Due to a sharp increase in cyber attacks and consequently high loss figures, it has become more difficult for companies to take out cyber insurance. But what role does such insurance play at all in the context of a company’s own IT security concept? Alexandra Köttgen, Deputy Division Manager of the Digital Risks Industry Division at Funk, and Andreas Pankow, CEO of DGC Switzerland AG, explain what matters in information security today and how the transfer of risk toward cyber insurers can succeed.
How do you assess the risk for companies to become victims of a cyberattack?
Andreas Pankow: We are seeing a significant increase in cyber attacks. This can be attributed both to the current geopolitical situation and to the potential threats that have been growing continuously for several years due to the exponential advance of digitization. In practice, this can be seen, for example, in the fact that our experts are detecting a sharp rise in the number of vulnerabilities using our IT security tool cyberscan.io®, among other things. At the same time, we are seeing a significant increase in the number of phishing e-mails, which can be seen as an early indicator of an increasing threat situation. Attackers use fictitious e-mails and links to try to gain access to systems or to trick unknowing employees into releasing confidential information in order to carry out a cyber attack later.
For medium-sized companies, the acute danger lies primarily in the fact that they are hardly prepared for the dynamics and scope of digitization. IT security was not considered to the necessary extent during accelerated digitization processes during Corona, but also in the course of the generation change in corporate management – partly due to ignorance, partly due to a lack of time and skilled workers. Most companies are not equipped to deal with growing IT risks, either in terms of personnel or infrastructure. The fact is, however, that a successful cyberattack on SMEs occurs every 30 seconds in Germany. Decision-makers should respond to this toxic situation.
Alexandra Köttgen: I can only confirm this assessment from the perspective of an insurance broker and risk consultant in the field of information security. At Funk, we have been seeing a sharp rise in the number of claims we report to cyber insurers for several years now. The increase is enormous: qualitatively, but above all quantitatively.
it-sa Expo&Congress – 25.10. – 27.10.:
Meet our experts in Nuremberg
You can find out more insights on the topic of “Cyber insurance: The right IT security concept for risk transfer” during the joint expert talk by Alexandra Köttgen and Andreas Pankow at the it-sa Expo&Congress in Nuremberg.
Is that why medium-sized companies need cyber insurance?
Alexandra Köttgen: Interest in cyber insurance has increased significantly in view of the threat situation. In many places, there is a rethinking of the importance of IT security. However, we still see a lot of catching up to do when it comes to introducing necessary measures and continuously improving these standards. Decision-makers should know that appropriate budgets must be created for these important tasks. Cyber insurance should be seen as the last logical step in this process. For successful conclusion, existing security standards must be continuously optimized and adapted to new requirements – this is what providers demand today. Only when these framework conditions are met and awareness is also present at management level, does cyber insurance prove to be a sensible and important addition.
Andreas Pankow: First and foremost, companies need a coherent IT security concept. This should address all aspects of cybersecurity, from prevention to the day-to-day handling of vulnerabilities and attacks to response. Because one thing is clear: cyber insurance only covers a residual risk – and there will always be one, even with the greatest efforts – if all possible security measures have really been taken in advance.
The main reason for the residual risk is that developers and programmers at software companies make mistakes after an average of 1,000 characters have been coded. In view of the rapid pace of digitization, fast release cycles and constant updates, new security vulnerabilities are constantly emerging in software products or network environments. Manufacturers, cybersecurity experts and ethical hackers do not always succeed in finding these gaps in time. It happens that previously unknown vulnerabilities are exploited beforehand by cybercriminals – we speak of zero-day exploits in this context. Insuring the associated imponderables therefore proves to be effective in combination with a coherent security concept.
How is the cyber insurance market responding to the tense IT security situation?
Alexandra Köttgen: Insurers are confronted with a large number of claims. In 2021, for example, this led to individual insurers using up all their premium income from claims figures and reserves as early as January. The market reacted to this with massive premium adjustments of over 100 percent in some cases. In some particularly drastic cases, we have even seen premium adjustments of up to 3,000 percent.
Insurance capacities have also changed significantly: In 2015, it was still possible to purchase capacities of 25 million euros and more from one risk carrier. Today, we are miles away from that. In the meantime, only five million euros, or even ten million euros with individual providers, can be insured per cyber insurer.
In addition, insurers have increased the requirements for IT security measures.
Overall, this development may be annoying for companies. However, it also ensures significantly more transparency, since it is communicated very clearly what can be insured at what value – and what cannot.
Andreas Pankow: DGC is also observing a paradigm shift in the market, ranging from the original completion of a simple questionnaire to today’s in-depth IT security audit. Cyber insurers are thus striving to significantly reduce claims, otherwise their business model would hardly be profitable in the future. As a result, companies today must meet much higher security standards.
What should companies do to gain access to cyber insurance?
Alexandra Köttgen: In a nutshell, the insurers want companies to deal independently with the entire complex of information security and the growing threat situation in order to initiate the necessary countermeasures. Currently, the focus of cyber insurers is strongly on the area of ransomware resilience: they are taking a close look at how companies are positioned in the area of vulnerability and patch management. Current must-haves for taking out insurance are also multi-factor authentication and contingency planning.
Andreas Pankow: Companies should approach the topics mentioned strategically and holistically. In addition to penetration tests, with which the IT infrastructure is deeply scanned for vulnerabilities, it is, for example, a matter of continuous vulnerability monitoring. It must be ensured that sufficient personnel resources and expert knowledge are available to interpret any vulnerabilities found and to close them promptly. This important task should always be tackled in collaboration with a specialized service provider.
In the course of this, it is essential to sensitize all employees to this topic as part of security awareness training and other training measures. All employees must be continuously informed about dangers and trained in how to deal with risks and use tools.
How are the Funk Group and DGC helping to increase IT security levels and resilience against cyber attacks?
Alexandra Köttgen: We try to prepare our customers as best as possible for the risk transfer and start with a detailed inventory of the technical and organizational IT measures. Based on this, we can assess whether a company meets the requirements of the insurance market. If a risk transfer is not possible, we provide gap analyses to show what is lacking. Since it happens time and again that companies cannot optimize the required areas of IT security themselves, we make recommendations for service providers. For this purpose, we have established trusting partnerships such as the one with DGC. This enables our customers to purchase those services that lead to the best possible implementation of the necessary measures and ultimately to the successful conclusion of an insurance policy. A good example of this is cyberscan.io®: using these external vulnerability scans, we prepare our customers in the best possible way for the risk assessment by the insurers, as they use comparable tools.
Andreas Pankow: DGC supports companies in establishing the highest security standards along the entire value chain. Ideally, this is done within the framework of our partnership model, where we also speak of cyber security partnerships due to the close cooperation with our customers. Companies receive an individual cyber security package and thus the products and services that are important for their own continuous monitoring of the IT infrastructure and for all-round protection.
In the area of prevention, we provide support in the form of pentests and analyses of the IT infrastructure for vulnerabilities. This is done automatically by our vulnerability scanner cyberscan.io® as well as manually by our so-called penetration testers.
The Cyber Defense Operation Center Team (CDOC) offers SOC-as-a-Service services for all company sizes – from 24/7 monitoring to security awareness training on phishing and other social engineering tactics to incident response and forensics. In this way, we meet the need of many IT managers to work with only one IT security partner in order to create and continuously optimize a security concept with smart interlocking solutions.
What are the mistakes to avoid when handling cyber attack damage?
Alexandra Köttgen: In the event of an insurance claim, it is important to know that all the players involved can make mistakes. Close cooperation and coordination between all parties involved – the policyholder, service providers involved, insurer and broker – are therefore essential. On the company side, recovery plans are enormously important. On the service provider side, it is important to keep an eye on availability and response times, as there can be enormous consequences if a company does not respond quickly enough.
Andreas Pankow: It is fundamentally important to have established sensible emergency plans and to react efficiently and effectively on the basis of the corresponding processes and responsibilities. Only in this way is a company able to get back to productive operations as quickly as possible.
This usually goes beyond restoring the company’s own systems. For example, a data breach that very often accompanies a cyberattack must be reported in a timely manner, completely and in the correct format. There is a legal deadline of 72 hours for this, otherwise there is a risk of legal consequences.
At the same time, it is not uncommon for a deadline to be set by the extortionists: here, too, the response must be fast and consistent in many respects.
To avoid further sensitive costs, companies should also strive to get operations up and running again as quickly as possible and restore IT systems. However, this can only be achieved with the aforementioned emergency plans as part of disaster recovery.
You want to increase your IT security standards and are wondering how to do this in the best possible way? We will be happy to advise you – contact us.