Businesses are finding it difficult to protect themselves against the increasingly diverse range of tactics deployed by cyber criminals and cyber insurance is underused. Recently, organisations have experienced a rise in destructive malware attacks, for instance, which are designed to shut down information access and obliterate system functions on victim machines.
Destructive malware, including ransomware that employs a “wiper” element, is on the rise, according to recent research by IBM X-Force Incident Response and Intelligence Services (IRIS). It saw a rise in cases of 200% during the first half of 2019 compared with the second half of 2018, it said.
IBM X-Force IRIS data showed organisations hit with destructive malware can experience a total loss of $200 million. Large multinational companies take an average hit of $239 million per incident, it estimated. The cost of remediation, equipment replacement, lost productivity, and other damage makes destructive malware attacks far pricier than typical data breaches, which averaged $3.92 million each, according to estimates from the Ponemon Institute.
Unlike a traditional data breach, which typically targets intellectual property or other valuable information, a destructive malware attack aims to shut down a target’s corporate environment. Half of destructive malware cases targeted the manufacturing industry. Other popular targets were in the education or oil and gas sectors.
The firm recommends that businesses consider segregating and minimising privileged accounts and ensuring the same account cannot be used to access every critical system. It is critical to protect company backups, otherwise paying a ransom may be the only way a victim can get its information back, it said.
In August, the industry body the Association of British Insurers revealed that 99% of claims made (207) on ABI-member cyber insurance policies in 2018 were paid. It said that this is one of the highest claims acceptance rates across all insurance products. But the take up of cyber insurance products for business stands at only 11% and is about only a tenth of the size of the market for UK pet insurance, suggesting that cyber insurance is underused. Many standard policies are “silent” over whether businesses are covered, making specific cyber-related insurance more important.
“The UK has the potential to be a world leader in cyber insurance, but the inability to access raw breach data risks limiting the potential of the market,” an ABI spokesperson said. It said that the Information Commissioner’s Office has so far refused to make anonymised cyber breach data publicly available. ABI said this would enable insurers to price risk more accurately and manage exposure more effectively by feeding this data directly into their modelling. Ultimately this would make cyber insurance more widely available, more accurately priced and better tailored to each business, it said.
What does cyber insurance cover?
While individual policies may differ, the ABI says that typical cyber insurance policies cover the following risks: