You've heard it before, but I'll say it again: "Cyberattacks are not a matter of if, but when." According to a report by Cybersecurity Ventures, cybercrime will cost the world $10.5 trillion annually by 2025, up from $3 trillion in 2015. That is roughly the combined GDP of Japan, Germany, and the UK.
By this point, every business owner or leader knows cyberattacks don't only target large corporations or government agencies. Small and medium-sized businesses (SMBs) are hit constantly, and they are the least able to absorb the cost. Verizon's Data Breach Investigations Report has found that 43% of breaches involved small businesses, and IBM's Cost of a Data Breach study put the average cost of a breach at $3.86 million in 2020 (an average across organizations of all sizes; an SMB's bill is smaller, but so is its ability to pay it).
That's why cyber insurance is a must-have for businesses of all sizes in 2024 and beyond. Cyber insurance covers the financial losses and liabilities arising from cyberattacks, data breaches and other cyber incidents. It can help you recover from the direct and indirect costs of an incident, such as data recovery, business interruption, legal fees, regulatory fines (where they are insurable), and reputational damage.
In this article, I will share with you some of the key cyber risks and threats that businesses face in 2024, such as ransomware, business email compromise, data collection and privacy issues, and artificial intelligence. I will also discuss the current state and trends of the cyber insurance market, such as the increase in demand, premium rates, coverage options and underwriting criteria for cyber policies. Finally, I will provide some best practices and recommendations for businesses to improve their cybersecurity posture and reduce their cyber exposure, such as implementing security controls, conducting risk assessments, educating employees, and working with reputable cyber insurers and service providers.
Kosh Solutions is a leading IT and cybersecurity provider in the Southwestern United States, and we have witnessed the devastating effects of cyberattacks on SMBs throughout the communities we serve. We have also helped many of our clients secure and optimize their cyber insurance policies, and leverage our expertise and resources to enhance their cybersecurity resilience.
We hope you find this article useful and informative.
If you have any questions or comments, please feel free to contact us at cyber@koshsolutions.com or 888-979-5674
Get a FREE 50+ question Cybersecurity Assessment PDF: Security Assessment Sign Up | Kosh Solutions
Let’s get started! 😊
Cyber Risks and Threats in 2024
Cybersecurity is a dynamic and evolving field, and so are the cyber risks and threats that businesses face in 2024. Here are some of the main types and sources of cyber risks and threats that you need to be aware of and prepared for:
Ransomware: Ransomware is a type of malicious software that encrypts the victim’s data and demands a ransom for its decryption. Ransomware attacks have become more sophisticated and prevalent in recent years, targeting not only individual devices, but also entire networks and systems. Ransomware can cause significant disruption and damage to businesses, as they may lose access to their critical data and operations, and face hefty ransom demands and recovery costs. According to the 2023 Cyber Claims Study by NetDiligence, ransomware was the most frequent and costly cause of cyber claims, accounting for 41% of the incidents and 27% of the losses.
Business Email Compromise (BEC): BEC is a type of fraud in which the attacker impersonates a legitimate person or entity, such as a CEO, a vendor, or a customer, and tricks the recipient into transferring money or disclosing sensitive information. BEC attacks rely on social engineering and phishing techniques: a spoofed or lookalike sender address, a hijacked mailbox, a Reply-To that quietly redirects the conversation, and a pretext of urgency or confidentiality that discourages the recipient from verifying the request out of band. They exploit the human factor and the trust relationships within and between organizations rather than any software flaw, which is why technical controls alone rarely stop them. BEC can result in substantial financial losses and liabilities for businesses, as well as reputational harm and legal issues. According to the FBI's Internet Crime Complaint Center, reported BEC losses exceeded $1.8 billion in 2020 and $2.7 billion in 2022, and the trend is expected to continue in 2024.
Data Collection and Privacy Issues: Data is the lifeblood of modern businesses, and it is also a valuable asset for cybercriminals and other malicious actors. Data collection and privacy issues refer to the risks and challenges associated with the collection, storage, processing, sharing, and protection of personal and sensitive data, such as customer information, employee records, intellectual property, and trade secrets. Data collection and privacy issues can expose businesses to various cyber threats, such as data breaches, identity theft, fraud, espionage, and extortion. Data collection and privacy issues can also subject businesses to complex and stringent regulatory and legal obligations, such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the New York SHIELD Act, which impose strict requirements and penalties for data protection and privacy compliance.
Artificial Intelligence (AI): AI is a broad term that encompasses the use of machines and algorithms to perform tasks that normally require human intelligence, such as learning, reasoning, and decision making. AI has many applications and benefits for businesses, such as improving efficiency, productivity, innovation, and customer experience. However, AI also poses cyber risks and threats for businesses: criminals use generative AI to write convincing phishing and BEC lures and to clone voices for phone fraud; AI systems have their own weaknesses, such as prompt injection and poisoned training data; and employees can leak sensitive data by pasting it into public AI tools. AI can also create new and unknown risks, as AI systems can act in unpredictable and unintended ways.
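The BEC item above describes the lure but not the check. As an added example (not Kosh's code and not from any of the sources cited on this page), here is a small header and content screen of the kind a mail gateway or a finance team's inbox rule can apply before a wire request is acted on. The executive roster, the company domain `example.com`, and the two sample messages are constructed for illustration; a real deployment would load the roster from the directory and run this in the mail pipeline.

```python
"""Added example: simple BEC screening of an inbound message.

Flags the four tell-tale signs described in the article: a known
executive's display name on an outside address, a lookalike domain,
a Reply-To that diverts the conversation, and urgent payment language.
Roster, domain and sample messages are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example (not real data).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

PAYMENT_WORDS = ("wire", "bank details", "account number")
URGENCY_WORDS = ("urgent", "asap", "today", "confidential")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch lookalikes such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_findings(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []

    # 1. Display-name impersonation: a roster name on an address we don't expect.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but sender is {from_addr}")

    # 2. Lookalike domains: within two edits of ours, but not ours.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom and dom != OUR_DOMAIN and _edit_distance(dom, OUR_DOMAIN) <= 2:
            findings.append(f"lookalike {label} domain {dom}")

    # 3. Reply-To diversion: replies leave the sender's domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. Payment request wrapped in urgency or secrecy.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + str(body)).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent payment / banking-change language")
    return findings


# Constructed sample messages (not captured traffic).
LURE = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <ceo-jdoe@exarnple.com>
To: payables@example.com
Subject: Urgent wire needed today

I am in a meeting, please send the wire to the new account number below. Keep this confidential.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Q3 budget review

Please add the vendor spreadsheet to the agenda.
"""

if __name__ == "__main__":
    for name, sample in (("LURE", LURE), ("LEGIT", LEGIT)):
        print(name, "->", bec_findings(sample) or "no findings")
```

None of these checks is proof of fraud on its own; the point is that a message tripping several of them should be verified by phone on a known number before any banking change or transfer, which is the control that actually stops BEC.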
These are some of the cyber risks and threats that businesses face in 2024, and they can have serious and lasting impacts and consequences for businesses in terms of financial, operational and reputational damages. For example:
In May 2021, Colonial Pipeline, a major US fuel pipeline operator, was hit by a ransomware attack that forced it to shut down its operations for several days, causing fuel shortages and price spikes along the US East Coast. The company paid roughly $4.4 million in ransom to the attackers, and incurred additional costs for recovery and restoration.
In 2015, Ubiquiti Networks, a US networking equipment maker, disclosed that a BEC scam had cost it $46.7 million. The scammers impersonated company executives and instructed the finance staff of a Hong Kong subsidiary to wire funds to accounts the attackers controlled. The company recovered part of the money, but still suffered a significant financial loss and reputational damage.
In December 2020, SolarWinds, a US software company, disclosed that attackers had inserted malicious code into updates of its Orion platform. About 18,000 customers downloaded the tainted updates, and a smaller set of targets, including several US federal agencies and Fortune 500 companies, were actively compromised through them. The US government attributed the campaign to a Russian state-sponsored group. The breach exposed sensitive information and created severe security and operational risks for the affected organizations, and it remains the textbook example of a software supply-chain attack.
In 2020, Clearview AI, a US facial recognition company, was sued by the ACLU and other civil rights groups for violating the privacy rights of millions of people. The company had collected and analyzed billions of images scraped from the internet, and sold its services to law enforcement agencies and private entities. The company was accused of creating a dangerous and invasive surveillance system, and of violating data protection and privacy laws such as Illinois's Biometric Information Privacy Act.
These are some of the recent cyber incidents and claims that illustrate the cyber risks and threats that businesses face in 2024. As you can see, these cyber risks and threats can have devastating and far-reaching effects on businesses, and they can affect any business, regardless of its size, industry, or location.
That’s why cyber insurance is a vital tool for businesses to mitigate or transfer these cyber risks and threats. Cyber insurance can provide businesses with financial protection and support in the event of a cyber incident, such as:
Covering the direct and indirect costs of a cyber incident, such as data recovery, business interruption, legal fees, regulatory fines, and reputational damage
Providing access to expert and specialized services and resources, such as incident response, forensic investigation, breach notification, credit monitoring, and public relations
Offering guidance and assistance in complying with the relevant laws and regulations, such as data protection and privacy laws
Enhancing the cybersecurity awareness and preparedness of the business, such as through risk assessments, training, and best practices
Cyber insurance can help businesses reduce the impact and severity of a cyber incident and enable them to recover and resume their operations faster and more effectively. Cyber insurance can also help businesses gain a competitive edge and increase their trust and credibility with their customers, partners, and stakeholders.
Cyber insurance is not a substitute for cybersecurity, but a complement and a partner. Cyber insurance and cybersecurity work together to create a comprehensive and resilient cyber risk management strategy for businesses in 2024.
Cybersecurity Compliance and Best Practices in 2024
Cybersecurity compliance is the process of adhering to the laws, regulations, standards, and guidelines that govern the protection of data and systems from cyber threats.
Cybersecurity compliance is essential for businesses of all sizes and industries, as it helps them avoid legal liabilities, reputational damages, and financial losses. However, cybersecurity compliance is also challenging, as it requires businesses to keep up with the changing cyber threat landscape and the evolving regulatory environment. In this section, I will explain some of the main cybersecurity compliance requirements and challenges that businesses need to be aware of in 2024, and discuss some of the best practices and resources that can help them achieve and maintain compliance.
Cybersecurity Compliance Requirements and Challenges
There are various cybersecurity compliance requirements and challenges that businesses face in 2024, depending on their industry, location, and type of data they handle. Some of the most relevant and prominent ones are:
Payment Card Industry Data Security Standard (PCI DSS) 4.0: PCI DSS is a global standard that provides technical and operational requirements for protecting cardholder data. PCI DSS 4.0 is the latest version of the standard. It was released in March 2022, the previous version (3.2.1) was retired on March 31, 2024, and the remaining future-dated requirements become mandatory on March 31, 2025. PCI DSS 4.0 introduces several changes and enhancements, such as a "customized approach" that allows more flexibility in how controls are implemented, a greater emphasis on risk-based approaches and continuous improvement, and closer alignment with other industry standards and best practices. Businesses that process, store, or transmit cardholder data need to comply with PCI DSS 4.0 to avoid fines, penalties, and breaches.
Federal Trade Commission (FTC) Data Breach Reporting Rules: The FTC is a U.S. agency that enforces consumer protection laws and regulations. In October 2023, the FTC finalized an amendment to its Safeguards Rule, which requires non-bank financial institutions to protect customer data; the amendment took effect in May 2024. It requires covered financial institutions to report any "notification event" (unauthorized acquisition of unencrypted customer information) involving at least 500 consumers to the FTC as soon as possible and no later than 30 days after discovering the event, and to provide specific information about the event, such as the types of information involved, the number of consumers affected, the date or date range, and a general description of what happened. The FTC publishes these notices, but a law enforcement official may request that public disclosure be delayed. Financial institutions that fail to comply with the rule may face enforcement actions by the FTC.
Securities and Exchange Commission (SEC) Breach Disclosure Rules: The SEC is a U.S. agency that regulates the securities markets and protects investors. In July 2023, the SEC adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The rules require public companies to disclose on a new Item 1.05 of Form 8-K any cybersecurity incident they determine to be material within four business days after determining the materiality, and to describe the material aspects of the incident, such as its nature, scope, timing, and impact. The rules also require public companies to disclose on a new Regulation S-K Item 106 their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the board of directors' oversight and management's role and expertise in cybersecurity risk management. These disclosures are intended to increase the visibility and consistency of cybersecurity information for investors and companies.
Cybersecurity Maturity Model Certification (CMMC) 2.0: CMMC is a program developed by the U.S. Department of Defense (DoD) to enhance the cybersecurity of the Defense Industrial Base (DIB), which consists of contractors and subcontractors that provide products and services to the DoD. CMMC 2.0, announced in November 2021, streamlines the original model to three levels and aligns each level with well-known NIST standards (Level 1 maps to the basic safeguards in FAR 52.204-21, Level 2 to NIST SP 800-171, and Level 3 adds controls from NIST SP 800-172). The DoD published the proposed CMMC 2.0 rule in December 2023, with phased implementation expected once the rule is finalized. CMMC 2.0 allows self-assessments for Level 1 and for some Level 2 contracts, requires assessments by an accredited third-party assessor (C3PAO) for the remaining Level 2 contracts, and uses government-led assessments for Level 3. Businesses that work with the DoD need to comply with CMMC 2.0 to be eligible for DoD contracts.
These are some of the cybersecurity compliance requirements and challenges that businesses need to be aware of in 2024. However, compliance alone is not enough to ensure cybersecurity. Businesses also need to adopt and follow best practices and leverage resources that can help them improve their cybersecurity posture and reduce their cyber exposure. In the next section, I will discuss some of these best practices and resources.
Cybersecurity Best Practices and Resources
There are various cybersecurity best practices and resources that businesses can use to enhance their cybersecurity in 2024. Some of the most effective and recommended ones are:
Creating and Updating a Written Information Security Plan (WISP): A WISP is a document that details an organization's security controls, processes, and policies. A WISP helps an organization identify and mitigate its cybersecurity risks, comply with its regulatory obligations, and respond to and recover from security incidents. A WISP should be tailored to the organization's size, scope, activities, complexity, and data sensitivity, and should be reviewed and updated regularly to reflect the changing cyber threat landscape and regulatory environment. A WISP is not only a good business practice, but also a legal requirement for some businesses: tax and accounting professionals fall under the FTC Safeguards Rule, and the IRS (Publication 4557) requires paid preparers to have a written plan. A WISP can help businesses protect their data, reputation, and revenue from cyber threats. Related FTC breach notification guidance: https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0
Implementing Security Controls: Security controls are measures that are implemented to protect an organization's data and systems from cyber threats. Security controls can be classified into three types: administrative, technical, and physical. Administrative controls are policies and procedures that govern the organization's security activities, such as access management, incident response, and security awareness. Technical controls are hardware and software tools that prevent, detect, and respond to cyber threats, such as firewalls, endpoint detection and response, multi-factor authentication, encryption, and tested offline backups. Physical controls are devices and mechanisms that prevent unauthorized access to the organization's premises and equipment, such as locks, alarms, and cameras. Implementing security controls can help businesses reduce their attack surface, deter and detect cyberattacks, and minimize the impact and severity of security incidents. A control that is installed but never tested (backups that have never been restored, alerts nobody reads) should not be counted as a control.
Conducting Risk Assessments: Risk assessments are processes that identify, analyze, and evaluate the cybersecurity risks that an organization faces. Risk assessments help an organization prioritize its security efforts and resources, and align its security strategy with its business objectives and risk appetite. Risk assessments should be conducted periodically and whenever there are significant changes in the organization's environment, such as new technologies, regulations, or threats. Risk assessments should involve relevant stakeholders from different functions and levels of the organization, and should follow a systematic and consistent methodology, such as the NIST Risk Management Framework or the assessment guidance in NIST SP 800-30. Conducting risk assessments can help businesses understand their cybersecurity posture, identify their strengths and weaknesses, and implement appropriate risk mitigation measures. Risk assessment resources: https://dodcio.defense.gov/CMMC/Model/ https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub
Educating Employees: Employees are often the weakest link in an organization's cybersecurity, as they may lack the knowledge, skills, or awareness to protect themselves and the organization from cyber threats. Employees are also the target of social engineering attacks, such as phishing and BEC, which aim to trick them into revealing sensitive information or performing malicious actions. Educating employees is therefore a crucial component of an organization's cybersecurity strategy, as it can help them recognize and avoid cyber threats, follow security policies and procedures, and report and respond to security incidents. Education should be an ongoing and interactive process that involves various methods, such as training sessions, newsletters, quizzes, and phishing simulations, and it should be paired with simple procedures employees can actually follow, such as verifying any banking change by phone on a known number. Educating employees can help businesses create a security culture, reduce human errors, and enhance security performance. Kosh works with Breach Secure Now to deliver engaging cybersecurity training.
Working with Reputable Cyber Insurers and Service Providers: Cyber insurers and service providers are external parties that can help an organization improve its cybersecurity and mitigate its cyber risks. Cyber insurers are companies that offer financial protection and support to an organization in the event of a cyber incident, such as covering the costs of data recovery, business interruption, legal fees, regulatory fines, and reputational damage. Cyber insurers may also provide access to expert and specialized services and resources, such as incident response, forensic investigation, breach notification, credit monitoring, and public relations. Cyber service providers are companies that offer various cybersecurity solutions and services to an organization, such as security assessments, audits, testing, monitoring, consulting, and training. Working with reputable cyber insurers and service providers can help businesses reduce the impact and severity of a cyber incident, and enable them to recover and resume their operations faster and more effectively.
These are some of the cybersecurity best practices and resources that businesses can use to enhance their cybersecurity in 2024. By following these best practices and leveraging these resources, businesses can not only achieve and maintain compliance, but also gain a competitive edge and increase their trust and credibility with their customers, partners, and stakeholders. Cybersecurity is not a one-time event, but a continuous and dynamic process that requires constant vigilance and improvement. Businesses that adopt a proactive and informed approach to cybersecurity will be better prepared and protected from the evolving cyber threats and challenges in 2024.
Cyber Insurance Coverage and Pricing in 2024
Cyber insurance is a fast-growing and dynamic market, driven by the increasing demand and awareness of businesses for cyber risk protection. However, cyber insurance is also a complex and challenging market, influenced by various factors and uncertainties that affect the coverage and pricing of cyber policies. In this section, we will discuss the current state and trends of the cyber insurance coverage and pricing in 2024 and explain the factors and challenges that shape the market. We will also provide some tips and best practices for businesses to choose and negotiate the best cyber insurance policy for their needs and budget.
Current State and Trends
More and more businesses are seeking cyber insurance as a way to mitigate and transfer their cyber risks and liabilities. According to a report by Standard & Poor’s Corp., cyber insurance premiums, which now total about $5 billion annually, will increase 20% to 30% per year on average in the near future.
However, the cyber insurance market is not homogeneous or standardized. Different insurers offer different types and levels of coverage, rates, and terms for cyber policies. Moreover, the cyber insurance market is constantly evolving and adapting to the changing cyber threat landscape and regulatory environment. Some of the current trends and developments in the cyber insurance market are:
Increasing demand: The demand for cyber insurance is growing across all industries and sizes of businesses, as cyber risks become more prevalent and severe. According to a survey by The Doctors Company, 70% of healthcare professionals plan to purchase or increase their cyber insurance coverage in 2024. According to a survey by CyberPolicy, 65% of nonprofits plan to purchase or increase their cyber insurance coverage in 2024. According to a survey by Travelers, 51% of retailers plan to purchase or increase their cyber insurance coverage in 2024. Source: https://www.forbes.com/sites/forbestechcouncil/2022/10/21/cyber-insurance-premiums-are-up-and-thats-not-the-only-industry-shakeup/
Increasing premiums: The premiums for cyber insurance are rising as the frequency and severity of cyber incidents and claims increase. According to a report by AdvisorSmith, the average premium for cyber insurance in 2024 is $1,740 per year, up from $1,485 in 2023. US cyber insurance pricing rose 79% year over year in Q2 2022, the period covered by the Forbes article linked above, and Investopedia has reported UK cyber premiums rising by about 50% year over year.
Increasing limits: The limits for cyber insurance are increasing as the potential losses and liabilities from cyber incidents and claims increase. According to IBM's Cost of a Data Breach report, the global average cost of a data breach rose from $3.86 million in 2020 to $4.24 million in 2021 and $4.45 million in 2023. According to a report by NetDiligence, the average ransomware claim in 2023 was $175,000, up from $46,000 in 2019. According to a report by Insureon, the average limit for cyber insurance in 2024 is $1 million, up from $500,000 in 2023.
Increasing coverage options: The coverage options for cyber insurance are expanding as the types and sources of cyber risks and threats expand. Cyber insurance policies typically cover first-party losses (such as forensic investigation, data recovery, business interruption, extortion payments, breach notification and credit monitoring costs, and reputational harm) and third-party liabilities (such as legal defense costs, settlements with affected customers or partners, and regulatory fines and penalties where they are insurable). However, some insurers also offer additional or optional coverages, such as media liability, social engineering and funds-transfer fraud (which many base policies exclude, and which is exactly the BEC loss described earlier), contingent business interruption from a vendor's outage, system failure not caused by an attack, cyber terrorism, and cybercrime.
Increasing underwriting criteria: The underwriting criteria for cyber insurance are becoming more stringent and detailed as the insurers try to better assess and price the cyber risks and exposures of the insureds. Insurers typically require the insureds to complete an application form that asks about their revenue, number of records, industry, security controls, and incident history. Most now treat a few controls as conditions of coverage, most commonly multi-factor authentication on email, remote access and privileged accounts, endpoint detection and response, and offline or immutable backups; a "no" on the application can mean a declined risk, a higher premium, or a sub-limit on ransomware. Some insurers also ask for more evidence, such as risk assessments, penetration tests, security audits, compliance certifications, and incident response plans. Answer the application accurately: a misstatement about a control can give the insurer grounds to deny a claim later.
These are some of the current state and trends of the cyber insurance coverage and pricing in 2024. However, the cyber insurance market is not static or predictable. There are many factors and challenges that affect the market and create uncertainties and variations.
Conclusion
Cybersecurity is a vital and urgent issue for businesses of all sizes and industries in 2024. As cyber risks and threats become more prevalent and severe, businesses need to adopt and follow best practices and resources to enhance their cybersecurity posture and reduce their cyber exposure. However, cybersecurity alone is not enough to ensure protection and resilience. Businesses also need to invest in cyber insurance, a tool that can provide financial protection and support in the event of a cyber incident.
In this article, we have shared with you some of the key cyber risks and threats that businesses face in 2024, such as ransomware, business email compromise, data collection and privacy issues, and artificial intelligence. We also discussed the current state and trends of the cyber insurance market, such as the increasing demand, premium rates, coverage options and underwriting criteria for cyber policies. Finally, we have provided some best practices and recommendations for businesses to improve their cybersecurity compliance and awareness, such as creating and updating a Written Information Security Plan, implementing security controls, conducting risk assessments, educating employees, and working with reputable cyber insurers and service providers.
As a leading IT and cybersecurity provider in the Southwestern United States, Kosh Solutions has witnessed firsthand the devastating effects of cyberattacks on SMBs. We have also helped many of our clients secure and optimize their cyber insurance policies, and leverage our expertise and resources to enhance their cybersecurity resilience. We hope you have found this article useful and informative, and that it has helped you make informed and confident decisions about your cyber security needs.
If you are a business owner or leader in the Southwestern United States, you should also be aware of the specific cybersecurity compliance requirements and challenges that apply to your state. For example:
In New Mexico, the Data Breach Notification Act requires businesses that hold residents' personal identifying information to implement reasonable security procedures, to notify affected residents within 45 days of discovering a breach, and to notify the Attorney General when more than 1,000 residents are affected. State cybersecurity resources: https://www.doit.nm.gov/programs/cybersecurity/
In Colorado, the Colorado Privacy Act (in effect since July 1, 2023) imposes consumer data rights and security obligations on larger businesses, and the state's breach notification law requires notice to affected residents within 30 days and to the Attorney General when 500 or more residents are affected. Depending on your industry and the data you handle, PCI DSS 4.0, the FTC data breach reporting rules, the SEC breach disclosure rules, and CMMC 2.0 described above may also apply.
In California, you may need to comply with the CCPA (as amended by the CPRA) and the California Privacy Protection Agency's proposed cybersecurity audit and risk assessment regulations, which impose strict requirements and penalties for data protection and privacy compliance. The state's Cal-Secure roadmap applies to state agencies, but it is a useful reference for what the state considers baseline security.
In Arizona, the state's breach notification statute requires notice to affected residents within 45 days of determining that a breach occurred, and notice to the Attorney General and the consumer reporting agencies when more than 1,000 residents are affected. The Arizona Department of Homeland Security's Cyber Command also runs the statewide information security policies and the Statewide Cyber Grant Program. https://azdohs.gov/cyber
These are some of the cybersecurity compliance requirements and challenges that businesses in the Southwestern United States need to be aware of in 2024. However, these requirements and challenges may change and evolve over time, so it is important to stay updated and informed on the latest developments and trends.
If you have any questions or comments about this article, or if you need any assistance with your cybersecurity or cyber insurance needs, please feel free to contact Kosh. We would love to hear from you and help you achieve your cybersecurity goals. Thank you for reading and stay safe! 😊
Disclaimer
The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.