McAfee and CSIS Uncover the Hidden Costs of Cybercrime

McAfee recently released a new global report titled “The Hidden Costs of Cybercrime,” which focuses on the significant financial and unseen impacts that cybercrime has worldwide. The report, conducted in partnership with the Center for Strategic and International Studies (CSIS), concludes that cybercrime costs the world economy more than $1 trillion, or just over one percent of global GDP, up more than 50 percent from a 2018 study that put global losses at close to $600 billion. Beyond the global figure, the report also explored damage beyond financial losses, finding that 92 percent of companies felt effects beyond monetary loss.

“The severity and frequency of cyberattacks on businesses continues to rise as techniques evolve, new technologies broaden the threat surface, and the nature of work expands into home and remote environments,” said Steve Grobman, SVP and CTO at McAfee. “While industry and government are aware of the financial and national security implications of cyber-attacks, unplanned downtime, the cost of investigating breaches and disruption to productivity represent less appreciated high impact costs. We need a greater understanding of the comprehensive impact of cyber risk and effective plans in place to respond and prevent cyber incidents given the 100s of billions of dollars of global financial impact.”

The Hidden Costs of Cybercrime

The theft of intellectual property and monetary assets is damaging, but some of the most overlooked costs of cybercrime come from the damage to company performance. The survey revealed 92 percent of businesses felt there were other negative effects on their business beyond financial costs and lost work hours after a cyber incident. The report further explored the hidden costs, and the lasting impact and damage cybercrime can have on an organization, including –

  • System Downtime– Downtime is a common experience for around two thirds of respondents’ organizations. The average cost to organizations from their longest period of downtime in 2019 was $762,231. Thirty-three percent of survey respondents stated that an IT security incident resulting in system downtime cost them between $100,000 and $500,000.
  • Reduced Efficiency– As a result of system downtime, organizations lost, on average, nine working hours a week, leading to reduced efficiency. The average interruption to operations was 18 hours.
  • Incident Response Costs– According to the report, it took an average of 19 hours for most organizations to move from the discovery of an incident to remediation. Many security incidents can be managed in-house, but major incidents often require outside consultants, whose high rates form a significant portion of the cost of a large-scale incident.
  • Brand and reputation damage– The cost of rehabilitating the external image of the brand, working with outside consultancies to mitigate brand damage, or hiring new employees to protect against future incidents is part of the cost of cybercrime. 26 percent of respondents identified damage to their brand from the downtime experienced because of a cyber-attack.


Companies Unprepared for Cyber Incidents 

Through its research and analysis, the report found a lack of organization-wide understanding of cyber risk. This leaves companies and agencies vulnerable to sophisticated social engineering tactics and, once a user is compromised, slow to recognize the problem in time to stop the spread. According to the report, 56 percent of surveyed organizations said they do not have a plan to both prevent and respond to a cyber incident. Of the 951 organizations that did have a response plan, only 32 percent said the plan was effective.

The report concludes with key ways for businesses to deal with cybercrime. These include uniform implementation of basic security measures, increased transparency by organizations and governments, standardization and coordination of cybersecurity requirements, cybersecurity awareness training for employees, and developing prevention and response plans.

Methodology

McAfee commissioned independent technology market research specialist Vanson Bourne to undertake the research on which this report is based.

Between April and June 2020, the quantitative study was carried out, interviewing 1,500 IT and line of business decision makers. Respondents came from the US (300), Canada (200), the UK (200), France (200), Germany (200), Australia (200) and Japan (200). Respondents’ organizations have 1,000 or more employees and were from all sectors except construction and property. However, only IT decision makers were interviewed in the Government sector.

Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate.

Additionally, CSIS utilized a survey of open-source material on losses accompanied by interviews with Government officials, and an estimate adjusted by national income levels using International Monetary Fund (IMF) income data to determine the cost of cybercrime.

Everything you need to know about what it covers and how it works

Cyber insurance is becoming increasingly popular. But what does it cover, what doesn’t it cover and what should you know?

Cyberattacks of all types are an increasingly large problem for all organizations, and as a result many are turning to cyber insurance as a means of protection against some of the effects of an incident. But what is cyber insurance, how does it work and what are some of the things that your business needs to be considering when deciding on a cyber insurance policy?

What is cyber insurance?

Cyber insurance – also known as cyber-liability insurance – is an insurance policy that helps protect organizations from the fallout from cyberattacks and hacking threats. Having a cyber insurance policy can help minimize business disruption during a cyber incident and its aftermath, as well as potentially covering the financial cost of some elements of dealing with the attack and recovering from it.

However, there are things that cyber insurance can’t protect against and an organization will need to make sure it understands what is covered and perhaps more importantly what isn’t covered when they sign up to a coverage plan. While having some form of cyber insurance in place can help a business in the event of an attack, a business is also responsible for its own cybersecurity – the responsibility isn’t something that is just shifted to the insurer.

Cyber insurance will not instantly solve all of your cybersecurity issues, and it will not prevent a cyber breach/attack, according to the National Cyber Security Centre.

Who needs cyber insurance?

Any business with an online component or one that sends or stores electronic data might benefit from cyber insurance, as may any organization that relies on technology to conduct its operations, which is pretty much every business.

Private personal data such as contact details of customers or staff, intellectual property, or sensitive financial data are all potentially very lucrative to cyber criminals who could attempt to break into the network and steal it.

There is also the potential for hackers to cripple a network with ransomware. A cyber insurance policy that covers ransomware could go a long way to helping organizations that fall victim to attacks like this find a way out of the predicament.

What sort of attacks result in cyber insurance claims?

Cyber insurance claims can be triggered by many sorts of incidents, but right now the most common are ransomware, fund-transfer fraud attacks, and business email compromise scams.

How much does cyber insurance cost?

The cost of a cyber insurance policy will depend on a number of different factors including the size of the business and the annual revenue. Other factors can include the industry the business operates in, the type of data that the business typically deals with, as well as the overall security of the network.

An organization that is deemed to have poor cybersecurity or has previous history of falling victim to hackers or a data breach would likely get charged more for a cyber insurance policy than one that has a good reputation for keeping itself secure.

Sectors such as health and finance are likely to find that cyber insurance policies cost more due to the sensitive nature of the fields they operate in.

In the wake of frequent cyber-attacks affecting businesses, cyber insurance has become a highly researched and debated topic. The industry has been growing steadily for a couple of decades now. According to Zion Market Research, the global cyber insurance market is expected to reach $22.8 billion by 2024, with a compound annual growth rate of 24%.

Even with a wide range of cybersecurity protection and prevention tools available, a company can still fall victim to a data breach. That does not mean measures such as employee training and security tooling should be neglected, and you should by no means rely solely on reactive practices like buying an insurance policy. It is always better to prevent a cyber disaster than to deal with the consequences.

Why do companies generally purchase cyber insurance policies?

And how many organizations out there are actually covered by cyber insurance? According to Spiceworks data, 38% of organizations are covered by a cyber insurance plan, with nearly half having had a policy for under 2 years, 32% for 3-4 years, and 24% having been covered for 5+ years.

Source: Spiceworks study

What’s more, 71% of survey respondents stated that they purchased a policy for precautionary reasons. This seems to be the top driver for organizations to get coverage, followed by an increased priority on cybersecurity (44%), handling a high volume of personal data (39%), and industry-specific regulations (28%). On top of that, only 14% seem to have bought insurance coverage due to customer requirements and an additional 14% as a result of new data protection regulations, such as GDPR. Additionally, IT professionals admit to choosing cyber insurance coverage just to get some peace of mind and hope they never use it.

Source: Spiceworks study

What does cyber insurance cover?

Cyber risk is without a doubt one of the most difficult risks to deal with, as it has a high impact on both societies and businesses worldwide. Cyber insurance plans are typically created with digital risk in mind, in order to ensure (as best they can) the continuity of a business and ultimately help companies become cyber resilient.

However, not all cyber insurance policies are created equal. Decision-makers may be tempted to choose low-priced services and end up with a bad deal. This typically happens because some cyber insurance providers, trying to safeguard their existence in the face of harsh competition, create packages that leave high-risk areas uncovered. Why does this happen? Because some cyber insurance vendors are inexperienced in cybersecurity and do not fully understand an organization’s actual needs in the current threat landscape.

Before deciding to purchase a cyber-insurance policy, you will want to know what it covers to be able to better assess if a certain insurer is a good fit for your company. So, evaluate your options carefully.

Source: Spiceworks study

A Cyber insurance coverage checklist

Here are the main items typically covered by cyber insurance policies:

  • Restoration of data and software damaged or destroyed by malware (such as viruses, spyware, worms, etc.)
  • Extortion losses (ransomware)
  • Setting up a temporary environment so your company can continue to operate
  • Business interruptions that resulted directly from a cyber-attack (such as DDoS attacks)
  • Temporary security experts hired to defend your company against the attack
  • Legal expenses and fees
  • Costs of notifying employees and the public
  • Costs associated with reputational damage

What does cyber insurance NOT cover?

Even though your cyber insurance may fix some of your post-cyberattack problems, keep in mind that it will not sort everything out. Below are some aspects that are (usually) not covered:

  • Physical property loss and damage– Normally, cyber insurance coverage excludes physical loss that happened as a direct result of a cyber-attack. For instance, think about manufacturers and energy suppliers, which may be more likely to become victims of cyberattacks meant to cause physical damage. If machines are destroyed because malicious hackers overrode their controls, the losses will not be covered by cyber insurance and would most likely fall under other types of business insurance, such as crime insurance.
  • Social engineering attacks– Cyber insurance policies often contain social engineering reduction clauses, and some sources mention a payout reduction if employees fall victim to social engineering attacks. Given that 70% to 90% of all successful data breaches are reported to happen due to social engineering, customers who are not aware of such clauses may find that up to 90% of what they expected to be covered is not.

What is more, according to a report, many insurance policies contain grey areas. Below you can see what they normally don’t cover.

  • They do cover attacks or hacks but exclude accidents and errors
  • They do cover costs imposed by law, but not total incident costs
  • They only cover the time of the network interruption, but not the overall business disruption moving forward
  • They may exclude systems delivered by third-party service providers
  • They may not cover software or systems currently in development
  • Policies may sometimes not cover incidents caused by contractors
  • Customers may not be able to choose their own IT, PR or legal specialist since the insurance policy only covers appointed advisors.

These points would typically need to be negotiated before signing the insurance contract, so bear these common exceptions in mind when evaluating cyber insurance vendors and be sure to choose the plan that best matches your business and cybersecurity needs. Better yet, do not put large amounts of money and all your trust into cyber insurance policies; invest in proactive cybersecurity measures first.

Is cyber insurance really worth it after all?

It depends on several factors, and ultimately it is up to you to decide according to your current business needs. For instance, would it be better to spend $15,000 on a cyber insurance policy, or to use that money to upgrade your current cybersecurity and train your employees to recognize and react to the first signs of compromise? Or to split the amount between these areas?

Cyber insurance can create a false sense of security, so be careful how much you actually invest in it and what items it includes. Also keep in mind that after choosing an insurance policy, you should not just leave it to gather dust indefinitely. Your cyber insurance contract should be reviewed and updated regularly as your needs and the current threats evolve.

So, how much cyber insurance coverage do you really need?

On average, data breaches cost companies $150 per record, according to the IBM and Ponemon Institute 2019 Cost of a Data Breach Report. The same study concluded that the average time to identify and contain a data breach was 279 days. If you do decide to purchase a cyber insurance policy, these figures are good starting points.

You should take into consideration aspects such as:

  • How much sensitive information you store
  • Where is the sensitive information stored
  • What measures you would need to take if you experienced a data breach
  • What would the costs be to replace the damaged software (and perhaps hardware)
  • Do you have any employees trained to mitigate the damage, or do you need external security specialists?
  • Is there any PR staff able to deal with crisis management if you experienced a data breach?

Answering these questions, along with others you formulate yourself based on your own business model, will help you get an idea of how much insurance coverage you would need in case of an emergency.

Should you replace cybersecurity with cyber insurance?

No, never! Cyber insurance should never be used, under any circumstances, as a cybersecurity replacement. Do not operate with the it-won’t-happen-to-me mentality and try to cut down costs associated with security tools. You may “save” some money for a while, but in the long run, this practice will only damage your business.

Cyber insurance and ransomware payouts, a controversy

Some cyber-insurance companies seem to encourage ransomware victims to pay the ransom. Apparently, this practice is seen as the cheapest way to reverse ransomware attacks and at the same time ensure the least downtime possible. And this happens despite warnings and discouragement from law enforcement agencies that are saying “ransoms shouldn’t be paid because they fund criminal activity.” What’s more, in the past, we saw ransomware strains that deleted data even if the victims paid, so the ransomware payment behavior certainly comes as a red flag. Sadly, the main goal of insurance companies here is to get the issues resolved at the lowest price possible.

What should companies do instead of paying the ransom? Use proper cybersecurity tools, apply system and software updates as soon as they are released, always back up sensitive data, and train employees in cybersecurity. Only then, if you choose to, create a cyber insurance plan tailored to your company and be certain it gets regularly revised and updated.


It is also the case that some cyber insurance companies cover the cost of actually giving in and paying a ransom – even though that’s something that law enforcement and the information security industry doesn’t recommend, as it just encourages cyber criminals to commit more attacks.

What isn’t covered by cyber insurance?

There are some things that could be important to organizations that don’t tend to be covered by cyber insurance and it’s vital to understand what isn’t covered, so protecting these assets can be properly managed. 

The financial damage caused by loss of intellectual property usually isn’t covered by cyber insurance, and neither are the reputational costs that can be incurred following a cyberattack.

For example, cyber insurance could pay out for the costs associated with dealing with the direct aftermath of a cyberattack, but in the longer run the company might lose business due to public perception of having poor cybersecurity. A cyber insurance policy won’t cover the cost of losing customers due to the bad reputation it picks up as a result of a cyberattack.

What do I need to apply for a cyber insurance policy? 

Cyber insurance isn’t a silver bullet for solving your cybersecurity problems – far from it. In fact, in order to get a good deal for coverage, your business will likely need to prove that it’s responsible with cybersecurity in the first place. Insurers will not want to take on a client that looks almost certain to be the victim of a data breach.

Insurers will want to know what cybersecurity your company has in place when you apply for a policy, and you’ll be expected to maintain accurate details about your cybersecurity as time moves on. In many cases, policies are reassessed every 12 months, so even after acquiring cyber insurance, organizations still need to maintain proper cybersecurity procedures or risk losing the insurance down the line.

It’s also important to understand which are the systems and data that are essential to your organization, and to understand whether the level of cover you have is adequate. That means deciding on a cyber insurance policy is a question that goes beyond IT and is a question for broader executive management, too.

An organization cannot just decide it doesn’t want to invest in cybersecurity any longer because it now has a cyber insurance policy.

What is the future of cyber insurance? 

As the frequency of cyberattacks continues to increase and cyber criminals get more brazen with campaigns, the way cyber insurance operates is going to evolve. As previously noted, cyber insurance providers are unlikely to want to offer policies to organizations that pay little attention to their cybersecurity. 

Paying out an insurance claim is a purely reactive activity and is costly for the insurance provider. That’s why some are starting to take a more proactive approach to cybersecurity, not only there to offer a payout if things go wrong, but actively aiding clients to take a better approach to cybersecurity.

Cyber insurance claims on the rise

External attacks on companies result in the most expensive cyber insurance losses, but it is employee mistakes and technical problems that are the most frequent generator of claims by number, according to a report from Allianz Global Corporate & Specialty (AGCS). The study analyzes 1,736 cyber-related insurance claims worth EUR 660mn (US$ 770mn) involving AGCS and other insurers from 2015 to 2020. Employers and employees must work together to raise awareness and increase cyber resilience.

Growth of the global cyber insurance market fueling cyber insurance claims

The number of cyber insurance claims has steadily risen over the last few years, up from 77 in 2016, when cyber was a relatively new line of insurance, to 809 in 2019. In 2020, there were already 770 claims in the first three quarters. This steady increase in claims has been driven, in part, by the growth of the global cyber insurance market, which is currently estimated to be worth $7bn according to Munich Re. The report also highlights that there has been a 70%+ increase in the average cost of a cybercrime to an organization over five years to $13mn and a 60%+ increase in the average number of security breaches.

Losses resulting from external incidents, such as DDoS attacks or phishing and malware/ransomware campaigns, account for 85% of the value of claims analyzed according to the report, followed by malicious internal actions (9%) – which are infrequent but can be costly.

Accidental internal incidents, such as employee errors while undertaking daily responsibilities, IT or platform outages, systems and software migration problems or loss of data account for 54% of cyber claims analyzed by number but, often, the financial impact of these is limited compared with cyber crime. However, losses can quickly escalate in the case of more serious incidents.

Business interruption, the main cost driver behind cyber losses

Business interruption is the main cost driver behind cyber losses, accounting for around 60% of the value of all claims analyzed, followed by costs involved with dealing with data breaches. Businesses and insurers are facing a number of challenges such as the prospect of more expensive business interruptions, the rising frequency of ransomware incidents, more costly consequences of larger data breaches given more robust regulation and litigation, as well as the impact from the playing out of political differences in cyber space through state-sponsored attacks.

The huge rise in remote working due to the coronavirus pandemic is also an issue. Displaced workforces create new opportunities for cyber criminals to gain access to networks and sensitive information. Malware and ransomware incidents are already reported to have increased by more than a third since the start of 2020, while coronavirus-themed online scams and phishing campaigns about the pandemic continue. At the same time, the potential impact from human error or technical failure incidents may also be heightened.

Ransomware threats surge

Already high in frequency, ransomware incidents are becoming more damaging, increasingly targeting large companies with sophisticated attacks and hefty extortion demands. There were nearly half a million ransomware incidents reported globally last year, costing organizations at least $6.3bn in ransom demands alone. Total costs associated with dealing with these incidents are estimated to be well in excess of $100bn.

Business interruption and digital supply chain vulnerability growing

Whether due to ransomware, human error or a technical fault, the loss of critical systems or data can bring an organization to its knees in today’s digitalized economy. The inability to access data for an extended period of time can have a significant impact on revenues – for example, if a company is unable to take orders. Similarly, if an online platform is unavailable due to a technical glitch or cyber event, it could bring large losses for companies that rely on it, particularly given today’s increasing reliance on online sales or digital supply chains.

Data breaches and state-sponsored attacks

The cost of dealing with a large data breach is rising as IT systems and cyber events become more complex, and with the growth in cloud and third-party services. Data privacy regulation, which has recently been tightened in many countries, is also a key factor driving cost, as is growing third-party liability and the prospect of class action litigation. So-called mega data breaches (involving more than one million records) are more frequent and expensive, now costing $50mn on average, up 20% over 2019.

In addition, the increasing involvement of nation states in cyber-attacks is a growing concern. Major events like elections and COVID-19 present significant opportunities. During 2020, Google said it had to block over 11,000 government-sponsored potential cyber-attacks per quarter. Recent years have seen critical infrastructure, such as ports and terminals and oil and gas installations, hit by cyber-attacks and ransomware campaigns.