Changes Continue in Cyber Insurance

With ransomware attacks becoming more common and sophisticated, the demand for and cost of cyber insurance is rising. Here’s a closer look at the changing landscape and what organizations can do in response to it.

Summary

With the business of ransomware booming, companies have turned to cyber insurers to help insulate themselves from risk. But the market is shifting rapidly as cyberattacks continue to spike and change. Prevention is the best strategy for organizations. 

“An ounce of prevention is worth a pound of cure” certainly applies to physical health. But this old adage is also sound advice for avoiding the costly, disruptive damage of a ransomware attack. Prevention begins with having a robust cybersecurity plan in place and sufficient insurance to manage risk. But with attacks becoming more common and sophisticated, the demand for and cost of cyber insurance is rising—creating challenges for both enterprises and insurers.

The Threat Landscape Expands

In 2023, ransomware continued to be a primary source of global cyber threats, impacting organizations across every industry, in every region of the world. According to Statista, the percentage of organizations impacted by ransomware attacks has increased year-over-year since 2018, topping 72% in 2023.

Several factors indicate that the uptick in ransomware is likely to continue. First, attackers now have the advantage of ransomware as a service (RaaS), which has eliminated the need for hackers to write their own ransomware code. With RaaS, pay-for-use malware provides easy access to the code and infrastructure needed to launch and maintain a ransomware attack.

LockBit, a Russia-based ransomware group, is one of the most infamous distributors of RaaS software, providing it to cybercriminals in exchange for a percentage of the paid ransoms. LockBit has been responsible for headline-garnering attacks on hospitals, schools, and financial institutions, prompting the U.S. Department of Justice, the Federal Bureau of Investigation, and their international partners to target the criminal organization and add it to the OFAC sanctions list, effectively making it illegal for US entities to pay ransoms to the group or its affiliates.

There is also a growing trend in encryption-free attacks, where threat actors skip the time-consuming process of encrypting data and simply focus on stealing it. Once they have the data, they threaten to release it to the public or auction it off. Victims are often pressured to pay quickly to prevent their data from being exposed.

To add even more complexity to the mix, AI is gaining ground as a tool in ransomware attacks. Scammers are using AI-powered language models to write code and craft well-written phishing lures with voice simulation software now even being used to dupe unsuspecting victims. 

Ransoms Are Just the Start

In 2023, the average ransomware payment for a cyberattack amounted to $740,000, nearly triple what it was in 2022. Yet, the total cost of recovery after an attack is often in the millions. Downtime, people hours, legal defense, and lost reputation can have a far more costly and long-lasting impact. 

There’s also the cruel reality that businesses that have been attacked are far more likely to be targeted again. In fact, paying ransoms is an indicator to original attackers, as well as copycat ransomware operators, that you’re willing to pay. This is especially true if systems remain susceptible to attack.

Changing Requirements for Cyber Insurance

With the business of ransomware booming, it’s no wonder companies have turned to cyber insurers to help insulate themselves from risk. But the market is shifting rapidly as cyberattacks continue to spike. And unlike risk profiles for traditional lines of insurance, such as health, auto, and property, which are relatively static with large collections of actuarial data, cyber threats are continuously changing. 

In 2010, cyber insurance premiums totaled a mere $600,000. By 2021, the cyber insurance industry wrote $10 billion in premiums—and also doubled premium rates to offset losses from claims. With the threat landscape becoming increasingly active, premiums are likely to continue to rise.

Policy exclusions are also evolving. For example, in 2023, Lloyd’s of London, a key player in the cyber insurance market, added an exclusion for acts of war. Long a staple of property and vehicle insurance, this exclusion is now being added to cyber insurance policies at a time when government-sponsored cyber warfare is a growing possibility. Underwriters are also attempting to mitigate losses from cyber claims with much stricter underwriting requirements, including making certain cybersecurity controls mandatory.

Businesses should plan for higher premiums, as well as boost their own cybersecurity efforts, if they want to make it through policy underwriting. According to Databarracks’ 2023 Data Health Check, more than 40% of IT decision makers have reported stricter requirements from insurers. 

In a 451 Research Voice of the Enterprise (VotE) Cyber Insurance 2023 study, 68% of cyber insurance policyholders reported that meeting the requirements of their policies had become more difficult than it was 12 months earlier, and only 43% of respondents had cyber insurance in place at their organization.

To get a policy today, businesses typically have to provide a detailed explanation of security tools and processes. Applications are commonly rejected if fundamental controls, such as multi-factor authentication, separate backups, and endpoint detection and response, are not in place. And the list of requirements continues to grow.

A New Approach

While large-scale insurance providers remain the primary, go-to options for cyber insurance, there are new alternatives coming into play from startups, like Coalition and At-Bay, that are rethinking the way policies are underwritten and managed. 

Instead of sending prospective customers questionnaires about their current cybersecurity efforts as part of the underwriting process, these market disruptors are scanning systems as a hacker would before they issue policies. In some cases, they require specific upgrades or even decline coverage based on their findings. Once a policy is issued, they continue to scan and send alerts to control their own and their customers’ risks. With this novel approach to cyber insurance, these providers are able to offer lower premiums while helping their customers better understand and manage their risk. 

Better collaboration will also help. Security and IT operations teams can ensure rapid recovery from critical outages by working closely on systems design, implementation, and operations.

Keeping Data Safe

Of course, no company wants to be the victim of a ransomware attack, nor file an insurance claim for one. Prevention is truly the best strategy, and that means becoming educated on how hackers work and creating a plan that clearly spells out what to do before, during, and after a ransomware attack. It also means having a resilient infrastructure in place with built-in, multi-level ransomware protection to provide fast, clean recovery from attacks to minimize disruption.