Why phishing prevention should be a cyber insurance condition
With cyber risks on the rise and growing demand from businesses, more insurers are jumping into the cyber insurance market.
A report by PwC estimates that the industry will grow to $5 billion in annual premiums by the end of 2018, and $7.5 billion by 2020. Some of the biggest insurers in the space include American International Group, XL Group and Chubb.
But without requiring better measures to prevent cyber attacks in the first place, insurers are leaving the door open to claims and to what some analysts say could be an unsustainable insurance market.
Phishing is now the primary vector in more than 90% of cyber attacks and data breaches. It follows that anti-phishing and email security technology usage should be the primary requirement that insurers look to when pricing and issuing a cyber insurance policy.
Complicated playing field
Cyber insurance policies are designed to mitigate risk exposures by covering some of the costs of recovery. Policies vary, but typically cover the costs of forensic investigations, business interruption and losses due to downtime. They also commonly cover legal expenses associated with the loss of confidential information, and the costs of issuing data breach notifications.
Most insurers that issue cyber policies require companies to follow some best practices, including firewalls, adequate security software and employee education on security awareness. Some may also require an audit of an organization’s processes and governance as a condition of coverage.
Yet while many cyber policies generally insure against first-party breach response, losses and legal liability, they often do not cover losses due to phishing scams. Attorneys at the firm of Reed Smith have said that as insurers face increasing losses because of these (phishing) attacks, they are “attempting to exploit gaps, broadly interpret exclusions and narrow coverage to limit their exposure.” Much of the debate rests on the fact that victimized employees technically “authorized” any payments made. And in some cases, courts have agreed and made a clear distinction between data breaches and what they say are non-covered phishing schemes.
Some insurers have been moving to bridge the gap with “social engineering loss” endorsements that cover losses because of a phishing scam, but many are hesitant to do so until more companies take the extra steps to reduce phishing attempts in the first place. This is quite surprising, considering the FBI reported that business email compromise (BEC) attacks reached record levels in 2017 and have resulted in more than $5.3 billion in losses since 2015.
A simple BEC attack alone can cost an organization between $25,000 and $75,000, but for phishing attacks that more deeply compromise systems, the losses can climb significantly. Dr. Larry Ponemon, founder of the Ponemon Institute, told CSO Online that the average cost of a data breach in 2017 topped $2 million when factoring in losses, disruption, remediation and lost revenues.
Maximizing cyber insurance policies
As insurers strive to better identify the risks and adequately price policies, they could better serve themselves and the market by putting more emphasis on automatic phishing detection, prevention and remediation. The underlying issue is that focusing primarily on response and too little on preparation can create an unsustainable insurance solution. PwC said while cyber insurance is a “potentially huge, but still largely untapped opportunity” for insurers, it is unlike any other insurance they’ve had to underwrite.
With limited data on the scale and financial impact of potential losses, and few measures to prevent them, some analysts question if insurers could handle multiple large-scale breaches and attacks. Stephen Boyer, CTO of risk-rating company BitSight, told Inc.com that most insurance companies are now writing such policies without a means to accurately assess a company’s risk. In fact, many insurers today assess risk simply by asking customers to fill out questionnaires about their security practices.
PwC says the development of effective in-house safeguards is essential in sustaining credibility in the market. The consultancy also argues that while many insurers impose blanket terms and conditions, they would be better served with auditing processes, threat intelligence assessments and exercises to test weaknesses and plans. “As a condition of coverage, you could then specify the implementation of appropriate prevention and detection technologies and procedures,” said PwC.
In today’s complex threat landscape, cybersecurity should entail more than traditional firewalls and secure email gateway solutions. Because it is inevitable that some phishing messages will still appear in inboxes (only 17% of phishing emails were reported in 2017, according to the Verizon Data Breach Incident Report), it is essential that organizations move security down the stack to the mailbox level itself. Even well-respected systems and Fortune 100 companies can no longer thwart complex, socially engineered attacks that lack the signatures and rule violations that traditional security tools scan for.
Advanced phishing threat prevention is designed to make a real dent in the biggest risk organizations face: phishing attacks. For insurers, a company’s investment in modern anti-phishing technology should be the most important criterion when pricing and issuing a policy; otherwise they are simply leaving the door open to excessive claims that they won’t be able to fulfill or may have to spend time and money litigating. This will become especially burdensome as the courts work to close loopholes around social engineering losses.
Phishing threats will not diminish any time soon, so the time is now for cyber insurance adjusters to elevate the importance of anti-phishing and email security technologies to the top of the requirements list.