Dark Reading is part of the Informa Tech Division of Informa PLC


Physical Security

9/10/2020
05:40 PM

Two Years on from GDPR: Has It Driven Growth in Cybersecurity Insurance?

Whilst GDPR has put the spotlight on data privacy and cyber issues, there are other more prominent trends that are driving a greater take-up of cyber insurance, says Ben Maidment, Class Underwriter - Cyber, Physical & Technology at Brit Insurance.

Many in the insurance industry, myself included, expected the introduction of GDPR in May 2018 to drive a boom in demand for cyber insurance products in the UK and Europe, as data protection and privacy became a board-level conversation for companies both big and small. However, whilst it has contributed to the growth of the cyber insurance market, we have seen other significant trends contribute to the real uptick in demand — namely, the exponential rise in size, frequency and sophistication of ransomware attacks and increased understanding of "silent cyber" risks.

GDPR: Cybersecurity in the Spotlight
Data privacy legislation and regulation implemented in the US in the mid-2000s drove demand for cyber insurance in the North American market, as businesses looked to protect their digital assets. We expected much the same trends to translate to Europe with the introduction of GDPR, with the enforcement of the legislation and prohibitive potential fines leading to an increase in cyber insurance uptake.

Undoubtedly, we have seen demand increase for cyber insurance products since the introduction of GDPR across Europe in May 2018, as well as following high-profile data breaches. The loss of customer data and the large resultant fines, totalling in the hundreds of millions, have demonstrated just how severe the impact of cyber-attacks can be. As a result, data-intensive businesses and sectors which handle and transfer large volumes of sensitive personal data, such as healthcare and retail banking, have been quick to see the benefits of taking out cyber insurance policies.

However, we have not seen the pick-up we expected in industries which are less data-intensive (such as manufacturing), or among SMEs who believe they are unlikely to be the target of a cyber-attack because of their low profile and size.

One additional explanation for the muted pick-up of GDPR-driven cyber insurance is the lack of clarity from the regulatory authorities over whether the potentially very large fines levied against businesses under the legislation can be recovered under insurance policies. GDPR sets a maximum fine of €20 million (about £17.5 million) or 4% of annual global turnover — whichever is greater. Understandably, if a company is unsure whether this potential fine would be covered under its policy, it is less likely to seek cover.

For these reasons, whilst GDPR was certainly an important milestone in Europe’s data privacy landscape, it could be argued that a number of other factors have played a more prominent role in the last two years in driving the growth in the cyber insurance market.

Ransomware on the Rise
When speaking to our clients, the growing frequency, severity and sophistication of the ransomware threat to their businesses has been their biggest concern and the true catalyst for cyber insurance adoption. The numbers support this: the McAfee Labs Threats Report for 2019 recorded an astonishing 118% rise in ransomware attacks in the first quarter of last year.

The threats presented by ransomware are twofold. First, ransomware is designed to encrypt a file system, potentially causing irreversible damage or loss of data, which leads to financial losses from the interruption of business operations. Second, an increasing number of cyber criminals are using ransomware to extort money from their victims in exchange for the release of their systems.

2017 saw the emergence of new and destructive strains of malware and ransomware such as WannaCry and NotPetya. The threat, however, continues to evolve, becoming more sophisticated as new variants emerge, posing significant threats to even the most resilient of companies.

More recent strains include REvil/Sodinokibi, a Ransomware-as-a-Service (RaaS) operation which recently targeted New York law firm Grubman Shire Meiselas & Sacks, leaking personal documents of celebrities such as Lady Gaga.

This year has also seen NetWalker, another RaaS tool, pose an increasing threat, recently announcing a significant recruitment drive to expand its network of affiliates to disseminate its ransomware more widely.

Ransomware attacks have not just impacted those who handle data governed by GDPR, but those for whom business interruption can be catastrophic: logistics, manufacturing and shipping. As a result, cyber insurance demand has rocketed in the face of this growing ransomware threat facing all sectors and sizes of businesses.

Listening out for "Silent Cyber"
The third factor driving the uptake of cyber insurance is the industry and regulatory push to eliminate ambiguity over coverage for cyber incidents in non-specific policies commonly purchased by companies, with the mandate to either explicitly provide such coverage or to exclude it altogether.

Traditional Property and Casualty policies were not created with cyber exposures in mind and customarily neither explicitly include nor exclude cyber risks. This causes obvious concerns, as companies may be under the impression they have adequate cover through their traditional policy, only to find themselves mistaken depending on how the coverage in their policy is interpreted at the time of loss.

In addition to coverage considerations, with the increase in high-profile cyber-related losses in recent years, regulators have become increasingly concerned that such exposures are being neither adequately underwritten nor priced for in certain Property and Casualty policies, and that such "silent cyber" or "non-affirmative cyber" coverage should be eliminated.

This has led to less cyber coverage being available under traditional policies, and instead the purchase of standalone and specific cyber products. In doing so, companies benefit from greater certainty and clarity over their coverage in the event of a breach or hack, while regulators can be more confident that cyber exposures are being adequately underwritten, priced and monitored.

The Role of Insurance
It is crucial, therefore, in the face of these three trends driving the awareness of cyber risks, that management teams engage with the insurance industry to better understand the risks that they face — and to ensure that their policies provide cover for it.

Insurers don't just provide financial cover if the worst should happen; they can also support companies in mitigating risks before the fact, as well as helping the company recover. Insurers such as Brit are able to provide additional "value-add" services, including education, risk management training and access to global cyber experts, including IT and forensic specialists, lawyers and crisis PR advisers.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.
