An explosion in costly cyberattacks created a rapidly growing niche business: cyber insurance.
The industry generated $8 billion in revenue in 2020. The number may grow to $20 billion by 2025.
"Seven or eight years ago, this was never discussed," said Rob Clyde, the past ISACA board chair who currently serves as an executive advisor for ShardSecure and executive chair for White Cloud Security. "You've had boards go from very little discussion around cyber to, now, intense discussions around cyber."
Research indicates that about 75% of Fortune 500 companies invest in cyber insurance.
"We're way better off than we were a decade ago when the number was closer to zero," Clyde said.
Before the onset of cyber insurance, many companies tried to get their general insurance companies to foot the bill.
In a case that settled earlier this year, Merck successfully sued its insurer for $1.4 billion in damages related to a NotPetya attack in 2017.
The insurance company attempted to deny the claim under its "act of war" provision.
A judge ultimately ruled that the defense held no merit since "cyberattacks" were not explicitly excluded in the policy language.
In the years since the NotPetya attack on Merck, "insurance companies have learned about not including all things cyber in general business insurance," according to Clyde.
"It's becoming more and more often that it's excluded from your general business insurance, or that there are a lot of limits on it, so you need to now pay for special cyber insurance."
Those cyber insurance policies come with strings attached.
Many companies force their clients to meet essential security criteria.
"The number of settlements and claims has continued to increase, so insurance companies are becoming more and more strict about how they'll cover policies," said Ryan Toohil, the CTO of digital security company Aura. "It's to the point that it'll be in the underwrite. If you don't have active endpoint security, solid backups, basically if you aren't in a position that you could recover from the attack, they might not underwrite you, or they may not pay out the policy."
The evolving landscape can be challenging for small businesses to navigate. Thirty-five percent of the security professionals surveyed for ISACA's State of Cybersecurity 2021 said their enterprises were experiencing more cyberattacks.
"The top threats are not new," Clyde said, pointing to social engineering as the top threat to businesses. "Think of the phishing attacks that we're all familiar with. They can occur over email, social media, or via text message. We've all seen them. Now they're far more sophisticated."
Clyde also highlighted advanced persistent threats: A threat that sticks around in a company network and attacks multiple angles.
"Think of it as a multi-headed hydra," Clyde said. "While you might chop off one head, there are still others that eventually spring back up again. It's malicious code that has infected your network that is really hard to completely eradicate."
Both experts agree that a proactive security program is one of the best investments a company can make.
"The two things I think are most important are endpoint security and backups," Toohil said. "Endpoint security reduces the risk by closing how many vulnerabilities you might have and identifying when you've installed something malicious. Backups allow you to recover when you have a problem. You shouldn't do one without the other."
Clyde said that as more companies raise their cybersecurity standards and create high-quality backups, the number of ransoms paid to hackers could decrease.
"There are situations where companies are well-prepared, and maybe for a little inconvenience and additional cost, they can avoid paying the ransom and recover," Clyde said. "The calculation that might go into those companies would be, 'Do we really want to continue to reward criminals for holding our data hostage?' And if less and less would do that - ideally, none would do it - perhaps ransomware would go away."
