Dave Russell, Vice President of Enterprise Strategy, Veeam

Rick Vanover, Senior Director Product Strategy, Veeam

Data protection against ransomware and cyberattacks is becoming increasingly critical. According to Veeam’s latest Data Protection Trends Report 2023, 82 per cent of organisations in the APAC region experienced at least one attack in 2022, and 23 per cent experienced four or more. Cyber risks are an unavoidable reality and have necessitated the urgent adoption of new cybersecurity and data protection measures. It is simply not sufficient for organisations to invest in prevention strategies and hope their business does not falter and succumb to an attack. Instead, organisations must be fully prepared for the inevitable: facing a data breach or a security incident.

Cyber insurance serves as a form of risk management against cyber risks, playing a crucial role in mitigating losses from cyber incidents and building cyber resiliency. It complements an organisation’s overall cyber resiliency and should be integrated into its data protection strategy.

Benefits of purchasing cyber insurance

Cyber insurance can cover all or some of the costs associated with data breaches, ransomware, and other cybersecurity incidents. These costs may stem from investigation, recovery, and remediation. An insurance policy not only helps businesses recover from a cyberattack, it also protects data long before a breach occurs, by nudging the business to formulate a more comprehensive data protection plan. This is key for ensuring a healthy recovery in the face of a cyberattack, as it mitigates much of the financial repercussions associated with data breaches and cyberattacks. According to IBM, the average cost of a data breach in six ASEAN countries reached an all-time high of USD 2.87 million in 2022.

With cyber threats becoming increasingly sophisticated, all businesses, regardless of size and industry, face a high risk of having their IT systems attacked. It is therefore paramount that businesses of all sizes soften the direct financial impact of a cyber incident through cyber insurance. The question businesses need to answer urgently is not whether they need cyber insurance, but how much and against which forms of cyber incidents.

More companies are now recognising the importance of cyber insurance amidst increasing threats, making cyber insurance one of the fastest-growing lines of business in the insurance field. In fact, research has shown that the market is expected to reach $29.2 billion by 2027.

Cyber insurance for SMBs

In particular, small-to-medium businesses (SMBs) face an elevated cyber risk, as they often do not have the proper cybersecurity infrastructure or technology to address new threats. This puts them in a disadvantageous position, where they are more vulnerable to new forms of exploitation.

Basic cyber insurance policies can offer a more affordable option for SMBs and aid with monetary payouts in the case of a cyberattack. However, with the increasing number and severity of ransomware attacks, a cyber insurance policy of adequate scale is often beyond reach for many SMBs. Insurance bodies are also imposing more regulations on their policies, meaning businesses must invest in additional cybersecurity measures to be eligible for a claim. For example, some policies require businesses to have asset management systems and documented vulnerability patching processes. These hidden costs have made it even harder for SMBs to fund cyber insurance.

Purchasing cyber insurance does not fully offset ransomware risks

Cyber insurance only forms part of the puzzle in bolstering cyber resilience. If a company is subjected to a breach, cyber insurance serves as a lifeline to support recovery efforts. However, it does not negate the fact the business risks data leaks and disruption to normal processes. Depending on the chosen cyber insurance policy, businesses might not be covered for all costs incurred in the attack.

Security hygiene best practices continue to form the foundations of a robust cybersecurity strategy. Even if businesses engage in cyber insurance, they should not consider themselves immune from ransomware attacks. They must still implement cyber hygiene practices as part of a holistic data protection and recovery strategy. Doing so will also ensure they can demonstrate due diligence when lodging a claim – a requirement of cyber insurance policies.

While insurance companies can support businesses in times of a cyberattack, the insurance cannot protect a company against everything. It is vital that every organisation still has a comprehensive data protection infrastructure that provides full visibility and control of data, after all, the cybersecurity of a company is ultimately its own responsibility.