While cyber exposure is dangerously prevalent, there are tactics that businesses can use to protect themselves and their clients.
Cyber insurance has never been more critical. Globally, cybercrime has been identified as the single greatest concern for business leaders, according to the “Allianz Risk Barometer 2024.” And with more than half (56%) of all 2023 cyber insurance claims the result of funds transfer fraud (FTF) or business email compromise (BEC), according to Coalition's “2024 Cyber Claims Report,” the risk of a cyberattack for an organization of any size is real.
“The growth in claims resulting from FTF or BEC, which both originate in the email inbox, demonstrates the importance of email security as a critical aspect of cyber risk management,” says Shawn Ram, head of insurance at Coalition. “Threat actors always have the same end goal: getting paid. They will often use the easiest and quickest methods, such as phishing, to access sensitive information they can exploit for financial gain.”
Additionally, the increased usage of artificial intelligence (AI)—both by legitimate businesses and cybercriminals—brings complex cybersecurity challenges.
Independent agents are at the forefront of assisting organizations in protecting themselves from cyberattacks. One of the most important areas agents can focus on is “painting a clear picture of the current cybercrime landscape and mapping out how the prevalence of cyber risk affects businesses of all shapes and sizes,” Ram says.
But while cyber exposure is dangerously prevalent, there are tactics that businesses can use to protect themselves and their clients. During Cybersecurity Awareness Month, here are four risk mitigation and risk management tips agents can provide their clients:
1) Training for employees. “Companies should be giving employees monthly, weekly or biweekly training on the next set of cybercrime attacks that some companies have been duped by,” says Derek Kilmer, associate managing director, Burns & Wilcox. “You're talking about deep fakes, text-to-speech attacks, data poisoning or any of the AI-influenced cybercrimes.”
For many organizations, this training is cost-prohibitive. However, agents can direct clients to carrier resources that can help implement training.
Bad actors will “often use the easiest and quickest methods, such as phishing, to access sensitive information they can exploit for financial gain,” Ram says. Continuous training for all employees on potential cyber threats can alleviate or even prevent an attack. In a study by Infosecurity Group, 80% of organizations surveyed believed that security awareness training had reduced their staff's susceptibility to phishing attacks. Respondents said that training programs could reduce cyber risks from 60% to 10% in the first 12 months.
2) Cyber hygiene. Bad actors are regularly looking for vulnerabilities within an organization. To improve overall cyber hygiene, Ram recommends the following:
- Implement multifactor authentication (MFA) on all critical accounts.
- Consider using a managed detection and response (MDR) service.
- Maintain credible offline backups of critical business data.
- Establish a formal procedure for electronic payments.
- Patch all software and firmware regularly.
“Companies have to be invested in protecting their data. If they're not staying on top of making sure their systems and networks are up to date, it's just going to leave them susceptible,” Kilmer says. “For many medium to small organizations, third-party managed security service providers (MSSP) will have weekly patching from a control standpoint and segregation of networks,” he adds.
3) Clarify procedures. “When policyholders notice something unusual, they should promptly report it to their cyber insurer,” Ram says. “Speed, responsiveness and an open flow of communication and transparency between parties are essential when managing cyber risk. Many organizations don't call their insurers until it's too late because they might not be aware of the threat or its severity, or they may equate informing their insurer with filing a formal claim.”
If an employee receives a phishing email or a request to send a payment elsewhere, “the answer for those kinds of events is—and has been for a while—having the right procedures in place,” Zellman says. “It's often as simple as following up with a phone call to a real live person to verify the change.”
Further, “for some social engineering coverages, agents must be very careful about the procedures necessary,” Pope says. “Some policies will require the insured to make a phone call to verify whenever they receive new wiring instructions that vary from the normal instructions. While that's good practice, in reality, clients don't always do that, and if it turns out they wired money to a bad actor, that coverage may not pay the claim.”
4) Know your insurer. Cyber insurance is a dynamic, fast-changing market, and not all cyber policies on offer are the same. Agents can assist clients in finding a carrier that meets their needs.
“Organizations should look for insurance providers that do more than just handle claims,” Ram says. “What is commonly missed is certain pre-claims services that allow the policyholder to seek counsel and help from their cyber insurer.”
Olivia Overman is IA content editor.