Businesses are struggling to keep pace with the risks and costs associated with cybercrime. We’ve seen a surge in sophisticated incidents involving social engineering and AI. Most business owners underestimate the true extent of the risk to their organizations from not having adequate coverage.
Decision-makers need to recognize that general liability policies simply don't cover the damages caused by cybercrime. CISOs must engage others in leadership, particularly CFOs, to ensure that their organizations have adequate coverage.
A general liability policy does not cover cybercrime. “The CFO may feel like $50k in cyber coverage is adequate. But that is like dropping a dime in a mailbox,” says Ralph Pasquariello, veteran cyber insurance expert with the firm Snellings Walters. “If their business drops or stops because of a cyber incident, then they expect business interruption insurance to cover the revenue loss. But the company must have cyber insurance or business interruption is not covered.”
Pasquariello urges management to game it out: what does it look like when the big event happens? What will it cost? For even a midsize organization, $3 million in business interruption insurance isn’t enough — not even close. The revenue loss is huge for a $500 million company that’s down for three weeks. Add on forensics and reputational harm, and you’re looking at closer to $12 to $20 million.
To even qualify for cyber insurance, insurers want to know if a potential client is taking defined steps to protect the organization. “Underwriters want to see the organization uses multifactor authentication,” says Pasquariello. “MFA won’t solve everything — it’s a tiny piece. But it is fundamental.”
“I got a panicked phone call from a CISO client. Someone who sounded like the CEO said these funds — $650,000 — had to be wired immediately. It sounded legit. The circumstances required knowledge of the client, which the caller had. It was a Friday afternoon on a holiday weekend. The money got wired, and the situation became clear the following Tuesday. By then, it was too late to claw back the money.”
It is essential to understand that cyber liability insurance companies do not provide policies that cover cybersecurity oversight, avoidable mistakes, and negligence responsible for data loss or data theft, potential future lost profits, or loss of value due to theft of your intellectual property. While cyber insurance is a critical component of a comprehensive cybersecurity strategy, it should not be seen as a substitute for proactive measures to protect your organization from cyber threats.
Moreover, it's crucial to assess your organization's needs. Remember: 85% of companies experience at least one ransomware attack per year; three out of four have experienced more than that.
9 out of 10 cyber attacks can be traced back to mistakes inadvertently made by employees. So, keeping cyber-safe behavior top of mind for them is crucial to protecting your company.
The solution: keep your employees engaged in cyber-security all year round. Offer snackable and relatable content they can apply to their daily work life and bring to their families at home with Aware Force.