Key Takeaways
Ahead of 2024, cybersecurity positioned itself as a top business concern. In its Top Strategic Predictions, Gartner reported that generative AI would further fuel malinformation (using information for phishing, catfishing, doxing, swatting, etc.), creating more sophisticated cyberattacks. As a result, the role of CISOs will take center stage as they evolve with these new threats, and cyber liability remains a must-have for companies to stay ahead of the curve to protect their digital assets.
Cyber Insurance Market Update
2023 revolved around AI’s ability to empower professionals in their quest for more efficient and quality work. However, in the backrooms, malicious actors were developing generative AI to make attacks smarter and more resilient, and new threat vectors were born.
Gartner’s report highlights that 10% of cybersecurity and marketing budgets will go toward fighting malinformation. This year, as industries continue discovering the advantages of AI, they will also begin grappling with its effects when used for harm. Let’s take a look at the most common cyberattacks in 2023, the latest cyber trends and the most impacted industries.
Common Cyberattacks
As technology evolves, so do cybersecurity and its threats. To stay protected, it’s essential to review the most common cyberattacks and how they have shapeshifted to penetrate more sophisticated systems. What are some of the most common threats right now?
- Phishing: These attacks usually come in the form of links in seemingly credible emails, with many being written by AI to seem more lifelike. They target a company or individual’s sensitive data like passwords and credit card information or simply install malware in their system. In their Business Cybersecurity Threat Report, Comcast revealed that phishing attacks made up 9 out of 10 of their customers’ breach attempts in 2023.
- Malware: This attack seeks to gain access to systems to install malicious code (viruses and worms), block access to critical assets (ransomware) or steal information (spyware). Some of the most high-profile cyberattacks come from ransomware, in which hackers blackmail companies or individuals, who must pay large sums of money to regain access to their systems.
- Distributed denial-of-service (DDoS): DDoS overwhelms systems or networks with fake traffic to render them useless — leading to downtime and financial and reputational losses. Recently, hackers have been using AI to automate DDoS attacks, making it easier to generate malicious traffic.
- Zero-day exploit: These attacks usually happen during the window of time between a vulnerability announcement and its resolution (patching). Many companies keep their customers updated on cybersecurity issues but often take too long to patch their systems after reporting a mishap; that’s where malicious actors exploit these vulnerabilities.
2023 Cyber Threats in Retrospect
2023 saw a surge of cyberattacks stemming from hacker groups becoming more organized and laser-focused on critical industries like healthcare. Undoubtedly, this reflects changes in how companies protect themselves with higher risk management and how insurers approach cyber liability. Let’s review some of the trends that are redefining the insurance landscape:
- AI and automation: The rise of AI marked a new concern for CISOs, but also an opportunity. While many feared AI could be used for malicious purposes (and it has been), others have adopted it to defend their systems more efficiently. For example, teams are automating threat analysis and attack vector monitoring, resulting in faster vulnerability detection and a higher security level.
- Greater cloud computing adoption: After a 2023 filled with successful SaaS startups and cloud innovations, end-user spending on cloud services is set to grow by over 20% in 2024. More businesses are seeing the need to digitize their operations and become more functional by hiring third-party services hosted in the cloud. This is especially true for generative AI services, which are widely available in the cloud and let companies improve their services and products by leveraging the latest AI trends.
- More cybersecurity awareness programs: After realizing that cybersecurity is at the core of all company operations, leaders have enhanced their awareness programs to train employees to detect possible threats and react to them. For example, the legal space is taking bigger measures in cybersecurity after a record year of cyberattacks against law firms and the government. The American Bar Association passed three resolutions in 2023 urging governments, private law practices and law schools to raise more awareness on the subject and educate the community.
- Spike in ransomware payments: While phishing attacks continue to be more prevalent, ransomware attacks still managed to break records in 2023 with the highest amount ever paid by victims: over $1 billion. This concerned companies that lowered their guard after attacks of this kind decreased in 2022, when higher cybersecurity measures became the norm. Ransomware groups upped the ante in 2023 and performed several high-profile attacks.
Industries With the Most Cyberattacks
As attacks became more targeted in 2023, industries that handled the most critical data were in the eye of the cybersecurity storm. According to Verizon’s 2023 Data Breach Investigations Report, public administration suffered the most incidents, followed by information and finance.
- Public Administration: 3,270
- Information: 2,105
- Finance: 1,829
- Manufacturing: 1,814
- Professional, Business, and Consumer Services: 1,396
- Healthcare: 522
- Education: 496
- Entertainment: 432
- Retail: 404
How Cyber Liability Benefits Companies of All Sizes
Cybercrime’s sophistication lies in how organized it has become and how new technologies are ingrained in its practices, allowing hackers to target companies big and small. These days, no one can afford the luxury of being complacent about their cybersecurity.
In fact, executives might think cyber criminals just go for the big fish. However, 73% of small businesses in the US were targeted in 2022. While it seems counterintuitive, there’s a myriad of reasons why small companies make up a big chunk of the victims, like being a way into big companies’ supply chains and enforcing fewer cybersecurity measures, making them easy prey.
Now that it’s clear cyberattacks spare no one, companies must consider protecting themselves with Cyber Liability Insurance tailored to their needs — whether it’s a SaaS company handling sensitive customer data in the cloud or a healthtech providing vital and timely services to hospitals.
Just as Directors and Officers insurance is crucial in protecting executives from litigation, Cyber Liability insurance helps companies weather the aftermath of a cyberattack on both the legal and financial sides. More specifically, this coverage supports companies with cyber extortion losses, costs related to notifying affected parties, loss of or damage to electronic data, and loss of income or extra expenses from service downtime.
The Top 3 Most Critical Cyber Liability Lawsuits of 2023
Company | Lawsuit |
---|---|
The SEC Sues SolarWinds | For the very first time, the Securities and Exchange Commission (SEC) filed a lawsuit against a company instead of charging them and reaching a settlement. It was SolarWinds, a software company providing services to the US government. In late October, the SEC alleged that the company defrauded investors by not disclosing crucial cybersecurity gaps in their systems when the company was going public in 2019, leading to a major cyberattack on the Departments of State, Treasury, Homeland Security, Commerce and Energy, among others, in 2020. |
Class Action Lawsuit Against Five Ontario Hospitals | A $480 million class action lawsuit was filed in November 2023 against five hospitals in Ontario, Canada, and their software provider for a cyberattack that exposed the information of over 267,000 people, some already posted on the dark web by the hackers responsible. The plaintiffs say they have suffered grave mental health consequences from knowing their sensitive information is out in the open, leaving a worrying precedent for the Ontario healthcare system and its patients’ trust. |
240 Class Action Lawsuits Against MOVEit Set New Standards | In May, file-transfer company MOVEit suffered from a massive data breach that left the information of over 2,600 organizations exposed, including US government entities, the country’s largest pension fund and IBM. With social security numbers and other personal information on the line, 240 class action lawsuits were filed against the company, consolidating into a single multi-district litigation (MDL), the first of its kind in a third-party vendor cybersecurity case. The development of this MDL could set a precedent for how cybersecurity cases are tried regarding third-party vendors. |
Factors Impacting Cyber Insurance Pricing
Every insurance policy is different as it adjusts to specific company needs, driving prices up or down depending on internal aspects. Moreover, external factors also affect prices — like a surge in general cyberattacks in certain industries. Some experts believe prices will stabilize in 2024, while others think they might experience a spike. Here are the top reasons Cyber Liability insurance costs fluctuate:
- Industry: Industries that inherently handle sensitive information, like healthcare, fintech and SaaS, might experience more cyberattacks than other less critical industries. It all depends on the level of information industries grapple with.
- Company size: Companies with 100+ employees deal with more attack surfaces than a small or medium business with 30 or fewer employees. Company phones, laptops, third-party vendors and a higher number of customers also control insurance prices as stakes grow according to company size.
- Team location: With hybrid and remote roles rising post-pandemic, insurance companies had to start factoring team location into their premiums. For example, a fully remote team means systems are cloud-based and are exposed to each person’s laptop cybersecurity. Plus, remote team members also mean considering the state and federal laws where each is located and whether certain countries are more exposed to cyberattacks than others.
- Company revenue: A company’s financials must always be accounted for when calculating insurance price, as more revenue entails bigger losses in case of a cyber threat.
- Security levels: As risk management has it, insurance companies must perform due diligence and ascertain whether a company has optimum cybersecurity measures in place. The more protected businesses already are, the less insurers worry about potential cyber claims.
Cyber Insurance Outlook for 2024
The cyber insurance market in 2024 presents a mixed picture. While a period of softening rates in 2023 may have offered some relief, experts predict a potential hardening due to rising concerns about systemic cyber risks. Ransomware remains a top threat, but data breaches and privacy violations are gaining prominence.
Insurers are demanding stricter security measures from applicants and focusing on prioritizing vulnerabilities during risk assessments. This may lead to higher premiums for companies with inadequate cybersecurity practices. We expect to see insurers continue to lean on prerequisites before binding coverage.
However, for those demonstrating proactive risk management, the market may offer more favorable terms. Overall, 2024 is likely to see a renewed focus on collaboration between insurers, businesses, and security experts to combat the evolving cyber threat landscape.
5 Tips to Manage Cybersecurity Risks
Cybersecurity is a continuous effort and a journey rather than a destination. Sometimes, it feels impossible to map out all vulnerabilities and keep them under control. However, there are ways companies can reduce their risks to a minimum by enforcing practices to manage risk through cybersecurity risk management.
Update and Upgrade Software Regularly
Quality IT teams always upgrade systems to new tech standards and ensure employees are aware of updating their software whenever needed. On the other end, employees might not always find it relevant to run updates or simply forget, so IT teams that go above and beyond must send constant reminders and bring light to the importance of updating software — as new patches and features are integrated to avoid vulnerabilities.
Control Account Access
IT teams also ensure that only the necessary people can access critical parts of company systems. Reducing the logins attached to sensitive data helps minimize attack surfaces as fewer gateways exist to this information, leaving hackers with fewer options to enter.
Enforce Resilience With Recovery Plans
A cyber resiliency report revealed that only 7% of SMBs believe they will experience a cyberattack in the next year. This leads companies to skip disaster recovery plans (DRPs) for cybersecurity, even though what happens after an attack is crucial to business continuity. While IT teams are the ones to design recovery plans, it’s up to every company leader and employee to get involved in risk management strategies to recover from a threat quickly. As a result, companies won’t experience as many negative impacts as those who aren’t cooperative in the face of a cyberattack.
Use Multi-Factor Authentication
Multi-factor authentication (MFA) can mark the difference between a vulnerable entry point for malicious actors and a safe entrance for staff. Enforcing MFA on company logins helps companies strengthen their security systems by verifying users before they enter. With tech advancements, MFA is becoming smarter with secondary authentication apps and even biometric data.
Host Cybersecurity Awareness Programs
An employee is a company’s most vulnerable entry point. As previously mentioned, phishing attacks are still some of the most prevalent due to poor employee training. Awareness programs can lower the chances of hackers penetrating systems through fraudulent links accessed by staff. Likewise, educating employees about the importance of cybersecurity will turn it into a constant habit rather than a forgettable chore.
Cyber insurance is cementing itself as essential coverage for startups, showing investors, customers, and regulators that young companies are committed to running their services securely. At Founder Shield, we recognize the importance of cybersecurity in today’s digital world and count on experts who take a detailed look at each company’s needs to tailor the most suitable cybersecurity insurance for them.