Monthly Archives: February 2024

The State of Cybersecurity Insurance Adoption

The cost of a single data breach, ransomware attack or other security incident can adversely impact the most solid financial balance sheet. The growing threat from sophisticated cybercriminals targeting organizations of all sizes elevates cybersecurity insurance from an IT security concern to a critical business priority, demanding the attention of senior leadership and boards of directors. But what are the limitations of these cybersecurity policies and what are the benefits and hurdles to purchasing a policy that protects organizations? In the event of a cyberattack, how satisfied are organizations with their insurers’ response? Sponsored by Recast Software, the purpose of this research is to address these questions and help organizations prepare for the purchase of insurance.

It’s about the money. Respondents do not expect any decrease in cyber risks targeting their organizations. Instead, according to 75 percent of respondents, their organizations’ exposure will increase (47 percent) or at best stay the same (28 percent). As cyberattacks increase in severity and sophistication, a significant financial consequence is becoming more likely. Sixty-one percent of respondents say their organizations have experienced a significantly disruptive security exploit or data breach since purchasing insurance, and the total financial impact of all such incidents averaged $21 million.

The top two reasons for purchasing insurance are the increasing number of cybersecurity incidents (41 percent of respondents) and concerns about the financial impact (40 percent of respondents). According to the research, 65 percent of respondents say their organizations are purchasing limits ranging from $6 million to more than $100 million. However, 50 percent of respondents say it is difficult to comply with insurers’ requirements. More than half (51 percent) of respondents say insurers require regular scanning for vulnerabilities that need to be patched.

Ponemon Institute surveyed 631 IT and IT security practitioners in the United States who are familiar with cyber risks facing their companies and have knowledge about their organizations’ use of cybersecurity insurance. Seventy-six percent of respondents say their organizations have completed the purchase and 24 percent of respondents say their organizations are in the process.


In this section, we provide an analysis of the research. The complete findings are presented in the Appendix of this report. The report is organized according to the following topics.


  • What keeps organizations’ IT security posture from being strong?
  • How helpful is cybersecurity insurance in protecting organizations from adverse financial consequences?
  • Dealing with the hurdles organizations face when purchasing cybersecurity insurance

What keeps organizations’ IT security posture from being strong?

Technology and governance challenges are affecting the ability to improve organizations’ security posture. Fewer than half (49 percent) of respondents rate their IT security posture as very effective at mitigating risks, vulnerabilities and attacks across the enterprise. The primary reasons are the ineffectiveness of security technologies and the complexity of the IT security environment.

Other challenges that need to be addressed are having a complete inventory of third parties with access to their sensitive and confidential data, keeping senior management up to date about threats facing their organizations and convincing management that cyberattacks are a significant risk.

Understanding the level of cyber risk is important because organizations realize cyber threats are not decreasing. Sixty-three percent of respondents say they assess the level of cyber risk to their organizations. According to 75 percent of respondents, cyber risks will increase (47 percent) or stay the same (28 percent).

Internal assessments are informal (23 percent) or formal (21 percent). However, 37 percent of respondents say their organizations do not do any type of assessment (21 percent) or rely on intuition or gut feel (16 percent). Only 19 percent hire an independent third party to conduct the assessment.

How helpful is cybersecurity insurance in protecting organizations from adverse financial consequences?

Cybersecurity insurance can improve organizations’ security posture. As reported, 76 percent of respondents have completed the purchase of cyber insurance. On average, these organizations have held their policies for two years, which gives them an understanding of the benefits and effectiveness of cyber insurance.

Almost half (49 percent) of respondents say their cybersecurity posture improved greatly or significantly following the purchase of cybersecurity insurance. However, 48 percent of these respondents changed insurance companies. The primary reasons for the change were cancellation of the policy or the high expense.

Since purchasing cybersecurity insurance, the threats to organizations did not decrease. Only 27 percent of respondents say cyberattacks have increased and only 17 percent say their IT security costs have increased; 45 percent and 44 percent, respectively, say cyberattacks and IT security costs have stayed the same.

Forty-three percent of respondents say cyber insurance coverage is sufficient with respect to coverage terms and conditions, exclusions, retentions, limits and insurance carrier financial security. Sixty-seven percent of respondents are extremely satisfied (23 percent), very satisfied (21 percent) or satisfied (23 percent) with coverage.

The financial consequences of all security exploits and data breaches experienced since the purchase of insurance average $21 million. This figure includes out-of-pocket expenditures such as ransomware payments and consultant and legal fees, as well as indirect business costs such as productivity losses, diminished revenues, legal actions, customer turnover and reputation damage. Sixty-one percent of respondents experienced a significantly disruptive security exploit or data breach since the purchase of cybersecurity insurance.

Fifty-three percent of respondents say their organizations filed a claim following the incident, and on average 46 percent of the losses were covered, or approximately $9.7 million of the $21 million average. When asked how satisfied their organizations were with the insurance company’s response to the claim, fewer than half (46 percent of respondents) were very or highly satisfied with the response.

Sixty-five percent of respondents say their organizations have experienced cyberattacks such as ransomware or denial of service, and 61 percent of respondents say cyberattacks have resulted in the misuse or theft of business confidential information, such as intellectual property.

Dealing with the hurdles organizations face when purchasing cybersecurity insurance

Insurance companies’ assessment of organizations’ security posture is mainly focused on the existence of an adequate budget. Only half (50 percent) of respondents say the insurance company assesses their security posture. If it does, it is to determine whether there is adequate budget (65 percent of respondents). Other factors include evidence of security and training programs conducted (52 percent of respondents), effectiveness of the incident response team (45 percent of respondents) and ability to detect and prevent cyberattacks (45 percent of respondents).

To read the rest of this report, visit the ReCastSoftware.com website.

Taylor Swift, the FCC deepfake ban, and why you are the last (only?) line of defense

Twitter (X) briefly blocked Taylor Swift searches in reaction to deepfake posts. A good, if brutal, response.

Bob Sullivan

Hold on tight, fellow humans, there’s artificial turbulence ahead. Like it or not, the time has come to stop believing what you see, what you hear, and perhaps even what you think you know. Reality is indeed under attack and it’s up to us to preserve it. The only way to beat back this futuristic nightmare is with old-fashioned skepticism.

Lately, it feels like all anyone wants to talk about is AI and how it’s going to make life much easier for criminals, and much harder for you. I’ve annoyed several interviewers recently by saying I don’t believe the hype. There is not an avalanche of voice-cloning criminals out there manipulating victims by creating fake wailing kids claiming to need bail money. The so-called grandparent scam has operated successfully for many years without AI. But I think that misses the point. First of all, as many journalists have demonstrated (even me!), it’s trivial to create deepfakes now. An expert cloned my voice for $1. But more important, a recent offensive, vile Taylor Swift deepfake was viewed 47 million times before it was removed from most of social media. This kind of violation is here, today, and it’s going to be very hard to stop.

There are celebrated efforts, of course. The FCC just made voice cloning in scams explicitly illegal, which is certainly welcome, but if FCC efforts to stop robocalling are a guide, AI scams won’t be stopped by this. There are also some high-tech efforts to separate what’s real from what’s fake, and that’s also welcome. Watermarking — even in audio files — can be used by software to declare items as AI-generated, so our gadgets can tell us when a Joe Biden video has been manipulated. Naturally, I wish tech companies had built such safety tools into their AI-generating software in the first place, but this kind of retrofitting is what we’ve come to expect from Big Tech.

I don’t have high hopes that an “AI-generated” label on a negative presidential candidate video is going to do much to stop the coming attack on reality, however. I’m afraid to say this, but it’s true: the problem, dear Brutus, lies not in our stars but in ourselves.

I am the last person to lump responsibility for the failures of billion-dollar tech companies onto busy human beings. And that’s not what I’m doing here. I still want tech workers to speak up when managers ask them to make tools that can be used to hurt people. I still want regulators to staff up and lock down companies that behave recklessly. But when it comes to defending reality, the truth is, we are on our own right now. Human beings are going to have to develop radical inquisitiveness when it comes to things we see, hear, and feel while interacting with technology.

This is going to be hard. Many of us want to see a video of our least-favorite politician looking stupid. A large number want to see “exclusive” video of famous people in… candid… moments. We would love for them to contact us directly and offer to be our friend, or even our lover.

We have to help each other learn to resist these base urges, to choose reality over this dark fantasy world that’s being foisted on us.

As is often the case with tech crises, this problem isn’t really new. Marketers have always manipulated consumers. Propagandists have always lied to populations. Many dark periods of history can be blamed on large groups failing to exercise proper skepticism, their prejudices and predispositions used against them. What’s different about our time is the scale. As we learned back in 2016, a room full of typists halfway around the world can persuade thousands of Americans to attend real-world rallies. The tools for liars and criminals are very powerful; we have to respond with equal force.

I recently interviewed Professor Jonathan Anderson, an expert in artificial intelligence and computer security at Memorial University in Canada, about this problem, and he’s persuaded me that humans must react by adjusting to this new “reality” of un-reality. We must stop believing what we see and hear. And there is precedent for this. At the dawn of photography, many people believed that photos couldn’t lie. Most folks now know that it’s trivial to manipulate images, perhaps even on a subconscious level. If you see something that doesn’t look right, a man’s head on an animal’s body, your first instinct is to react as if Photoshop is the culprit. Hopefully, we’ll all go through a learning curve now so that this is how we react to any media that’s unexpected, be it a fake desperate child, a celebrity asking to meet with us, or a politician doing something foolish.

My fear is that people will still believe what they want to believe, however. A “red” person will believe only “blue” fakes, and vice versa. And that, in my view, is the greatest threat to reality right now.