Organizations lack sufficient levels of cyber-insurance coverage to protect themselves in case of a ransomware attack, with just 14% of businesses with 1,400 or fewer employees boasting coverage limits above $600,000.
These were among the findings of a BlackBerry and Corvus Insurance survey of 450 business decision-makers for IT and security solutions, which also revealed more than a third (37%) of respondents currently lack coverage for any ransomware payment demands.
Nearly six in 10 (59%) of respondents said they hoped the government would cover damages when future attacks are linked to other nation-states, and fully half of small to medium-size business (SMB) respondents said they hoped Uncle Sam would increase financial aid in all ransomware incidents.
Gary Davis, senior director of cybersecurity at BlackBerry, says these statistics were the most surprising — and concerning — findings from the survey.
"I think that would establish a dangerous precedent and only encourage more nefarious attacks," he says.
Davis explains he believes the best option for SMBs is to hire a cybersecurity managed service provider (MSP) to deliver the essential capabilities required by insurance providers in the most affordable and comprehensive way possible.
"Demonstrating compliance will go a long way toward an effective negotiation with the insurance providers," he says. "Also, I would encourage SMBs to share their security posture insights with their insurance provider."
The good news is, most organizations are happy to share this type of information.
"To me, that’s very much akin to how many car insurers operate today when they offer better rates for those willing to have a device in their car that reports their driving behavior to the insurance company," Davis says. "Hopefully, sharing these details will have a similar impact on what insurance providers charge for cyber insurance."
Cyber Insurance Lacking Critical Coverage
The survey also revealed that the increased software requirements demanded by insurance brokers is making cyber insurance harder to get — more than a third of respondents said they had been denied coverage due to unfulfilled endpoint detection and response (EDR) software requirements.
Overall, the findings indicated that even when organizations do have cyber insurance, the coverage lacks critical elements, with 43% of survey respondents not covered for auxiliary costs, including court fees or employee downtime.
Davis points out he has not seen any evidence that the bad actors are slowing down, which suggests that organizations of every size and type should increasingly rely on cyber insurance as another means of helping to combat the problem.
"Ideally, we will also see stronger ties between cybersecurity vendors and insurance providers to collaborate on ways we can help companies minimize their risk of being successfully attacked," he says.
As Cyber-Insurance Market Evolves, Complications Arise
The BlackBerry report follows a June study by Proofpoint, which found less than half of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed.
The increasing volume of ransomware and other cyberthreats is jacking up the price of cyber insurance, while insurers are simultaneously starting to demand more direct access to organizational metrics and measures.
They argue this access will allow them to make more accurate risk assessments – however, some businesses may be loath to reveal such closely held information, in part because it may wind up preventing them from receiving coverage.
At the same time, some insurers are pulling out of the market, including global insurance giant AXA, which said in May that it would stop reimbursing French companies for ransomware payments to cybercriminals.
Amid a dynamic environment where insurers have started to charge more for policies and begun setting higher requirements, debates over standards, baseline security controls, and new exclusions and limitations on coverage types continue to wreak havoc on this burgeoning market.