Do you have the right level of protection against cyberattacks? Does your current insurance even cover them? What about cyberinsurance?
If you’re not sure, you’re not alone. At our recent Fraud Prevention Institute, Katharine Hall, senior vice president and cyberpractice leader with Aon, and Chetan Sehgal, partner, forensic disputes and investigation with BDO Canada LLP, discussed how to manage the cyber-risks that plans and organizations are facing.
Cyberattacks Are on the Rise
In 2018, the total cost of cybercrime was around $600 billion—and this is estimated to rise to a whopping $2 to $6 trillion in 2022, said Sehgal. “There’s a whole market out there for our information,” he noted.
Types of cyberattacks can include malware and ransomware, as well as SQL injection and phishing attacks, Sehgal explained. Social engineering—for example, impersonating an executive to get a fraudulent invoice paid—is also very common.
The reality is, even after security awareness training, employees are still susceptible to cyberthreats. “What is the weakest link within the antifraud system? The human interaction,” he added. And the damage can be considerable, including financial loss, business or service disruption and loss of intellectual property.
The Challenges of Cyberinsurance
As with any risk, you can deal with cyber-risk in one of four ways: avoid it, mitigate it, accept it or transfer it, said Hall. But if you’re looking to transfer a portion of that risk through insurance, don’t automatically assume you’re covered, she cautioned.
While cyberinsurance has been around for a while, until recently, it hasn’t had much uptake. Organizations may have been able to piece together some coverage from existing policies (e.g., business email compromise, or kidnap and ransom). However, many carriers don’t want to cover cyber because they don’t fully understand the risks, said Hall. “Those extensions were never properly written; they were never properly considered and were never properly priced.”
Today, types of insurance available to mitigate cyber-risks include cyber liability insurance and commercial crime insurance, she explained. Organizations may consider coverage for network business interruption, system failure, dependent business interruption/system failure, cyber extortion and digital asset restoration, as well as privacy and security risks.
However, cyberinsurance isn’t that easy to get these days, said Hall, noting that the underwriting has become much more rigorous. Before agreeing to provide insurance, the carrier will likely ask detailed questions on the organization’s existing cyber-risk management practices, such as multi-factor authentication, endpoint protection and response, and phishing exercises or cyber awareness training for employees. “The proliferation of ransomware has really hit the insurance industry hard,” Hall added.
Best Practices in Cyber-Risk Management
To ensure organizations are appropriately managing their cyber-risk, Hall and Sehgal’s top three recommendations are as follows:
- Create a culture of cybersecurity—it can’t be just IT’s responsibility;
- Hire a qualified Chief Information Security Officer (CISO); and
- Regularly review your cyberposture, including assessment, quantification, insurance and incident response readiness.
It’s critical for organizations to continually reevaluate their cyber-risk as they grow and evolve over time, Hall added. “The best thing you can do is be prepared.”
Learn More About Benefits Fraud
The Fraud Prevention Institute for Employee Benefit Plans Virtual Conference is available on-demand through August 19, 2021. Access the entire conference to learn more about emerging trends in fraud prevention, the latest in cybersecurity and deterrence of data breaches, and guidance for internal controls and risk prevention.
[Related Reading: The Psychology of Benefits Fraud: Why We Lie to Ourselves]
Director, Education and Outreach – Canada