Loss trends and emerging risks: Cybersecurity

Cybersecurity continues to be one of the biggest risks – if not the biggest – for businesses.¹ As part of our second annual Q&A series, Sovereign’s Lynda David, Senior Underwriter, Technology & Cyber, shares her thoughts on the major cyber loss claims from 2022 and what businesses need to watch out for in 2023. 

What are the loss trends/key exposures you saw in the past year? 
 
Ransomware and business email compromise have been the leading causes of cyber claims over the past year. Ransomware is malicious software (or malware) that blocks a user from accessing their own files or device. Access is only provided if a ransom is paid to the attacker, typically in cryptocurrency. Business email compromise is a sophisticated scam that targets companies through phishing emails that appear to come from trusted sources. In this type of attack, an employee is tricked into revealing sensitive information, opening malicious files, or transferring funds to a cyber criminal who might be posing as a supplier, the company’s CEO, or someone from the IT team. 

The costs associated with these incidents continue to rise. For example, one study found that for Canadian organizations, the average ransom payment demanded is nearly $450,000.² While no business is immune, the industries most affected are healthcare, financial (including banking, insurance, and other financial institutions) and professional services, which include organizations such as consulting firms, law firms and accounting firms. 
 
What are some of the emerging risks to keep an eye out for next year? 
 
Internet of Things (IoT) is all around us, with an estimated 43 billion devices connected to the internet in 2023.³ From smart watches to household appliances to home security systems, more and more products are becoming connected to the internet each day, which increases the number of entry points for cyber criminals to infiltrate a network. Organizations need to be aware of these new gateways and protect themselves accordingly. The perpetual concern is, as organizations become more diligent with their controls and protocols, cyber criminals are responding with increased sophistication in their attacks. 
 
How can organizations mitigate these risks?
 
Insurers have been enforcing certain mandatory requirements in terms of controls that their Insured must implement prior to obtaining a cyber insurance quote. Multi-factor authentication (MFA) is an example of one control that is quickly becoming an industry standard. When signing into an account, MFA requires the user to provide two or more verification factors, such as a one-time password or code, to prove who they are. While this can sometimes feel like a tedious task, I would compare this to adding a security chain to your front door and a peephole to verify who is actually knocking versus only having a single lock.
 
Finally, one of the most effective ways an organization can be proactive is to provide employee training on privacy and data security, as many breaches are caused by employee error. This training should include random phishing tests throughout the year. With heightened awareness, an organization can better protect their data and help mitigate breaches that have occurred to reduce claims costs. Awareness is key, so spread the word.

To learn more about mitigating cyber risks, see: Cyber loss prevention: How to mitigate cyber risks to your business


Sources 
¹ ICAEW, “Businesses face perfect storm of risks,” Oct. 10, 2022 
² Palo Alto Networks, “2021 Palo Alto Networks Canada Ransomware Barometer,” Dec. 9, 2021
³ Forbes, “The top 4 internet of things trends in 2023,” Nov.7, 2022