Every second of the day, a digital miscreant steals or copies data from at least 30 accounts, according to new data published by the data privacy agent Incogni. Based on that statistic, cybercriminals were responsible for pilfering data from more than 2 billion online accounts during the past two years.
In view of this situation, one might imagine that insurance focused on cybersecurity would be front of mind for business owners and risk managers. However, a recent survey conducted by BlackBerry and Corvus Insurance of 405 information technology and cybersecurity decision makers at U.S. and Canadian companies found cyber insurance is conspicuously lacking.
The survey found that while 55% of respondents had cyber insurance, only 19% had ransomware coverage limits above the median ransomware demand amount ($600,000). More than one-third (37%) of respondents with cyber insurance lacked coverage for ransomware payment demands, and 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime. Among small and midsized businesses with fewer than 1,500 employees, only 14% had a cyber insurance coverage limit in excess of $600,000.
Furthermore, 28% of respondents said they “intend to acquire coverage shortly.” However, 34% of respondents who tried to obtain this coverage were denied due to their inability to meet the carriers’ endpoint detection and response eligibility requirements.
“The cyber underground is increasingly sharing learnings and partnering to make threats as efficient as possible,” said Shishir Singh, BlackBerry executive vice president and chief technology officer of cybersecurity. “For uninsured and under-insured organizations, this potentially puts them in extreme jeopardy. It’s vital that businesses strengthen their security posture against these threats by supplementing insurance with a prevention-first software approach that lowers their overall risk.”
The cyber insurance question has become so acute that in June the U.S. Government Accountability Office (GAO) recommended that the U.S. Departments of Homeland Security (DHS) and the Treasury determine if a federal “backstop” was needed for cyber insurance policies that offered protection against attacks on critical infrastructure. This backstop would be similar to the government’s agricultural insurance programs covering crop failure and would fill a void created by the lack of an active private sector market for this type of coverage.
“Although federal agencies do not have a comprehensive inventory of cybersecurity incidents, several key federal and industry sources show (1) an increase in most types of cyberattacks across the United States — including those affecting critical infrastructure, and (2) significant and increasing costs for cyberattacks,” said the GAO’s report, adding that “future cyber incidents could result in systemic risks for the United States.”
The GAO noted that since Congress has yet to take the lead on this issue, it would be incumbent upon the Executive Branch departments to provide “federal assistance (that) would help ensure that any response balanced and appropriately safeguarded public and private interests.” To date, neither DHS nor the Treasury has publicly responded to the GAO report’s recommendations.