Cyber insurance: DDoS and blackmail cause the most expensive damage
SECURITY INSIGHTS | 20 November 2020
While external attacks account for the majority of the damage, internal incidents are the most common cause of cyber damage. Security service providers can help to increase the level of protection, lowering cyber risks and insurance premiums.
A growing number of companies are turning to cyber insurance to minimize potential economic damage from digital attacks. In discussions with the insurance company, individual risks can be assessed and covered as required. The higher the calculated risk, the more expensive the premium at which the insurer agrees to assume the risk and provide coverage in the event of damage. After all, cyberattacks can cause immense damage, not only to the affected companies themselves, but also to third parties. Ideally, insurers will then settle the costs incurred, for example, for the recovery of IT systems or claims for damages from customers due to data loss.
DDoS, phishing, and ransomware attacks currently account for 85% of the damage. An additional 9% is caused by malicious internal actions, and 6% by unintentional internal incidents. This is according to an analysis by Allianz Global Corporate & Specialty (AGCS), for which the insurer reviewed more than 1,700 cyber damage reports from the years 2015 to 2020 totaling 660 million euros.
Unintentional internal incidents such as employee errors when performing daily tasks, IT or platform failures, problems related to migrating systems and software, or data loss were the cause of more than half (54%) of the cyber claims analyzed, measured by the number of claims reports. Cybercrime (DDoS, ransomware, phishing, etc.) accounts for 43% of filed claims, malicious internal actions for 3%.
The main cost drivers for cyber claims are business interruptions, which account for about 60% of the losses. The costs of dealing with data breaches come in second place. Companies that are involved in e-commerce or have digital supply chains are particularly vulnerable to business disruptions. If their online platform fails, or they are unable to access their data, they quickly face a significant loss of revenue.
Overall, the number of reported cyber insurance claims has risen continuously over the past few years: from 77 in 2016 to 809 in 2019. This year, AGCS has already received 770 insurance claims in the first three quarters. This trend is likely to continue in the future, as DDoS and ransomware attacks against companies are on the rise and becoming increasingly complex.
In addition, the digitalization accelerated by the coronavirus pandemic has enormously enlarged the virtual attack surface of many organizations. The level of security in home offices is rarely the same as in the normal corporate environment. This applies both to the hardware and software used and to the security awareness of employees working remotely, which can quickly slip out of focus in the familiar surroundings of their own four walls. All this makes it easier for cybercriminals to gain access to corporate networks and confidential information.
Companies therefore need to counter this with wide-ranging preventive measures to maximize their level of protection. Meeting with the insurance company is only one item on the agenda. Others include obtaining detailed legal advice on liability issues, clarifying responsibilities in the event of an attack, and above all awareness training for employees. Equally important are rigorous monitoring, thorough auditing, and, where possible, penetration testing of both internal processes and externally connected endpoints. Cyber risks can only be effectively minimized by the close interaction of man and machine, as practiced for decades in aerospace.
Professional managed security service providers with industry experience that identify and address potential problem areas can help companies implement complex security and defense strategies. They actively contribute to lowering the risk of occurrence, which usually results in a lower premium for the policyholder when taking out cyber insurance.
As a German technology manufacturer, Myra Security offers a secure, certified Security-as-a-Service platform for protecting digital business processes. Smart Myra technology monitors, analyzes, and filters malicious internet traffic before virtual attacks can do any real harm. Myra DDoS protection is also certified by the German Federal Office for Information Security [Bundesamt für Sicherheit in der Informationstechnik (BSI)] for Critical Infrastructures (KRITIS) according to ISO 27001 on the basis of IT-Grundschutz (the BSI's baseline IT protection standard).