A global shift towards working from home during the pandemic and a surge in ransomware attacks over the past year are driving premium prices higher and leading to tougher terms and conditions for cyber-insurance. This highlights why it’s more important than ever for South African enterprises to tighten their information security policies and processes.
That’s according to Paul Lowings, Security Executive at new-age solutions and systems integrator, +OneX. He says that a rise in cyber-insurance claims over the past year and a half is prompting insurance companies to more closely scrutinise the systems, policies and processes in place at companies that hold their cyber-cover policies.
When security is not up to scratch, consequences could include higher premiums, denial of coverage, or the dismissal of a claim from a company that has experienced a breach. This comes at a time when commercial insurers are concerned about new vulnerabilities opening in their clients’ infrastructure due to more people working from home on consumer-grade networks and devices.
Ransomware attacks are spiking
What’s more, there are signs that claims are rising. A blockchain analysis found that the total amount paid by ransomware victims increased by 311% in 2020 to reach nearly $350 million worth of cryptocurrency. High-profile cyber-breaches, such as the suspected ransomware attacks that brought Transnet ports to their knees in July, are driving awareness of the dangers businesses face.
Lowings says that demand for cyber-insurance is growing as South African enterprises become more wary of cyber-risks. The Allianz Risk Barometer 2021 survey shows that South African organisations rank cyber-incidents among their top three business risks. Cyber-insurance is essential in mitigating this risk.
Says Lowings: “Responsible organisations need to plan for cyber-attacks as part of responsible risk management, and cyber-insurance has a key role to play in helping them to alleviate the financial losses, data and systems recovery costs, and liability claims they may face in the case of a serious breach. But as the frequency, sophistication and severity of ransomware attacks increase, so do insurance costs.”
In the US, for example, cyber-insurance prices for at least half of insurance buyers increased by 10-30% in late 2020. “We’re also seeing our insurance partners ask our clients for more details about how they are trying to prevent data breaches and ransomware incidents, as well as how they will handle such incidents when they occur,” says Lowings.
Time to tighten controls
This puts enterprises under pressure to tighten their controls, especially where digital customer self-service and remote work may have opened up new vulnerabilities, he adds. “For a start, the IT and risk departments need to be meticulous about how they answer their insurer’s security questionnaire,” says Lowings. “If there are errors in the documentation, the company might not be able to claim in the event of a breach or loss.”
In addition, companies must focus closely on ensuring that they remain secure and compliant with the terms of their policy throughout its duration. This includes putting the right tools and systems in place and ensuring that they are configured correctly and patched for the latest vulnerabilities.
“End-user awareness and compliance are also key, especially in a remote and distributed workforce,” says Lowings. “Besides implementing tip-top endpoint security, organisations will need to invest in awareness training for their employees, create and enforce data protection policies such as multifactor authentication, and use tools like phishing simulations to test end-user compliance and awareness.”
Landscape grows more complex
Lowings notes that the spiralling complexity and specialisation of cyber-insurance and information security, along with the fast evolution and growing sophistication of cyber-threats, make it difficult for most organisations to keep up.
“We have become even more reliant on technology and data during the pandemic, which means cyber-risk exposure is growing,” he adds.
“Each enterprise needs to think about how it can best protect its business and systems, as well as transfer some of the risk. The risk management and IT functions will need to work together to safeguard the business, often drawing on external expertise to architect, build, manage and deploy security controls, as well as to find the best insurance solutions in case these controls fail.”