Cybercriminals have pounced on the COVID-19 crisis, as made clear by the number of ransomware attacks increasing by at least 150 percent in 2020. As a follow-on consequence, organizations have started purchasing cyber insurance policies to hedge against the financial risk of a successful cyber attack.
Between 2016 and 2020, the take-up rate for cyber insurance policies nearly doubled from only 26 percent in 2016 to 47 percent in 2020. In 2021, thanks to ransomware’s continued explosive growth, the number of businesses looking for insurance against cyber threats is likely even higher.
Ransomware is rapidly becoming the main reason organizations take out cyber insurance policies and, for that matter, put in cyber insurance claims. Almost half of all cyber insurance claims in the first half of 2020 were related to ransomware attacks, and the insurance provider AIG experienced a 150 percent increase in ransom and extortion claims between 2018 and 2020.
Because many insurance providers cover both the cost of recovery from a ransomware attack and the ransom payment itself (or at least some of it), insurance is undoubtedly an attractive idea for organizations that worry about the rising threat of ransomware. However, rather than helping organizations bounce back after a cyberattack, cyber insurance policies may actually be making them more susceptible to a ransomware attack in the first place.
For business leaders, cyber insurance can seem like a sensible hedge against some of the financial pains that come with falling victim to a ransomware attack. However, this is a dangerous mindset to have. In many cases, organizations that take out cyber insurance policies are more at risk of a ransomware attack than those that don’t.
In an interview with the cyber intelligence news site “The Record” earlier this year, a member of the REvil ransomware group said that the group specifically goes after companies with cyber insurance. Tellingly, the anonymous cybercriminal described victims with insurance as “one of the tastiest morsels.”
The ransomware operator also gave some insight into how insurance works in cybercriminals’ favor, stating that they (cybercriminals) typically “hack the insurers first—to get their customer base and work in a targeted way from there. And after you go through the list, then hit the insurer themselves.”
For insurance companies, providing funds to pay a ransom is usually far cheaper and quicker than helping a victimized organization restore its data from scratch. As a result, attacking companies that have taken out cyber insurance policies is almost always a safe bet.
Even when cybercriminals don’t know that it’s the insurers paying their ransom demands, easy capitulation from victimized organizations gives cybercriminals the confidence to ask for more. As a result, cyber insurance perpetuates a negative cycle: the more organizations (or insurance providers) pay, the more threat actors attack and the higher ransom demands get.
While the cyber insurance industry inadvertently drives the ransomware threat level higher, purchasing these policies is an increasingly elusive and expensive option for businesses. In response to more frequent cyberattacks, soaring ransom demands, and a growing appetite for cyber insurance, insurers are raising their premiums.
In one survey, more than half of insurance brokers reported premiums that went up by at least 10 percent, and in some cases by as much as 30 percent, in late 2020. Higher premiums apply to everyone, not just companies unlucky enough to be affected by ransomware. As a result, some smaller companies have had no choice but to give up cyber insurance.
In addition to rising premiums, coverage limits are also decreasing, especially for risky industry sectors like healthcare and education. Some providers now sublimit ransomware so that the insured can only claim a fixed amount for all cyberattack costs, while others are also implementing co-insurance provisions that would require policyholders to pay anywhere from 20 percent to 30 percent of a ransomware claim.
One major cyber insurance provider, French insurer AXA, recently decided to stop reimbursing ransom payments altogether. Some experts predict that it is only a matter of time before other cyber insurance providers follow suit, likely to limit the payouts they have to make.
Whenever possible, insurers may also try to get out of paying insurance claims via loopholes in their policies. For example, after the NotPetya malware infected organizations globally, some insurers argued that they did not have to pay claims due to war exclusions that were written into their policies.
Other insurers, like Allianz, are also considering separating ransomware coverage from general cyber coverage because of the risk to their overall business. Cyber insurance providers that are not taking such drastic measures are making their underwriting guidelines stricter and spending more time scrutinizing organizations’ cybersecurity controls.
Insurers have taken this avenue to ensure that their clients have taken appropriate precautions. This has already made filing a claim after a ransomware attack increasingly challenging, and it will only become even more so in the future.
For example, underwriters may refuse to cover organizations that don’t use multi-factor authentication or those without specific categories of endpoint protection products. Highlighting the increasing due diligence insurance companies require from customers, the Zurich Insurance Group gives precedence to companies with network features that stop attacks from spreading through the system when considering who to underwrite.
Cyber insurance can be valuable as a financial hedge for organizations with the ability to afford it, but the changes to the market as a result of the ransomware epidemic make clear that it should be considered only one part of a company’s overall security strategy. Ultimately, the cost of a cyber attack is rarely something that can be covered by any degree of insurance. Almost half of all organizations that experience a data breach also end up with severely damaged reputations, which is not something that any insurance policy can remedy.
Instead of relying on something that should really be little more than a backstop, organizations that want to avoid a ransomware attack should adopt a proactive approach to minimizing their attack surface. That is not achieved by taking out a cyber insurance policy, but by preventing breaches in the first place.
In addition to preparing backups, patching up vulnerabilities, and training employees on best cybersecurity practices, companies should look to invest in preventative cybersecurity tools, such as Morphisec. Leveraged with built-in Windows security features like Defender AV, Morphisec will greatly reduce your organization’s risk exposure to ransomware — at a fraction of the cost of a cyber insurance policy.
Cyber insurance is an important tool in the security tool belt because it, in theory, allows for organizations to recoup some of their financial losses incurred in the event of a successful cyberattack. What has become abundantly clear, however, is that these insurance policies should not be relied on as a compensating control to fully repair losses from a successful cyberattack. Instead, organizations need to adopt a proactive approach to security and harden critical systems against attack with a solution like Morphisec that makes breach prevention easy.