The State of Third-Party Insurance Verification – Research Report
August 31, 2021
Last year, the FBI reported a 400% increase in cyber attacks, in large part due to the increase in remote work. Among them were two major data breaches: SolarWinds and FireEye — both third-party technology partners hired to protect their clients from data breaches, and both of which then became victims themselves. In that same report, the FBI noted that ransomware attacks made up about 85% of all cyber attacks in 2020 (dubbed The Year of the Digital Pandemic) — a trend that has ramped up significantly in 2021 and shows no signs of slowing.
Then came the high-profile Colonial Pipeline ransomware attack in May 2021, which disrupted the country’s largest fuel and oil pipeline. Many insurers have understandably begun to focus most of their efforts on ransomware risk protection, despite the fact that other new vulnerabilities are emanating from the remote work trend. These remote-work vulnerabilities could result in claims damages that amount to much more than a single ransomware attack.
Recent statistics point to a troubling increase not only in ransomware, but also in phishing, web application attacks, and other emerging cybercriminal tactics. Still, the focus on ransomware is warranted: without proper insurance coverage, a ransomware attack can become quite costly.
The Colonial Pipeline incident is what directly prompted the Biden Administration to announce a national security directive to boost defenses against ransomware attacks on critical infrastructure. While it is progressive in setting performance standards, it does not provide any real way to enforce them, which is why businesses have to assume that cyber attacks are inevitable and take matters into their own hands.
Companies can regain control over cybersecurity risks with a strong risk-management process, outlined here in six main steps (and a seventh bonus step):
Managing cyber risk follows the same basic process and principles as managing any other risk; however, the best risk management plans are only as strong as their weakest link, and when it comes to cybersecurity, that weak link is often a business’s third-party vendors.
Hiring a cybersecurity expert (or external consultant), purchasing password protection software, backing up your files, and enabling multi-factor authentication are some quick and easy ways to “lock the door” to cybercriminals, but as ransomware and other attack vectors become more lucrative and easier to initiate, companies of all sizes will need to implement additional, more layered security measures, especially if they’re working with third parties that are equally at risk.
Companies should start by taking inventory with a thorough gap assessment of both capabilities and personnel, and then address any discrepancies with an internal expert, an external consultant, or both, depending on the company’s needs. Next, they should rank risks by severity and build out a continuity plan to manage them and to recover if disaster strikes.
To cover losses when an incident inevitably occurs, companies should purchase or shore up their own cybersecurity insurance policies, and also require that their third-party partners (suppliers, vendors, contractors, franchisees, and so on) carry a specified amount of cybersecurity coverage to pay for damages and the cost of remediating them.
It’s not enough just to carry cybersecurity coverage — companies need to make sure the policies are adequate and haven’t lapsed. This is where verification, and ongoing re-verification, of third-party cybersecurity insurance comes into play. This simple measure is one of the most effective ways for businesses to protect themselves and their customers from the financial risk of stolen data, ransomed files, and more.
Additionally, many cyber insurers now verify a company’s cyber risk controls as part of the underwriting process, so verifying a vendor’s cybersecurity insurance effectively adds a second layer of verification in one step. This ensures not only that third-party vendors have coverage, but also that they have prioritized cybersecurity protection and developed a comprehensive plan of defense.
If the Digital Pandemic has taught us anything, it is that no person and no business is immune from an attack. Businesses need to be more diligent about verifying their supply chains and making sure that each vendor they work with is sufficiently covered.
Data breaches are inevitable, but businesses can (and should) protect themselves and their customers from third-party risk by verifying that their partners’ cybersecurity and ransomware insurance policies are active and appropriately meet the company’s needs.