The Federal Bureau of Investigation's Internet Crime Report 2021 recorded reported potential losses exceeding $6.9B from cybercrime, and nearly 4,000 complaints attributed to ransomware alone, accounting for $49M+ in financial loss. It's no secret that ransomware and security incidents have increased drastically over the years with no indication of decline. According to the Cybersecurity Ventures report, cybercrime costs will continue to rise 15% year over year.
Cybercriminal tactics have evolved continuously since the onset of the COVID-19 pandemic. The attacks target every industry and have increased in frequency, size, and sophistication. Cyber breaches continue to cause business disruptions and compromise a company's reputation when customer data is exposed, on top of significant financial loss. When cyber incidents occur, organizations scramble and struggle to remediate, and some never recover.
A new market trend is the rise of global cyber insurance. According to Vantage Market Research, the cyber insurance market is expected to grow over 24% during 2022-2028, reaching up to $28B by 2028. In addition, as a result of the growing number of cyber incidents, some organizations are taking a proactive approach by investing in cybersecurity insurance to reduce the financial impact.
Cyber insurance is relatively new to the broker’s portfolio. Most companies with existing insurance policies saw premiums increase by 30-50% with cyber insurance. However, premiums could be reduced if the companies provide proof that they have proper security controls in place via the cyber insurance application.
Cyber insurance is like home or auto insurance: premiums increase when the number of claims and the severity of losses rise. From 2015 to 2019, the average ransomware demand increased from $23k to $175k, and the average total incident cost rose from $118k to $275k over the same period. Rates can be extremely high relative to the cost of the protective measures that need to be in place before a breach occurs. Even with the higher premiums, most companies aren't adequately prepared for a breach with the right security plan, personnel, and technologies.
Underwriting standards have increased, and more insurance providers are asking the hard questions and running audits on the answers to ensure accuracy; at the same time, the complexity of the questions continues to increase. In addition, insurance providers have specific language in their policies that clarifies how they will treat certain breaches and what would be excluded from coverage. Therefore, it’s essential to fully understand the coverage terms and conditions to avoid potential claim denials.
Many insurance providers will not provide coverage unless a baseline level of security controls is in place. Areas commonly required include access management, multi-factor authentication (MFA), security awareness education, and privileged identity management. In addition, coverage limits have shifted significantly, from large $10M lines to smaller $2M and $5M policies. Some customers would prefer more coverage and higher limits, but the premiums would be extremely high, possibly more than they are willing to invest. In the coming years, we expect the underwriting approach to change even further, requiring companies to invest heavily in security controls.
While insurance requirements are now driving security control demands, organizations still have reputational risk, and customer trust to contend with that may see them opt for even tighter measures. It gets down to asking the question, “what value do we place on our brand?” and assessing the reputational impact of a breach.
When gaming organizations plan to buy or renew an insurance policy, it's becoming more common for insurance providers to send a cyber insurance application aimed at better understanding the customer's security posture and risks. So who is responsible for completing the application within a company? Is it the IT department, legal counsel, compliance, human resources, or senior executives? The answer: everyone. It's everyone's role to contribute and to understand the importance of cybersecurity, what measures are currently in place, where the risks are, and what the impacts would be.
No matter what role you play, everyone is affected by cyber risk. Cyber risks aren't just a technology problem; they are constantly evolving and must be aggressively managed across departments. Cyber insurance applications can be daunting and frustrating, often running seven pages or longer. The topics can include questions on PCI compliance, cybersecurity e-learning, managed security services, computer and network security, business continuity, security assessments, media liability, e-crime, and more.
Answering all the questions accurately is essential to ensure the right coverage is selected for the organization, reinforcing the importance of selecting the right stakeholders/decision-makers from various departments who can weigh in. If a cyber incident occurs, the goal is to recover and remediate it quickly. This response requires cross-departmental alignment, a security plan, the right insourced or outsourced team, and the proper technologies.
Organizations with no plan will be caught off-guard and left scrambling to pull together the pieces when a system interruption happens or if data is breached, costing reputational, financial, and operational damages. Answering assessments accurately and having solid plans will mitigate the risk of a claim denial.
It’s not just insurance requirements that are evolving. As we know, state and federal rules and regulations are constantly evolving and becoming more stringent as cybercrime continues to skyrocket. Every organization must comply with an increasing set of regulations and standards. Organizations that are proactive and have a plan will be better equipped to mitigate risks and prevent breaches in the future.
The Strengthening American Cybersecurity Act, passed by the Senate in March 2022 and awaiting President Biden's signature at the time of writing, is one change that organizations will be required to adhere to. Its incident reporting provisions require covered entities in critical infrastructure sectors to report covered cyber incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report any ransomware payment within 24 hours of making it. The reporting obligations take effect only once CISA issues its implementing rule, so organizations should track that rulemaking.
In addition, state regulators are requiring sports wagering and iGaming operators, both casinos and gaming suppliers, to complete security assessments and security controls reviews. As a result, some gaming customers are starting to build their security plans to the strictest standard they face, so that they are compliant across all jurisdictions in which their business operates.
Another example is the State of Nevada's 2021 revision of its privacy law, which gives consumers the right to opt out of having the personal data a company collected about them sold to third parties. Customers also have the right to know what personal information is being collected, how, where, and for how long it is stored, and who can access it.
Since Europe brought forward GDPR, many other countries have followed in their footsteps and enhanced their privacy standards. Has your business integrated these changes into your operations?
What can you do to secure your gaming organization properly?
• Talk to your peers. Learn what others are doing in the industry, get educated, and ask for help!
• Start investigating whether cyber insurance is something your organization wants to invest in. While cyber insurance offers protection against financial loss, it's not a silver bullet in cyber defense. Organizations must be diligent about improving their security defenses; cyber insurance is a backstop for when an attack still gets through.
• Implement multi-factor authentication (MFA) ASAP if you haven’t already done so.
• Take regular backups consistently and test them by performing actual restores to ensure they work. Depending on the maturity of your tools and solutions, backups that are not maintained and monitored can contain malware or already-compromised data, so keep at least one copy offline or immutable and verify its integrity before relying on it.
• Offer cybersecurity training courses to your employees and test them regularly. If you don’t have cybersecurity training courses, find one that is user-friendly and engaging for your employees. Consider using a managed education service so your IT teams can focus on what is most important to the business. You can turn your most valued assets into cyber defenders!
• Complete cybersecurity assessments regularly (e.g., Ransomware Security Posture Assessments, etc.) and do quarterly scanning.
• Implement proper network segmentation and have an independent security company check to ensure it was set up and is still segmented correctly.
• Develop an incident response and recovery plan, and exercise it.
• Consider implementing endpoint protection and leveraging best-of-platform solutions to ensure you are covered end-to-end.
If you’re not sure where to start, ask for help. There are security experts available who live and breathe cybersecurity. It’s essential to work with a trusted cybersecurity partner if the unthinkable happens.