Adapting to evolving cyber threats
As cyber threats grow more complex, organizations must be prepared for resultant claims that are more frequent, severe, and difficult to resolve. Here are seven ways organizations can mitigate potential losses and facilitate better claims outcomes.
01 Seek to better understand your cyber risks, including those arising out of your supply chain.
As cyber claims can take many forms and arise from several areas, it’s important that businesses understand the nature of the risks they face. This includes modeling potential losses to better measure how likely they are to occur and how much they could cost businesses.
Given that vendor relationships can contribute to a variety of cyber risks, businesses should look to map their technology networks to document which vendors provide or facilitate critical processes and which vendors access or store specific data, including PII and PHI. Organizations should also try to identify which technology providers their own providers rely on, which can help to pinpoint potential dependencies and vulnerabilities.
Similarly, companies should review:
- Their use of tracking technologies — including cookies and pixels — that plaintiffs’ attorneys are focusing on, and consider whether the use of such technologies outweighs their potential risk.
- Policies governing what data organizations and their partners collect and how such data is used, shared, stored, and protected.
- Contracts with key vendors to ensure their language reflects how they want risk to be managed, including via minimum insurance limits.
02 Develop and test an incident response plan.
Even with strong controls, no organization can become an impenetrable fortress. It’s therefore vital that companies are prepared for potential cyber events.
Most incident response plans include three major components, which follow the sequence in which an organization reacts to events:
- Detection, which includes the monitoring of systems, suppliers, and environments to detect events.
- Analysis of events for their operational impact and escalation according to established criteria.
- Response activities to be executed to minimize operational impact and fully restore operations.
Organizations should identify key resources they will need to access in the event of a loss and seek to have key vendors in place before an event. This includes forensic accounting services critical to business interruption losses, ransomware consultants, and outside counsel specializing in various types of cyber losses.
As basic, generic, and/or outdated plans will not be useful during a crisis, it’s important that organizations’ written plans be printed, disseminated, and stored in multiple locations so they are easily accessible during an incident. Plans should also be tested and updated at least once a year, in conjunction with other elements of an organization’s broader business continuity plans.
03 Maintain cyber hygiene and invest in strong cybersecurity infrastructure.
Robust cybersecurity controls and a culture focused on protecting data and systems from outside attacks represent the most effective ways for businesses to mitigate potential claims. Underwriters also now view these as minimum conditions that policyholders must meet to secure cyber insurance coverage.
Hallmarks of strong cyber hygiene include:
- Multifactor authentication (MFA), which requires users to provide two or more pieces of evidence of their identity before gaining access to corporate systems.
- Endpoint detection and response, through which user phones, laptops, and other devices are continually monitored to prevent potential intrusions.
- Regular data backups on secure offline or offsite platforms.
- Segmentation of information technology and operational technology networks to protect critical systems.
- Email filtering software to scan for malicious links or attachments.
- Privileged access and password management software.
- Timely patching of critical software and systems.
- Regular training of all employees — including C-suite executives — on key topics, including phishing, social engineering, secure use of mobile devices, videoconferencing, and more.
Managed detection and response (MDR) tools are also crucial, enabling organizations to minimize, if not eliminate, the threats that enter their systems. A critical component of this is a security operations center, staffed 24 hours a day, 7 days a week, tasked with engaging and containing abnormal activity before it becomes a larger issue.
04 Optimize insurance coverage.
Even the best-prepared organizations can suffer cyber losses, which is why effective insurance coverage is essential. A well-crafted cyber insurance policy can include:
- First-party coverage that reimburses insured organizations for the cost of investigating a cyber event and restoring normal operations. These include costs related to incident response, defense, forensics, business interruption, and more.
- Third-party coverage for liabilities to others, including damages owed to third parties, regulatory penalties, and additional costs and expenses, including legal defense costs. In some cases, policies will provide access to specific “panel” counsel to defend policyholders from liability claims, along with vendors that can assist in incident response.
Before a cyber event occurs, organizations should work with their insurance brokers to understand what is and is not covered under their cyber insurance policies. If any gaps in existing coverage are identified, policyholders should work with brokers to seek to fill those gaps during upcoming renewal discussions. The expansion and evolution of business email compromise (BEC) and social engineering threats also underscore the need for effective crime insurance, the procurement of which should be coordinated with the purchase of cyber insurance.
05 Prioritize data privacy and governance.
Beyond a robust cybersecurity framework, more rigorous data privacy laws in the U.S. and elsewhere require businesses to develop and maintain specific policies to protect critical data. Among other actions, organizations should:
- Develop and document guidelines for how data should be collected, stored, processed, and shared.
- Implement strategies to minimize each of these actions and ensure transparency.
- Ensure access to sensitive data is strictly limited.
- Include data privacy best practices in cybersecurity training programs.
Data-related policies and procedures should be regularly reviewed and updated to address potential gaps in cybersecurity and ensure compliance with all applicable laws.
06 Leverage threat intelligence and collaboration.
Collaborating with other cybersecurity stakeholders, including law enforcement, can enable swift and strong action against cybercriminals, which benefits all businesses. For example, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) encourages businesses and other organizations to report and share information about ransomware attacks, which the FBI and other U.S. law enforcement entities can share with Interpol and other counterparts around the world.
Such collaboration can often enable authorities to take out attack groups and obtain ransomware decryption keys, ultimately allowing for speedier returns to normal operations and lower costs for businesses. In 2024, for example, information businesses shared about ransomware attacks helped to fuel Operation Endgame, a massive law enforcement initiative carried out by the FBI and law enforcement authorities across Europe. According to the FBI, Operation Endgame “took down or disrupted more than 100 servers to defeat multiple malware variants.”
07 Develop a plan for submitting your claim.
Before a potential cyber loss, organizations should be ready to file potential claims and have key resources lined up to expedite essential processes. In the event of a claim, businesses should be prepared to:
- Notify brokers and insurers as soon as possible.
- Obtain prior consent from insurers for the use of any vendors and keep both brokers and carriers updated on any and all actions taken to mitigate losses and prepare claims.
- Identify key advisors to assist in claims preparation, loss mitigation, and legal defense, including forensic accountants, ransomware specialists, communications specialists, and outside counsel, which may be part of panels preselected by insurers.