Do You Need Cyber Insurance?
The World Economic Forum forecasts that cybercrime will skyrocket in coming years, with the global cost of cyberattacks expected to reach $23.82 trillion in U.S. dollars by 2027. While large cyberattacks like the Royal Mail ransomware attack in the UK, the LastPass data breach, and the Toyota Financial Services attack make headlines, smaller companies are at high risk, too. There are more than 2,200 cyberattacks reported daily, with a cybersecurity incident taking place on average every 39 seconds.
Attacks on small businesses now account for 43% of all cybercrime, with an average cost of $200,000 per incident—enough to put many smaller companies out of business entirely. Small to medium-sized enterprises are often seen as low-hanging fruit by cyber criminals due to typically weaker cybersecurity defenses, and many lack the resources to fully recover from a cyberattack.
That’s why cyber insurance is becoming increasingly necessary for businesses of all sizes and industries. Cyber insurance is a crucial safety net for companies in an era of increasingly pervasive cyber risk. This is especially true for organizations in healthcare, financial services, manufacturing, energy and utilities, and government sectors, which can provide tempting targets for ransom attacks as well as data theft. However, any organization handling sensitive customer data or intellectual property can be at risk of a data breach.
What Is Cyber Insurance?
Cyber insurance, also known as cyber liability or cyber risk insurance, is a type of insurance product designed to help organizations mitigate risk exposure by offsetting the costs associated with recovery after a cybersecurity breach. The scope and specifics can vary widely between policies and providers, but typically, cyber insurance covers a range of damages resulting from cyber incidents such as ransom attacks, data breaches, phishing scams, malware attacks and Denial-of-Service (DoS) attacks.
Cyber insurance may offer either first-party or third-party coverage—or, ideally, both.
- First-party coverage in cyber insurance covers direct costs that a business incurs due to a cyber incident. These may include expenses related to data recovery, business interruption, cyber extortion demands and crisis management efforts following an attack.
- Third-party coverage provides protection against claims made by external parties affected by a cyber incident in which the insured business is involved. This covers legal defense costs, settlements and judgments related to data breaches, privacy violations, and failure to prevent cyber threats that impact others.
The specifics of what cyber insurance covers can vary widely based on the policy, so it is important to check your policy carefully. For example, some policies may not cover ransoms demanded by cyber-criminals but cover other first-party damages, such as data recovery costs.
Costs for cyber insurance are also highly variable, based on factors such as company size and revenue, the type and volume of sensitive data collected and stored, the regulatory environment the company operates within, and industry sector. Cyber insurance companies will review the organization’s overall cybersecurity posture and risk profile. The strength of a company’s cybersecurity measures—including network security and user authentication systems—can have a significant impact on cyber insurance premiums.
Cyber Risk and the Importance of User Credential Protection
Companies are at risk for many different types of cyber-crime and attacks, including:
- Data Breaches: Unauthorized access to or theft of corporate or customer data.
- Ransomware Attacks: Malware that encrypts an organization’s data, with attackers demanding a ransom to provide the decryption key.
- Phishing Scams: Fraudulent communication that tricks individuals into providing sensitive data or installing malware.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) Attacks: Overwhelming a system’s resources to make it unavailable to users.
- Malware Attacks: Malicious software designed to disrupt, damage or gain unauthorized access to a computer system or network.
- Social Engineering Attacks: Manipulating individuals into breaking normal security procedures to gain unauthorized access to systems or data.
- Cyber Extortion: Threats to attack a company’s digital assets or release sensitive information unless a ransom is paid.
Some of the most common cyberattacks involve compromised user credentials. User credentials may be stolen as part of a larger data breach or through installed malware such as keyloggers. Users can also be tricked into revealing their usernames and passwords through phishing scams—for example, by entering their credentials into a fraudulent website reached through a link they receive in an official-looking email or text. Sophisticated social engineering attacks may be used to target individuals, often through emails or even voice calls by individuals claiming to act on behalf of company management or IT.
According to Google Cloud’s 2023 Threat Horizons Report, password-related breaches as a result of stolen or compromised user credentials make up 86% of successful cyberattacks. Once a cyber-criminal has the user credentials for an insider with the right permissions, they are able to gain access to sensitive company information, which may include protected customer data, company financials or personal information for employees. They may also be able to install malware or ransomware or engage in other activities that disrupt operations.
That’s why a robust user authentication process is such an important part of a company’s cybersecurity plan. Passwordless authentication and phishing-resistant forms of multifactor authentication (MFA) can help companies significantly reduce the risks posed by stolen or compromised user credentials.
- MFA is a security process that requires users to provide two or more verification factors to gain access to a resource, such as an application, online account, or a VPN. Instead of just asking for a username and password, MFA requires additional verification methods, such as a code sent to a smartphone, a fingerprint, or a facial scan, making it much harder for unauthorized users to gain access.
- Passwordless authentication eliminates the password entirely, instead relying on a user credential stored in a radio-frequency identification (RFID) card or token or on a smartphone. RFID or mobile credentials can be used as part of an MFA process to improve security.
Meeting Authentication Requirements for Cyber Insurance
Cybersecurity measures, including strong user authentication policies, play a strong part in coverage and rate decisions for cyber insurance. Some insurance companies require organizations to implement some form of MFA to receive coverage or secure preferential rates.
The most common forms of MFA include one-time codes (sent by SMS text or email or generated by an authenticator app on the smartphone) and push notifications (in which the user must accept or deny a new login attempt on a trusted smartphone or other device). However, these phone-based forms of MFA are still susceptible to phishing and social engineering attacks, as well as other vulnerabilities, such as SIM card attacks and push bombing. For maximum security, cybersecurity experts such as the U.S. Cybersecurity & Infrastructure Security Agency (CISA)—and some insurance companies offering cyber insurance—recommend that organizations implement phishing-resistant forms of MFA.
Passwordless authentication systems using RFID or mobile credentials combined with a user PIN have been recognized as a highly effective form of phishing-resistant MFA:
- The secure user authentication key is unknown to the user, so they can’t be tricked or coerced into revealing it.
- If the card or smartphone is stolen, it is useless without the secondary PIN. Conversely, the PIN can’t be used alone without access to the physical card or device.
- When using mobile credentials on a smartphone, biometrics can be used instead of a PIN as a secondary authentication factor.
ELATEC makes moving to phishing-resistant MFA simple for organizations, helping them comply with modern cybersecurity standards and cyber insurance requirements. The TWN4 line of RFID readers supports virtually any RFID transponder technology along with mobile credentials via Bluetooth® Low Energy (BLE) or Near-Field Communication (NFC). Employees simply log onto their work laptop or desktop using the ID card they already carry or a mobile credential on their smartphone—no password required. Passwordless login using RFID can be combined with single sign-on (SSO) software to simplify access to files and applications on the business network.
Interested in learning more about implementing phishing-resistant MFA to meet cyber insurance requirements? Talk to an authentication expert.