Is cybersecurity insurance relevant for SAP?

Cybersecurity insurance

Cybersecurity is a top-of-mind priority for organizations of all types. From businesses to government agencies and non-profits, leaders must consider a growing number of cyber threats, risks, and vulnerabilities. All organizations face uncertainty or risk. Typically, it is the risk manager’s job to guide the C-suite toward the most appropriate options for each identified hazard. The size and growth of the cybersecurity insurance market suggest an extraordinary demand.

Renowned experts estimated that the cybersecurity insurance market would reach $12.2 billion by 2022 and expect it to more than double by 2027, to ~$28 billion. As a CISO or CRO, you must constantly ask yourself whether the risks you face are covered. When it comes to securing SAP ERP, security departments are often helpless, especially since common processes, insights, and standardization are missing or hard to achieve.

However, cybersecurity insurance is only one of many tools that organizations can use to manage their risk profile (a prioritized inventory of their most significant risks).  

What is cyber insurance?

Cyber insurance protects your business against the consequences of a hacker attack, for example, on mission-critical SAP applications.

Frequently, a cyber-attack encrypts essential data or folders to paralyze your business and then extorts a ransom in exchange for releasing the company’s data.  

For SAP customers, a data breach usually occurs after the attacker has threatened to make sensitive customer data, such as payment information, patient records, commercial conditions, and trade secrets, publicly available on the internet or darknet.

This means that a hacker attack brings several problems, such as:

  • Business downtime 
  • Incurred ransoms 
  • Claims for damages caused by unknowingly passing malicious content to third parties or by data protection violations.

This is where cyber insurance comes into play. Cyber insurance includes the following benefits:

  • Compensation for financial damage, such as that caused by lost sales in the event of a business interruption, for instance if production is “paralyzed” or the SAP ERP is “down”.
  • Assumption of notification and legal costs in the event of a data breach (patients, customers, etc. must be informed immediately, depending on the type of attack, and you must defend against GDPR fines).
  • Assumption of the costs of possible damages arising from violations of third parties’ personal rights due to unknowingly passing on a virus or malware. In addition, cyber insurance defends you against unjustified claims for damages.
  • Some insurers even pay the ransom to the extortionists if this is the last resort. (And we do not recommend doing so!)
  • Many companies rely on the trust of their customers, and suffering from a cyberattack can cause a significant reduction in business. If insured, damaged reputation coverage compensates the insured for lost income caused by damage to their reputation following a cybersecurity event for a specified duration.   

What are the minimum requirements for cyber insurance?

A sound basis for cyber insurance is always a holistic cybersecurity concept, because cyber insurance cannot replace such a concept, only supplement it.

Especially in the SME market, the requirements are vague and, according to my research, almost always include the following: 

  • Continuous virus protection that is always up to date
  • Use of firewalls  
  • A concept with firmly defined and graduated access rights  
  • Regularly performed data backups to external systems  

Today, cyber insurance policies offer coverage beyond data breaches. They offer protection against a broad range of cyber threats. To determine your level of insurance coverage, you need to know your risk profile before picking any items from the insurer’s menu. When selecting specific insurance coverage, new requirements always come to light. As with all insurance policies, you must deal in detail with the clauses in the contract, especially the exclusion clauses.

For example, SAP systems require documentation and enforcement of segregation of duty concepts. As a manufacturer of a cybersecurity solution for SAP that covers vulnerability management, code analysis, security patch management, and real-time monitoring, we are asked by insurance companies what belongs to the holistic protection of SAP besides an authorization concept. 

What are the costs for cyber insurance for SAP?

Many factors influence the costs of cyber insurance. The common variables used by insurers are the number of employees in the company, the countries in which the company operates, and the annual turnover. However, if you want to secure specific coverage, such as for Business Email Compromise (BEC), the use of email security tools will also have a positive impact on premiums.

Conclusion

The cyber insurance segment has boomed lately. Today, it has become a topic that nearly every business leader is thinking about, and many organizations have already purchased insurance. Regarding the operators of SAP environments, I can only re-emphasize that these applications always serve a business purpose, and their failure entails dramatic consequences.  

Before taking out an insurance policy, companies must determine their risk profile and not rely naively on the advice of a broker. Established cybersecurity standards and tools are a positive factor for many insurers when calculating premiums. Some even require the use of vulnerability management and attack monitoring solutions. 

Posted by

Christoph Nagy
