Cyber Insurance: Its Days are Numbered!

Uncertainty has been the norm in recent years, and criminals are taking systematic advantage of it. Lack of awareness, the use of more sophisticated technology and protection/sponsorship from rogue Governments is making it challenging for organisations to stay one step ahead of criminals.  

One traditional key component of any Cyber Security programme is the use of insurance, to protect and cover potential losses due to a cyberattack. 

Or at least that was the strategy until now. A few weeks ago, Mario Greco the Zurich CEO stated in the FT that “Cyber attacks will become uninsurable as the disruption of hacks continues to grow”. This was considered as  a clear industry statement and a call to action for  Chief Security Officers and C-Suite in general. 

In 2022 several actions have been taken by Insurance companies to limit their risk exposure to cyber-attacks, especially those related to state-backed (Advanced Persistent Threats). The most notable case is Lloyds of London, removing all “protection or covering losses” related to those types of attacks from March 2023. 

But Why? 

The challenge for Insurance companies is to determine whether an attack can be attributed to an organisation that has been sponsored by a government as quite often a hacktivist can work for, government and non-government organisations. Due to the exponential increase in attacks linked to criminal groups sponsored by states and the limitation to litigate against them, insurance companies are deciding to take an adverse risk approach, reducing the protection, and increasing premiums. 

What Are Organisations Doing? 

Organisations are not doing their homework. 

Insurance is just one additional component of the Cybersecurity and Resilience framework which is an option and not an obligation and unfortunately, many institutions have adopted the insurance policy as a “silver bullet”. Consequently, security controls may have become outdated or even lapsed, presenting weaknesses that could be exploited. 

The Policy of Truth 

Is your organisation prepared to live without Cyber Insurance? 

The overall security programme is an obligation and responsibility of the C-suite. The senior management must establish a dynamic approach to increase resilience to minimise the potential impacts of any attack. This responsibility cannot be transferred or outsourced. 

Based on TORI’s experience and industry trends which further substantiate this thinking, we have identified the following which are must-have elements of your Cyber Resilience Programme: 

  • Establishing a Threat Intelligence Monitor: this will allow you to identify any potential threats and vulnerabilities 
  • Red Team / Blue Team Strategy: simulating attacks is essential to test your business resilience and the efficiency of implementing security controls 
  • Training: criminals are using social engineering techniques to perpetrate attacks. Providing training and awareness activities to your teams is key to minimise risk. Also, using techniques such as “Cyber mentalism” will help your security team to think like a criminal and anticipate their next move 
  • Independent Assessment: perform evaluations of your overall strategy, including data management, security protocols and incident response. This assessment will increase your resilience against future attacks

Technology is continuously evolving which means that nowadays protecting a company’s assets, its users and customers are minute-by-minute challenge. As a result, monitoring cyber trends and the tactics employed by cyber criminals in order to protect an organisation has now become a 24/7 job.  

How TORI Can Help 

As part of our Governance, Risk and Compliance practice we support organisations to increase their resilience promoting a dynamic approach to combat criminals. 

Our Cybersecurity and ICT Risk service can bring the necessary support on:  

  • Performing Cybersecurity assessments including framework, application, networks, and assets 
  • Implementing security protocols (Cloud/On-Prem, In-Source/Out-Source) following industry standards and regulatory requirements 
  • Providing operational support on Threat intelligence activities, monitoring in real-time vulnerabilities and other elements as part of your resilience programme 
  • Training and awareness sessions with technical and Senior management team on key elements such as social engineering, cyber essentials, managing attacks effectively and threat identification