tools that provide timely detection and response capabilities considered good practice and increasingly required to qualify for insurance coverage.
Insurers also scrutinise incident response plans to gather a sense of a company’s preparedness. They also evaluate the post-attack recovery plans, wanting to see a well-thought-out approach to restoring operations and the ability to use the experience as a learning opportunity to improve their cybersecurity posture.
What do you predict the next 12 months will look like for businesses from a cybersecurity perspective?
Ransomware will continue to be a major threat for businesses. We may not hear about it as much as before, but that does not mean it is less dangerous or that it has vanished. It is also reasonable to imagine that as access to Artificial Intelligence becomes widespread, more cybercriminals will start using it. And as cyberattacks escalate, becoming more complex, so will the demand for cyber insurance. Having said that, it is crucial to understand that having cyber insurance does not replace the need for strong cybersecurity procedures, especially considering that our research found that 43% of companies discovered that their coverage was nullified due to inadequate measures. But most importantly because even with the best policy, the damage could be far greater than what you would recover.