9
May 2023
Cyber insurance, ransomware and the Van Gogh equation
Graham Hawkey
Cyber insurance is definitely one of the hottest topics in town at the moment.
I’ve seen it for myself.
Three years ago, it was barely ever mentioned in the conversations I have with UK businesses.
But now, and over the last six to twelve months or so, I find it’s coming up more and more. It’s become a key driver for organisations to speak to us as they look to strengthen their cybersecurity.
People are coming to us and saying, 'we need a PAM solution to get or renew our cyber insurance policy’.
It’s become such a catalyst, in fact, that I recently concluded one of the quickest agreements I’ve ever worked on to provide a PAM solution. The organisation in question wanted to get software in place as quickly as possible in order to meet the requirements set out by their cyber insurer. Their IT team had clearly listened very carefully to what the insurance provider had set out in terms of the necessary security tools to obtain a policy.
There was another example not long ago where another business I was speaking with suddenly accelerated their interest in buying our PAM solution. It came after senior executives had spoken with a broker regarding their cyber insurance renewal. They came to realise the importance of having the right technology in place to get the correct cyber cover they needed and decided to act immediately.
Just a few weeks ago, I hosted a talk at UK Cyber Week about cyber insurance, and a packed audience demonstrated further how big a subject it has become. We had some great questions and a really engaged group of delegates.
It was enlightening to hear the perspective of Ed Ventham, a very experienced broker (and my interviewee for the presentation), as he listed Privileged Access as one of a few key requirements that insurers are now looking to see covered when considering an application from a business.
Ed, the Co-Founder of Assured, a specialist provider of cyber cover, told me: “They (insurers) are really scrutinising privileged accounts and user administration. That’s the single biggest weakness at the moment from an insurance point of view, that is where they are seeing claims coming through.”
It’s easy to see from an insurer's perspective why they insist on a certain level of security if they’re going to underwrite a policy.
You wouldn’t expect a home insurer to be ok with a house having no locks. Neither would you expect them to pay out if you went out and left your front door and windows open and found the Van Gogh painting you’d left on the table had been stolen!
Nor would you expect them to pay out when you suffer a ransomware attack if your business lacks key security tools like privileged access management.
There's been quite a lot of talk about cyber attacks and the need for greater protection in the news lately on TV, including coverage of the NCSC conference. The message people will take away, I believe, is businesses need to up their game in the UK.
This is only going to spur more business leaders into considering the need for cyber insurance. If they don't have it, it could leave them exposed.
Yet the obvious downside for cyber insurance is the increasing costs. We’ve seen premiums continue to rise and examples of where an organisation has found it unaffordable, only then to succumb to an attack. Parliament is even investigating the subject. And a policy is likely to get more expensive.
I do fear for public sector bodies in particular, who are often struggling with stretched budgets. They do appear to be particularly vulnerable and the loss of data for key organisations in education and healthcare can have startling and awful consequences. There have been numerous examples of cyber attacks in this space. As our CTO Andy Harris wrote recently, some school and educational bodies may be a major target for ransomware attackers this year.
If you’d like to understand how Osirium could help your organisation to meet cyber insurance requirements and bolster its cyber resilience, contact me or one of our team.