Cybersecurity insurance is no longer a luxury. As attacks have accelerated and become more costly, the idea of hedging against a breach has gone mainstream. The global cyber-insurance market now stands at $7.8 billion and is projected to reach $20.4 billion by 2025, according to an October 2020 report from ResearchAndMarkets.
Indeed, companies are incorporating cybersecurity insurance into their overall business strategies, says Alexander Chaveriat, chief innovation officer at Tuik Security Group. But – and should we really be surprised? – cybercriminals have also recognized that where there's insurance, there's opportunity.
"Many gangs do reconnaissance before they pull the trigger on a ransomware attack," Chaveriat explains. "They'll see that the business has $2 million in cyber-insurance, and so they make this their ransom."
At the center of all of this is a harsh reality: Many organizations are opting to pay the ransom. Their desire to get systems up and running fast, rather than absorb the time and expense of restoring data from backups (even when those backups exist), is driving the decision. But this approach is also driving up the price of policies and contributing to more aggressive tactics. A 2019 ProPublica report notes that insurance companies are contributing to the rise in ransomware attacks by paying ransoms as large as six or seven figures.
Money for Nothing
The uptick in ransomware over the past few years is staggering. Cybersecurity firm Sophos reports that 51% of organizations have been hit by ransomware attacks within the past year, and the total cost to remediate an attack has risen to $761,106 per incident. There has even been a death associated with ransomware.
Just over 40% of cyber-insurance claims now involve ransomware, according to the 2020 "Cyber Insurance Claims Report" from insurance provider Coalition. The firm also reports a 260% increase in the frequency of ransomware among its policyholders. Cyber losses for a typical claim range from $1,000 to $2 million, it notes.
"We see many organizations either considering cyber-insurance for the first time or taking a closer look at their current cyber-insurance programs as an effective way to provide some balance sheet protection," says Robert Barberi, director of FINEX cybersecurity and professional risk at global risk management consultancy Willis Towers Watson.
In fact, ransomware is increasingly mentioned in US Securities and Exchange Commission (SEC) filings as a key risk factor. Yet large enterprises aren't the only ones feeling the pain.
"Cyber-insurance plays a big role for organizations that may not have the financial strength to survive a ransomware attack on their own," Barberi explains.
All of this has led to an uneasy reality: Cybergangs, whether by rummaging through a compromised network or by mining public sources, can estimate the ransom a company can afford to pay (or is insured for) and size their demand accordingly. Making matters worse, crooks increasingly exfiltrate sensitive data (legal information, HR records, intellectual property, for example) and threaten to publish it if the company doesn't comply with their demands.
There's bad news and good news. Cybergangs are adopting more menacing and potentially destructive tactics, including data-theft extortion, and Willis Towers Watson reports that claim frequency rose by about 18% in 2020. Yet an effective backup strategy can reduce ransomware costs by upward of 70%, Barberi says.
Nevertheless, the cost of a typical policy renewal is up by 10% to 20% as the industry updates actuarial tables to reflect increased risk and payouts, including an uptick in attacks that has occurred during the pandemic, according to Willis Towers Watson.
"In addition to the continued spike in ransomware attacks, increased incident response costs are driving higher losses for companies in highly regulated industries that experience data breaches, because they are requiring more resources to navigate a more complex regulatory landscape," Barberi notes.
Unfortunately, there's no end in sight.
"With so many high-profile recent events, the expectation is that the marketplace for cyber-insurance will continue to harden, especially for companies that don't implement certain compensating controls," Barberi adds.
In fact, ransomware recovery firm Coveware indicates that the average ransomware payment in Q3 reached $233,817, reflecting an increase of 31% quarter over quarter.
Finding an effective solution is difficult. Barberi says that an outright ban on payments, an idea the US Treasury Department has promoted, would be difficult to implement and would introduce unanticipated consequences.
For example, "An outright ban could keep hospitals shut down for weeks or months, which would have a disastrous impact on patient care," he points out.
Amid all the chaos, the insurance industry is pushing for more stringent cybersecurity measures. Insurers increasingly expect policyholders to have controls such as multifactor authentication, verification procedures for wire transfers, defined time frames for installing critical patches, endpoint application isolation, and an effective backup strategy in place; for backups, "effective" means copies that an intruder already inside the network cannot reach and encrypt along with everything else. Some insurers also require cybersecurity training for employees.
"Policies are becoming much more defined and stringent," Chaveriat observes.
Adds Barberi: "Companies that haven't yet implemented these controls, or those who have suffered recent losses, may experience premium increases well in excess of the average increases we're currently observing."
In the end, perhaps only one thing is certain: Insurance will continue to play a key role in protecting companies.
"With bad actors getting more sophisticated and with easier access to malware, ransomware attacks will likely continue to increase in frequency and severity, which, in turn, will continue to increase the demand for comprehensive cyber-insurance solutions," Barberi says.