The rise of ransomware has created the perception that, in the event of a cyberattack, there is a risk that payouts will exceed revenues, making insurers more judicious about taking on a customer and attaching a lengthy list of caveats, explains Mohammad Ismail at Delinea.
As the number and sophistication of cyber-attacks has increased, organisations in the Middle East have steadily ramped up their cyber defences. But as successful attacks against some of the region’s largest organisations have demonstrated, even deep pockets do not guarantee protection. Unsurprisingly, organisations are increasingly opting for a final fallback line, and today the majority (63%) of MEA companies admit to having purchased some form of cyber insurance.
This figure is not far behind that in the US, where a 2022 Delinea survey found that 70% of respondents worked for organisations that had applied for cyber insurance, and of these, 93% were approved. More than half of the insured organisations that went on to make a claim ended up using the same policy again more than once.
This is consistent with many regional cybersecurity surveys that, for example, show ransomware victims being hit multiple times. Cyber insurers are getting wise to this oversized risk and Delinea’s research showed only around 30% of organisations being covered for ransomware-related events.
Here in the UAE, where the cyber insurance market is forecast to expand at a CAGR of more than 25% between now and 2028, we find similar anxiety.
CIOs and CISOs are rightly concerned about the impact of an errant click here or a missed vulnerability there. Even as technology teams work diligently to protect what matters most, they know that it is misguided to assume they can cover every eventuality. And strict regulations here stipulate that businesses that experience a breach must report it to the relevant authorities.
It is little wonder that there is a ballooning demand for cyber insurance across the Middle East, particularly in the UAE and Saudi Arabia.
Housekeeping
The journey to find the most comprehensive and reassuring policy is fraught with challenges. Businesses are accustomed to having buying power. They are accustomed to dictating terms when dealing with suppliers. Rarely do they find themselves in the position of having to negotiate with a seller for the privilege of buying. But that is exactly the experience that awaits most enterprises that go shopping for cyber insurance.
The rise of ransomware has given rise to a perception that, in the event of an attack, there is a risk that payouts will exceed revenues. Insurers have become understandably more judicious about taking on a customer at all, never mind quoting them a reasonable price. And even if insurers are prepared to issue a policy, they will often infuse it with a lengthy list of caveats.
This leaves today’s digital businesses in the somewhat bizarre position of having to prepare and pitch to insurance companies. In truth, this has some benefits, because it encourages the candidate to get in better cybersecurity shape. And it dissuades them from using cyber insurance as a replacement for robust cybersecurity.
Shoring up security posture should come first in order to get a more affordable safety net. Look at strategy, staffing, policy, and technology before researching insurance providers. Look to common security controls such as identity management, privilege management, asset discovery, employee behaviour monitoring, network segmentation, malware defence, and endpoint detection.
Revisit the incident playbook, the training of IT and security teams, and the awareness levels of end users.
While this may seem like a departure from the search for cyber insurance, it is critical groundwork for making the enterprise a viable subject in the eyes of underwriters. Its goal is to prove to risk assessors that the organisation is as safe a prospect as possible. To do that, the insurance seeker must demonstrate that it has implemented best practices and takes security seriously.
With the right security posture, businesses may even be able to lower premiums.
Best practices
One area that frequently comes up as a high priority is Privileged Access Management (PAM). First, automate password management as much as possible. Enact the principle of least privilege by granting employees role-based access. Implement just-in-time credentials and ensure security checks include multi-factor authentication. And regardless of role or seniority, educate every employee about cyber risks. Assuming you can present an attractive prospect to an insurer, you will get a quote.
Next, revisit each of the concerns that brought the company to the insurer in the first place. Compare your best practices against the quote and the small print, and start negotiating. By this stage you should be able to argue that your business is a low-risk entity and deserves reconsideration. Also, be on the lookout for the limits of coverage.
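The PAM controls listed above (role-based least privilege, just-in-time credentials, an MFA check before sensitive access, and an audit trail an underwriter or claims assessor could inspect) can be shown in working form with a small broker. The following is an added example written for this page, not code from the original article or from Delinea; the roles, privileges, user names and the one-hour cap are constructed sample policy, not values taken from any product.

```python
import time
from dataclasses import dataclass, field

# Constructed sample policy (an assumption for this example, not any vendor's
# product): each role lists the privileges it may request just-in-time.
ROLE_PRIVILEGES = {
    "intern": {"read_logs"},
    "developer": {"read_logs", "deploy_staging"},
    "sre": {"read_logs", "deploy_staging", "deploy_prod", "db_admin"},
}
# Privileges sensitive enough that a grant requires a fresh MFA verification.
MFA_REQUIRED = {"deploy_prod", "db_admin"}
# Hard cap on how long any just-in-time grant may live, in seconds (assumed).
MAX_TTL_SECONDS = 3600


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: float  # Unix epoch seconds


@dataclass
class JitBroker:
    """Issues short-lived, role-scoped privilege grants and records every decision."""
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _record(self, now, user, privilege, outcome):
        # Every allow and deny is logged: this is the evidence trail a
        # claims assessor would ask for after an incident.
        self.audit_log.append((now, user, privilege, outcome))

    def request(self, user, role, privilege, mfa_verified, ttl_seconds=900, now=None):
        """Return a Grant, or None when policy denies the request."""
        now = time.time() if now is None else now
        # Least privilege: only privileges the role is entitled to can be requested.
        if privilege not in ROLE_PRIVILEGES.get(role, set()):
            self._record(now, user, privilege, f"denied: role '{role}' may not hold it")
            return None
        # MFA gate for the sensitive privileges.
        if privilege in MFA_REQUIRED and not mfa_verified:
            self._record(now, user, privilege, "denied: MFA not verified")
            return None
        ttl = min(ttl_seconds, MAX_TTL_SECONDS)  # a caller can never exceed the cap
        grant = Grant(user, privilege, now + ttl)
        self.grants.append(grant)
        self._record(now, user, privilege, f"granted for {ttl}s")
        return grant

    def is_authorized(self, user, privilege, now=None):
        """True only while an unexpired grant for this user/privilege exists."""
        now = time.time() if now is None else now
        return any(
            g.user == user and g.privilege == privilege and g.expires_at > now
            for g in self.grants
        )

    def expire(self, now=None):
        """Drop expired grants and return how many were removed."""
        now = time.time() if now is None else now
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.expires_at > now]
        return before - len(self.grants)


if __name__ == "__main__":
    broker = JitBroker()
    t0 = 1_700_000_000  # constructed timestamp so the demo is deterministic
    print(broker.request("alice", "sre", "deploy_prod", mfa_verified=True, now=t0))
    print(broker.is_authorized("alice", "deploy_prod", now=t0 + 60))     # True
    print(broker.is_authorized("alice", "deploy_prod", now=t0 + 7200))   # False, expired
    for entry in broker.audit_log:
        print(entry)
```

The design point is that standing privilege never exists: access is granted per request, scoped by role, gated by MFA for the sensitive set, capped in lifetime regardless of what the caller asks for, and every decision lands in a log that can be produced when an insurer asks for evidence of how access was controlled.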
Cyber insurance, like many other products, may only insure up to a certain amount. Also familiarise yourself with the conditions of reimbursement, and the process to correctly file a claim. What must be proven before the payout can be authorised and what does the insurer stipulate as satisfactory evidence? How easy will it be to access and present this evidence in the event of a breach?
Remember that just because a cyber insurer does not mandate a particular control does not mean it should be ignored. It may strengthen the case for a lower premium, because the business went beyond the controls mandated by the insurance provider. But even if it does not, the control may act as a hedge against a gap in coverage.
Positive returns
The core point is an obvious one: better cybersecurity means better insurance. And cyber insurance has emerged as a critical fallback for every enterprise. Best practice security solutions such as PAM platforms will form the backbone of a posture that not only puts the enterprise in a better bargaining position but serves the primary purpose of mitigating the risk of cyber-attacks in the first place. Security professionals know better than to rest on their laurels. With these critical first steps done, they must partner with other business leaders to carefully navigate the fine print, exclusions, and the challenges around renewals.