Ransomware attacks and recurring breaches cause insurers to rethink risk as prices rise and policies get increasingly hard to obtain.
That cyberattacks have been on the rise is one fact we unfortunately read every year. The cost of these attacks has also been rising steadily, standing at a global average of $4.35 million, according to the Cost of a Data Breach report. This cost is an all-time high in the report’s 17 years running and highlights the end result: at the end of the day, consumers foot the bill for breach costs.
But there’s another bill that is being passed on to consumers, and that’s the insurance bill that companies pay to get coverage in case of a cyber-attack. The Cost of a Data Breach report found that 83% of respondents have suffered more than one breach, and these recurring events are causing insurers to re-evaluate their risk profiles.
With more attacks taking place, insurers have been paying out on cyber insurance and no longer make the same profits as risk continues to rise. Reports show that cyber insurers kept roughly half the share of premiums they retained just before the pandemic: 27 cents of every premium dollar in 2021, compared with 52 cents on the dollar in 2019. As a result, insurance premiums have been climbing sharply and policies are harder than ever to obtain, and that process is expected to become more challenging yet.
Cyber Insurance Market Grows and Gets Costlier Over Time
Not many companies nowadays can forgo a cyber insurance policy. Cyber-attacks are a business risk like any other, and they can be very impactful. We can see this business need translate into major growth of cyber insurance. In the US alone, cyber insurance has become the fastest growing insurance policy for most insurers, with a growth of 74% in 2021, representing over $4.8 billion. Moreover, the cyber insurance market is expected to reach a market value of $25 billion by 2026, according to an annual cyber report by The Howden Group.
This market is not only growing, but it’s also becoming more expensive to get policies. Cyber insurance pricing continued to rise significantly, up 79% in the US and 68% in the UK. Unfortunately, over 82% of global insurers expect cyber insurance premiums to continue to rise, citing the cost of ransomware attacks as a leading factor feeding into the cost of those premiums.
Pay More for Narrower Coverage
Insurance is a risk equation. The more cyber-attacks companies experience, the more they claim on cyber insurance. The more losses insurers absorb, the higher costs become, and the narrower policies get. This is happening in three significant ways:
- Exceptions to the cyber insurance policy
- Stringent conditions to be granted a policy or renew one
- Cutting off the riskiest cost factors, like ransomware. To that effect, AXA SA announced that its French subsidiaries will no longer reimburse ransomware payments for customers within the country. Similar news from Lloyd’s of London states that its insurer groups globally will exclude catastrophic state-backed hacks from stand-alone cyber insurance policies starting in 2023.
Prove Your Security Maturity to Get Insured
Another change that sets the bar higher is having to prove that cybersecurity controls are in place, and also to prove security maturity, for organizations that wish to get or renew a cyber insurance policy.
For starters, insurers are routinely asking organizations to provide details about their cyber policies and procedures to determine the risk profile of insuring them. Those who fail this test stand to pay very high premiums or be denied the policy altogether. These concepts are not foreign to anyone who ever got insurance of any other kind, but cyber insurance is fast becoming a product one must prepare for in advance, and security chiefs are realizing this process can be longer than anticipated.
It is not enough to provide answers to a questionnaire; insurers will send experts in to run a security risk assessment. Expect to see these professionals assess the attack surface your organization faces, evaluate the controls you have in place and the security architectures, and check the responses your team provided to the insurer’s questionnaire. Failing to perform essential security routines, like patching systems or mitigating risks properly, can simply void the policy at the worst possible moment.
This risk management process stands to get more developed over the next two years, as some insurers already demand to see reports from certain security orchestration, automation and response (SOAR) platforms they deem trusted. Their goal remains to gain additional insight into how secure their client might be, and how resilient they can expect them to be in case of a successful cyber-attack.
Ransomware, The War and Hostile Acts Exclusion, and OFAC Advisory
Like any other policy, the inclusions vary by insurer and the extras paid for on the policy. Most cyber insurance policies can cover data breaches, ransomware attacks, business email compromise (BEC fraud), and other attacks stemming from phishing and social engineering. Some policies can cover both the victimized organization and add coverage for third-party impact, but those may require a certain level of coverage to qualify for added policies.
Since claims keep coming in, insurers are over time becoming more specific about the context of coverage and often end up in court to have judges make the final call on whether or not they will pay out. With ransomware being a costlier attack, due to the ransom amount coming on top of other losses, and since most of these attacks are perpetrated by foreign attackers, insurers are explicitly excluding “war and hostile acts”. Defining cybercrime as an act of war has not always worked in court, but it is an important exclusion to keep in mind when preparing to deal with a ransomware attack.
Other types of cyber insurance exclusions that are rather common:
- Indirect compromise, such as incidents that started via third parties (rising in frequency and requiring third-party coverage)
- Lost or stolen portable devices (a rather common occurrence requiring a different type of insurance)
- Failures to maintain agreed-upon security practices, controls and protocols
Another related subject has been the OFAC advisory that made paying criminals in sanctioned countries a federal crime. Is it stopping companies from paying cybercriminals? IBM X-Force says organizations are still paying as cybercriminals shift tactics to hide and confuse investigators as to where they might really be operating from.
That said, OFAC considers anyone involved in paying out the ransom to be within its scope. That includes insurers. Those who plan to consider paying a ransom have to take this into account: if it is revealed at some point that the attackers operate out of a sanctioned country, the consequences of the breach can get legally complicated for all parties involved.
Both OFAC and CISA advise against paying ransoms, a piece of advice that insurers are happy to consider: “Every time a ransom is paid, it confirms the viability and financial attractiveness of the ransomware criminal business model.” (CISA)
Alas, as long as paying criminals for cyber-extortion remains an option, companies will pay out and will continue to buy insurance. It is not far-fetched to envision that more insurers will decide to stop paying out for ransom, but only time will tell.
Navigating the Cyber Insurance Waters with Risk Quantification
Obtaining a cyber insurance policy is a business endeavor that is managed through the typical channels businesses have in place for other types of insurance, but in this case, it also requires CISOs and their management to work together. Guided by risk appetite and risk assessments, executives can determine what type of coverage the organization would require and what sort of policies would best address their needs. Securing the right coverage can provide adequate protection and minimize risk in the event of a major cyber-attack.
One method that can help make this process more structured, and also aid in annual re-assessments and renewals, is risk quantification: translating cybersecurity risk into financial terms.
Quantifying risk in monetary value can help empower cyber insurance business decisions that everybody understands, including the CFO and CEO who have to approve the amount they will pay for coverage based on the “amount” of risk they are addressing.
A good example of using risk quantification within the context of calculating coverage is using the Cost of a Data Breach report. The benchmark data in the report helps companies understand the cost of cyber-attacks and then calculate the amount of coverage they would likely need, based on their sector and geography, the types of attacks they can potentially face, the cost of the data records they hold, etc. This data is added to existing risk profiles and supports the decision with data from real-world attacks.
The FAIR Institute is a great resource for all things risk quantification for those looking for more information.
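To make the idea concrete, here is an added example (not from the original article, nor FAIR Institute or IBM tooling) of the FAIR-style Monte Carlo approach described above: simulate annual breach frequency and cost, derive a loss exceedance curve, and read off a candidate policy limit at a chosen percentile. The breach rate, cost floor and ceiling are constructed assumptions; only the $4.35M most-likely cost is taken from the report figure quoted above.

```python
import random

def poisson_events(rng, rate):
    """Number of loss events in one year for a Poisson process with the given
    annual rate, sampled by summing exponential inter-arrival times."""
    elapsed, count = 0.0, 0
    while True:
        elapsed += rng.expovariate(rate)
        if elapsed > 1.0:
            return count
        count += 1

def simulate_annual_losses(rate, low, mode, high, years=20000, seed=7):
    """Monte Carlo: for each simulated year, draw how many breaches occur and a
    triangular (min / most likely / max) cost for each; return total loss per year."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        events = poisson_events(rng, rate)
        totals.append(sum(rng.triangular(low, high, mode) for _ in range(events)))
    return totals

def loss_exceedance(losses, thresholds):
    """Probability that annual loss meets or exceeds each threshold: the loss
    exceedance curve used in FAIR-style reporting."""
    n = len(losses)
    return [sum(1 for x in losses if x >= t) / n for t in thresholds]

def coverage_at_percentile(losses, pct):
    """Annual loss that pct% of simulated years stay at or below; a candidate
    policy limit when risk appetite is 'absorb only the worst (100-pct)% of years'."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(round(pct / 100 * (len(ordered) - 1))))
    return ordered[idx]

if __name__ == "__main__":
    # Constructed inputs: 0.4 breaches per year; per-breach cost triangular around
    # the report's $4.35M global average, with a constructed $0.5M floor and $15M ceiling.
    losses = simulate_annual_losses(rate=0.4, low=0.5e6, mode=4.35e6, high=15e6)
    eal = sum(losses) / len(losses)
    print(f"Expected annual loss: ${eal:,.0f}")
    thresholds = [1e6, 5e6, 10e6, 20e6]
    for t, p in zip(thresholds, loss_exceedance(losses, thresholds)):
        print(f"P(annual loss >= ${t / 1e6:.0f}M) = {p:.3f}")
    print(f"Limit covering 95% of years: ${coverage_at_percentile(losses, 95):,.0f}")
```

The expected annual loss is what a CFO compares against the premium, while the percentile limit and exceedance curve show how much tail risk a given policy limit actually leaves on the balance sheet.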
Insurance is Good, Improving Security is Better
Obtaining cyber insurance is a form of risk transference: handing the risk to a willing third party. Companies do this in many instances, but when it comes to cybersecurity, it is actually better to count on a good security posture than to reach the point of using insurance. With insurers placing a strong emphasis on security and asking for proof of risk mitigation efforts, the conclusion should always come back to maturing the security program. And that mature security posture is also what will get companies the best coverage from insurers at better costs.
One great way to become more secure is to start a Zero Trust journey. Security experts and organizations unanimously advise it, and insurers favor it as well. To learn more about Zero Trust, you can visit CISA’s website or look at their Zero Trust Maturity Model.
IBM Security offers Zero Trust solutions for organizations who need expert guidance and technology for implementing Zero Trust principles both on-prem and in the Cloud.
The post Cyber insurance costs soar amid ransomware attacks appeared first on Security Intelligence.