A new report has identified a number of significant shortfalls in modern cybersecurity insurance policies, suggesting that modern threats and remote workforces are often left unprotected.
The report comes from Arceo, which took data from more than 250 Chief Information Security Officers across companies with revenue ranging between $250 million and $2 billion.
Top of the list of Arceo’s concerns was that 77% of respondents said there are a number of security threats they are concerned about but for which insurance companies aren’t currently offering protection.
This is in addition to the 88% of the study’s respondents stating outright that they weren’t satisfied with the performance of their cybersecurity insurance policy.
The report notes that 96% of respondents are in the market for additional cybersecurity insurance policies because workforces are increasingly moving to remote working, which puts them at higher risk of a cybersecurity incident.
CISOs interviewed for the report stated that cloud storage, personal device usage and the use of new or unverified platforms represent the biggest threats to their organisation’s information security, all of which are being compounded by a workforce moving to remote operating.
Andrew Barratt, the UK’s managing director at Coalfire, told Infosecurity Magazine that “cyber-extortion (and extortion in general) has posed problems for the insurance markets because it is difficult to underwrite.”
“In practical terms, the policy typically won’t cover a ransom or extortion charges due to the legalities in different jurisdictions. Also, the ransomware that is typically used to execute extortion scenarios is something that exploits user error – so insurers have a tough time balancing the value of this risk.”
“Risks are more likely to be accepted if an organisation can show they have some controls in place to mitigate or detect issues and that potential exposure time can be controlled.”
This suggests an insurer is more likely to accept risk for cybersecurity protection covering things like extortion in ransomware attacks if an organisation can provide evidence of an information security management system such as ISO 27001.
Isabelle Dumon, vice president of market engagement at Cowbell Cyber, told Infosecurity Magazine that “only a standalone cyber-policy can address this by matching every category of a cyber-incident – data breach, extortion and ransomware, social engineering, fraudulent fund transfer and many more – with specific coverage and relevant definitions, including which device usage – home or office – is covered and much more.”
“Policyholders’ satisfaction directly depends on this, as well as overall value provided whether or not there is a claim made during the policy period.”
According to the report, the most common request from organisations that insurance providers are failing to meet is protection against cyber-extortion such as ransomware attacks, which, as we’ve noted in previous reports, are becoming more prevalent and more expensive for organisations.