Cybercriminals have become the modern mafia and ransomware attacks are the new shake-downs.
Not only have ransom demands skyrocketed, but the average ransomware payment has also increased by 43% and reached $220,000 (from $154,108 in Q4 2020). A ransom of this size could easily push some small and medium-sized businesses to the brink of bankruptcy or lead to a halt of operations that they simply cannot afford. Therefore, a lot of businesses are turning to cyber insurance for help.
Cyber insurance is typically meant for businesses that depend heavily on their IT systems to be functional 24/7. Today that covers almost all businesses, especially healthcare, critical infrastructure, municipalities, manufacturing, and distribution industries. However, some companies that purchase a full-coverage plan start to let down their guard and may simply pay out a ransom because they know the insurance company will later cover it.
The original purpose of cyber insurance is to cover the extortion losses of a business if a successful ransomware attack happens, and the business has no other options but to pay the ransom demand for business continuity or to mitigate future losses. But this growing lack of vigilance and responsibility from some insured companies is tilting the balance of the cyber insurance market, forcing the insurance companies to raise the premium price and adjust the underwriting standards to lower their own risks of loss.
According to a report published by the Howden Group in June 2021, the average global cyber insurance premium rate has increased by 32% year on year. Additionally, the insurers now require third-party IT companies to conduct a field examination on the companies’ cybersecurity protocols to see if they reach the standard. Before, the checking process was mainly conducted via a self-assessment sheet; now, if the company doesn’t meet the standards, the vendor the insurers hire will tell the applicant companies what they need to add, and the insurer won’t sign the contract until everything is in place.
Smaller enterprises are now faced with a dilemma: on one side there is the risk of rapidly growing malicious attacks; on the other side are expensive premium packages with complex prerequisites and clauses that might not necessarily cover all the losses. If this vicious cycle continues, the only beneficiary will be the criminals.
Maintaining a healthy ecosystem for the cyber insurance market should be a responsibility that falls on both the insurers and the insured businesses. To proactively change this downward trajectory, businesses should take the first step.
What companies should know
Every company owner should be aware of what they are looking for when it comes to cyber insurance. They should always read the fine print and understand the specifics of coverage, deductibles, and exclusions. This safety net can be highly effective if the policy is correctly written and the business is fully aware of its coverage.
According to Dan Burke, the Vice President at Woodruff Sawyer (a national insurance provider), cyber insurance typically doesn’t cover three types of losses: potential future lost profits, loss of value due to the theft of intellectual property, and betterment (i.e., the cost to improve internal technology systems after the attack, such as IT upgrades after a cyber event). In other words, losses other than the initial ransom are not likely to be covered by insurance.
Today, most ransomware attacks do not stop at the initial breach. Take the SolarWinds incident as an example: instead of locking SolarWinds’ IT systems, attackers planted malicious code into the company’s Orion technology platform, which is used by more than thirty thousand customers, including the U.S. Department of Energy, Department of Homeland Security, and other national agencies. In this case, hackers didn’t even ask for a high amount of ransom, but the damage and potential vulnerabilities this attack caused are immeasurable and cannot possibly be covered.
Ransomware insurance alone is not enough. A well-written policy should also cover data breach liability, regulatory compliance, and other cyber risk-related threats. There are also firms that specialize in cyber insurance and understand the risks related to specific businesses or organizations. The simplest way for business owners to find an insurance plan that best fits their company is to start with their current business liability insurance provider and ask if they have specialists who deal with cyber insurance.
Lastly, business owners should never let their guard down – even when there is a “parachute”. Putting an employee cybersecurity training program in place and implementing robust cybersecurity tools should always be the priority because this helps to mitigate the risks at the root. Conduct regular IT checks and system updates to ensure all the patches are implemented, eliminating backdoors for attackers.
With the ever-changing cyberattack landscape, businesses should be extra cautious. While cyber insurance can be a smart move, businesses should also learn to utilize other tools to protect themselves.
Owners should always choose the insurance plan that best fits the company’s situation, read the fine print, do their due diligence on cybersecurity updates, and maintain a healthy and positive ecosystem between the insurers and the insured companies. The insurance companies should also keep the balance and ensure there are feasible plans for companies of all sizes. It requires a joint effort from both business owners and insurance companies to defend against the growing cyber threats.