Category Archives: Cyber Risk Management

Unlimited Reinstatements under Cyber Coverage

With cyber attacks rising in number, how can businesses protect themselves against the risk of suffering multiple incidents in a single policy period? Discover the value of a new limit for every unrelated claim.

Today’s stark reality is that cyber attacks are growing in both number and impact, increasing the risk of businesses falling victim to multiple attacks in a single year. In this environment, only having access to a single aggregate limit can leave businesses exposed, with a single incident entirely capable of using the full policy limit. To give businesses reliable protection and peace of mind, they need cover for multiple events in the same policy period.

Many cyber insurance policies fall short in this way but at CFC they built unlimited reinstatements into the core of their insurance product. If a first cyber event wipes out the original policy limit, to ensure a second cyber event is covered they reinstate the limit—helping businesses remain resilient to whatever’s round the corner.

What are unlimited reinstatements?
The majority of cyber insurance providers work with an aggregate limit. Each claim erodes this limit, until the point where no money is left to protect the business—despite them still being a policyholder. If cyber attacks were simple and inexpensive to manage, this wouldn’t be so much of an issue. However, this is far from the case. Increasingly disruptive attack techniques mean that often a single event can max out a policy limit, especially when you take into account the cost of forensics, business interruption loss, remediation costs, legal expenses and so on.

It’s easy to see how this can be a significant benefit. Say one month a ransomware attack hits, taking up the full $1 million limit agreed in the policy—no exaggeration considering the average length of downtime after a ransomware attack is 24 days. When three months later the business is disrupted by a second, unrelated fund transfer fraud incident, the policyholder is given a fresh $1 million limit to cover the costs of this new attack.

Business benefits: Multiple limits for the price of one
With a CFC cyber policy, if an initial cyber claim exhausts the full policy limit and the business then needs to make a second, unrelated claim, they’ll receive a new reinstated limit, allowing for multiple limits at the cost of a single premium payment. Not only does this represent better value for money, but it offers vital, long-term protection throughout the lifespan of the policy. The business can operate with peace of mind, even after suffering a cyber attack, knowing that their cyber policy will respond to its full capacity if another, unrelated cyber attack hits.

Unlimited reinstatements in action
A manufacturing firm suffered two cyber incidents in as many months, starting with a ransomware attack. The threat actor exploited a VPN vulnerability, deploying ransomware and leaving an extortion note demanding $750,000. After the firm notified CFC, their in-house cyber claims and cyber security team determined the ransom did not need to be paid, and instead helped rebuild impacted systems. In total, the financial losses—including loss of income from downtime, forensic investigation and legal counsel—came to just over $1 million. Luckily the entire cost was covered by the firm’s policy with CFC.

Unfortunately, the firm then fell victim to funds transfer fraud. Acting on a fraudulent email, an employee directed a significant payment to an account owned by the cybercriminal, leaving the firm out of pocket. Since CFC’s cyber policy provided unlimited reinstatements, the firm still had access to the full policy limit, ensuring they were fully reimbursed.

Market-leading cyber cover
With cyber incidents posing a constant threat, unlimited reinstatements for unconnected claims in the policy period is a vital tool for businesses everywhere.

At CFC they also don’t impose any warranties or conditions specifying security controls or callback provisions for businesses at the time of an incident. This allows them to focus on what matters, getting a business back online.

To see unlimited reinstatements in action, check out this full case study.

Source: www.cfc.com


Cyber Lessons from the Ashley Madison Affair

A new Netflix series has revived one of the most controversial cyber attacks in history, serving as a stark reminder of the data privacy issues faced by consumer technology companies—the Ashley Madison data breach.

It’s hard to convince people to hand over their personal data without assurances it will be kept safe; something the founders of infamous dating website Ashley Madison were well aware of.

A website for infidelity and married dating, Ashley Madison promised anonymity and privacy for its millions of users, billing itself as ‘100% discreet’. To access its services users handed over personal information including their names and email addresses, their privacy concerns no doubt eased by the dating website’s message of discretion and security. Except in the world of cyber, every business is at risk—particularly those that hold extremely sensitive, personal information.

In 2015 the worst happened; hackers under the name Impact Team infiltrated Ashley Madison’s systems and threatened to release details of its entire user base to the public. In what can be described as a moral attack, Impact Team demanded that the owners of Ashley Madison and its companion site take both websites offline. The owners refused to comply, and the hackers made good on their threat by publishing the stolen data online.

Navigating the fallout: An alarm call for all tech companies
Almost a decade on, the impact of this data breach is more relevant than ever. As portrayed in the popular Netflix docuseries, the hack disrupted the lives of many of its victims, leading to resignations, divorces and, tragically, suicides.

While names and email addresses are not typically classified as highly sensitive, the nature of the website in question placed greater weight behind the need for privacy. Even users who took precautionary measures when signing up to Ashley Madison, such as using fake names and phone numbers, found themselves exposed as Impact Team published credit card details—with other users able to be identified through data such as their height, weight or personal preferences on the site.

It didn’t take long for cybercriminals belonging to other threat groups to take advantage. Sextortion refers to a highly personalized extortion scam, where the threat actor emails individuals their data from a data breach and claims to possess personal videos or photos which they will distribute unless a ransom is paid. The Ashley Madison breach was the perfect breeding ground for this type of attack, with many of its victims being targeted even 5 years after the breach—not only resulting in the stress of managing a ransom demand, but resurfacing the scandal as a whole.

This entire episode raises critical questions for all types of business—not least tech companies storing user data. Do you manage, store and use data? Are you following the privacy laws? Can you do more to keep data safe?

Cyber security: Why it should be top of the agenda
Unfortunately where user data is concerned it’s easy to run into trouble. Earlier this year company review site Glassdoor was found to have attached real names to profiles without the user’s consent. Again, names are not considered sensitive data. But the context of the website makes this data more sensitive, as users may fear retaliation from an employer should they be identified. While Glassdoor claimed that users can choose to remain anonymous, since the website now requires and stores the names of all users, a data breach could see them being linked to their reviews.

This data risk is everywhere. Grindr, a dating website for the gay, bi, trans and queer community, allows the option for users to share their HIV status with other users. While this is a fundamental step in creating a safe community, it’s not information that the user would necessarily share beyond that context. Grindr are currently facing litigation from hundreds of users alleging the company shared their private information, including their HIV status, with third parties without consent.

Like Ashley Madison, all platform and tech providers that hold personal or sensitive information on clients come with significant cyber risk. These companies need to be incredibly mindful of how they collect, store and use information, following data privacy laws and giving customers confidence that data privacy is a priority.

Mitigating cyber risk: Steps for today’s tech companies
Who can say how many companies that store data know how to protect that data? What’s certain is that cybercriminals are becoming increasingly cunning in their tactics, able to steal vast volumes of data at rapid speed and with major consequences. Ashley Madison faced no financial ransom given the moral motive, yet the majority of data breaches do culminate in a hefty demand. This alone can be a huge burden for any business working alone to bear, and when you consider the additional costs that come with a cyber incident—remediation and recovery, restoring data, legal fees, reputational harm, business interruption and so on—it’s no surprise that for some businesses there’s no coming back.

Data breaches are of course just one type of cyber incident. High-profile cases like the Ashley Madison hack demonstrate this risk, however it’s vital that businesses understand the full picture of cyber risk—with ransomware, social engineering and theft of funds attacks growing in frequency and severity—and take steps to protect themselves and their customers.

That’s why comprehensive cyber cover is a vital part of risk management for all technology companies. If you’re responsible for large amounts of data, including third-party data, cyber insurance can offer robust network and privacy liability protection, also providing cover for a wide variety of cybercrime events. More than that, the best policies also come with cyber security and incident response services that can stop cyber incidents from happening in the first place.

Source: www.cfcunderwriting.com


Five Reasons to Buy Cyber

Making the case for cyber insurance can be tough even if it’s clear that nearly all companies would benefit from it. So to help your conversations, CFC has put together the top five reasons to buy cyber.

Here are the top five reasons every business should have a cyber insurance policy.

Cyber security and incident response services come free
Cyber insurance doesn’t just cover financial loss when an incident occurs. A good policy offers proactive protection to stop attacks from happening in the first place, and reactive support to respond efficiently and effectively when they do occur.

From the moment a CFC cyber policy is bound, their global team of cyber experts works around the clock to detect and alert customers to cyber threats targeting their business. If they discover a cyber security issue, their team notifies the impacted business through their app, Response, and takes steps to remediate the threat before it escalates.

The value these services offer to small businesses in particular might just be the greatest benefit a cyber policy can provide.

Cybercrime is growing rapidly
Our increasing reliance on technology and the internet is exposing any business that uses a computer to a world of cybercriminals—who work around the clock to identify vulnerabilities and launch attacks. You’ve likely heard of ransomware, but social engineering scams are also on the rise, leading to significant losses for companies of all types.

At the forefront of protecting against this new wave of crime, cyber insurance provides invaluable cover for a wide range of electronic perils, from wire transfer fraud to ransomware.

System downtime is missed by standard business interruption insurance
When computer systems are brought down, a traditional business interruption policy is unlikely to respond. Considering how almost all businesses rely on technology to some extent, this can result in significant financial loss the business has to bear alone.

Cyber insurance can provide cover for loss of income and extra expenses associated with a cyber event, including legal fees, the cost of remediating the incident, the hiring of expert teams, reputational harm and so on.

Your data is not covered
Data is one of today’s most important business assets, often worth many times more than the equipment it’s stored upon. Yet business owners are often unaware that a standard property policy would not respond if data is damaged, lost or destroyed.

Taking out a cyber policy is a great way to get comprehensive cover for data restoration and even re-creation in the event of a loss.

Complying with breach notification laws costs time and money
Breach notification laws are now commonplace across many territories, and require businesses that fail to protect personal data to notify affected individuals or risk hefty fines and penalties. Australia’s Notifiable Data Breaches Act, Canada’s Digital Privacy Act, Europe’s General Data Protection Regulation, and numerous US state laws make it a legal obligation to notify, and there is also a growing trend towards voluntary notification in order to protect your brand and reputation.

Cyber policies can provide cover for the costs associated with providing a breach notice even if it’s not legally required, and can also cover associated regulatory fines and penalties.

Source: www.cfcunderwriting.com


Six Things Successful Cyber Brokers Know

The case for cyber insurance gets stronger by the day, as cyber incidents grow in cost, cyber attacks become more frequent and cyber policies offer more innovative and effective services. But cyber is still a new market. Businesses often aren’t aware of their cyber risk or the role cyber insurance can play in protecting them. So how can you educate your customers about cyber?

CFC sat down with some of their top-performing cyber brokers to discover their secrets to success. Here are six things they say every broker selling cyber should know:

  1. How to explain cyber exposure simply

    Since lots of businesses are new to cyber, jumping straight into granular detail can feel unrelatable and unconvincing. Businesses don’t need to know the difference between the Cobalt Strike infection and the Log4Shell vulnerability. They care about how they’re at risk, the potential consequences of that risk and how they can prevent it. So stick to the basics and avoid unnecessary jargon.

    It helps to ask the right questions. What cyber security practices do you have in place? Do you consider data privacy? Have you been impacted by a cyber attack before? Your client’s answers will paint a picture of their cyber exposure, so they can understand their risk and how cyber insurance is here to help.

    And there’s nothing better than a strong statistic to back up your points—did you know 72% of businesses worldwide have been impacted by ransomware in 2023?

  2. Key factors that influence the price

    Cyber insurance provides great value for businesses big and small, but in many circles its cost is a topic of discussion. Those new to cyber may point to the price of cyber insurance coming close to more traditional lines, so it helps to know the three big factors that influence the cost:

    1.    Cyber incidents, particularly against SMBs, are the top business risk for the fifth year running
    2.    The average cost of a cyber claim is significant
    3.    Today’s cyber policies offer sophisticated technical services that would be too pricey for SMBs to get on their own

    Learn more about why cyber insurance is a great investment for any business, plus a breakdown of cyber incident costs, in this quick read.

  3. How to handle these top objections

    “I already invest in cyber security.”
    Cyber insurance provides a different service to cyber security; it’s not a question of either/or. Good policies will support the business’s internal IT team or external managed service provider with an expert incident response and business recovery team, while being there to cover financial loss if the worst happens.

    “Cyber attacks only affect big businesses.”
    While it’s attacks on household names that make the news, any business can find itself hit by a cybercriminal. And since smaller businesses tend to have less mature cyber security practices in place, cybercriminals often see them as the more attractive target.

    “We don’t collect sensitive data.”
    Two of the most common and costly cyber attacks we see are actually ransomware and funds transfer fraud, which aren’t necessarily aimed at stealing data. The costs to contain threats, repair networks and restore business operations—or to recover stolen funds—are the insured’s biggest worry. Thankfully, both types of incident are covered under CFC’s cyber policy.

    Use this checklist to find answers for more common objections.

  4. Security assessments don’t tell the full story

    Businesses often use third-party risk reports and vulnerability scans to evaluate their cyber risk. While these assessments give a good snapshot of network health at a specific time, IT environments can change any day. This means assessments don’t reveal much around the level of security across a network, potentially presenting a far more positive picture than is the case.

    Fully understanding when and how risk reports are beneficial will help your clients understand their risk and purchase the correct coverage. We explain risk reports in more depth here.

  5. Good policies offer proactive and reactive services

    Cyber insurance doesn’t just cover financial loss when an incident occurs. A good policy offers proactive protection to stop attacks from happening in the first place, and reactive support to respond to the incident efficiently and effectively.

    From the moment a CFC cyber policy is bound, their global team of cyber experts works around the clock to detect and alert their customers to cyber threats targeting their business. If they discover a cyber security issue, their team notifies the impacted business through their Response app, and takes steps to remediate the threat before it escalates.

    The value these services offer to small businesses in particular might just be the greatest benefit a cyber policy can provide.

  6. The perfect analogy that shows the true value of cyber

    Taking out property insurance in case of a fire is seen as standard practice. Alarms and sprinklers can reduce fire damage, but they can’t remove the possibility of you facing a costly bill and business interruption. It’s the same principle for cyber.

    The most advanced cyber security available can still get caught out by a new vulnerability or threat. Without cover, the impacted business won’t receive support in their incident response and recovery, and it’ll bear the financial burden alone.

    CFC’s cyber policy is the full package. For a smoke alarm they offer proactive cyber attack prevention, for a sprinkler system the largest in-house team of incident responders in market. And at the end they cover any damage and loss of income, helping policyholders get back on their feet.

With today’s cyber policies broadening their cover and protection, and cyber risk escalating at an alarming rate, cyber insurance is set to play a bigger role than ever before. By helping your clients to understand their cyber risk, and how cyber insurance is such a gamechanger, you and CFC can help protect businesses and perhaps even turn the tide on cybercrime.

See how you can best speak to your clients about cyber risk and insurance in CFC’s on-demand webinar.

Source: www.cfcunderwriting.com


Does Cyber Insurance Cost Too Much?

We often hear that cost can make cyber insurance a non-starter for businesses. We get it; broad coverage comes at a price given the value of services provided with a policy these days.

So, CFC has listed below the 5 key reasons a cyber insurance policy is worth the financial investment.

Cyber is a business’ largest exposure
We’re in a digital age and businesses no longer rely on paper trails and filing cabinets. This digital reliance has shifted a business’ assets from tangible to intangible, making them wildly accessible and opening even the smallest of businesses to a whole new era of risk.

Subsequently, most companies today state that cyber risk is in their top three, if not their number one business risk given their reliance on technology. Since the frequency of loss is that much greater for a cyber event than for traditional perils, such as a fire, it makes sense that the cost of cyber insurance today will mirror a business’ largest exposure.

CFC has created a cyber risk heat map, which explains the varying levels by industry. Hint, nearly no business is safe!

Premiums are a fraction of the cost compared to a cyber claim
The price of cyber insurance may seem higher than expected given many still consider it a discretionary purchase, but when you compare the thousands, hundreds of thousands, or even millions in costs that cyberattacks can incur for business, it’s an easy decision to make.

And the severity of those claims continues to rise. According to the latest Coveware report, it’s been noted that fewer victims are paying ransomware demands, so threat actors are demanding more money to compensate for the lower hit rate, making individual claims more expensive.

This lower hit rate on ransomware has also meant hackers are pivoting back to previous attack techniques, with the likes of business email compromise attacks showing an increase of 147% across the second half of 2022 (for SME businesses).

A good cyber policy should offer proactive protection from attacks
At CFC, from the minute the policy is bound, their cyber security team works around the clock to protect businesses against cyber-attacks.

This is a proactive, protective service that identifies potential threats using insights from a variety of sources, including public and private threat intelligence feeds that go well beyond the usual outside-in scanning tools available to insurers. If a cyber security issue is found, their team will reach out through their Response app to work with a potentially compromised business, to eliminate the threat before it can cause harm.

To pay for this level of monitoring externally, a business would need multiple providers, all individually costing upwards of thousands every year. Whereas, all of this work is done for free, as part of the standalone CFC cyber policy, as well as expert incident response and recovery.

Expert incident response and recovery
One of the other critical elements of a cyber policy is the availability of in-house cyber incident response. At CFC, their team of cyber threat analysts, digital forensic specialists and incident responders, CFC Response, is available 24/7 to triage incidents, contain threats, and repair networks if a cyber incident occurs.

Cyber policies cover a lot
A good, stand-alone cyber policy, such as a CFC cyber policy, includes comprehensive coverage.

Many small businesses do not have access to enterprise-grade security teams, threat intelligence feeds that can inform them of whether they are listed on a threat actor’s target list, or access to a multi-disciplinary team of experts who know how to respond to cyber-attacks and complement existing IT personnel.

Equally, should the worst happen, cyber insurance policies cover cyber incident response costs, including IT forensics, legal, breach notification and crisis communications to cybercrime costs that include social engineering, theft of personal funds and cyber extortion.

All told, this can cost anywhere from thousands to hundreds of thousands, and there is no limit to the range of support required during a cyber incident. CFC’s security team estimates that the average downtime following a ransomware attack can be up to 2-3 weeks, and that’s only with the expert assistance of a cyber incident response team provided by an insurer. With a broad policy, the insured can focus on getting their business back up and running, rather than worrying about what will and won’t be covered by their insurer.

It is estimated that cyber-attacks will cost the globe $8 trillion in 2023. Yet, we estimate, less than 20% of businesses have taken out a cyber insurance policy as of today. Cyber insurers are not just there to step in after an attack has taken place, ready to pay the many external teams a business needed to pull in to recover. Instead, coverage from a cyber insurer like CFC protects and prevents attacks on businesses from the minute they bind a policy.

Cyber insurance is not expensive, cyberattacks are. And with the right cyber insurance product, it should be the easiest purchase a business has ever made to cover its largest exposure.

Source: www.cfcunderwriting.com

