Ransomware attacks, and the sophisticated threat actors and groups behind them, have evolved considerably over the past few years, from opportunistic and transactional attacks, to the threat landscape we see today, dominated by debilitating, targeted ransomware campaigns.
In response, many organizations obtain cyber insurance coverage from their insurance providers to offset the rising costs of a damaging ransomware attack, including ransom and extortion payments, system recovery costs, investigation costs, customer notifications and credit protection, public communications services, and other legal costs.
According to a report published by Howden, an insurance provider, the gross written premiums for the global cyber insurance market could reach $20 billion USD by 2025, up from under $5 billion USD in 2016.
However, the cyber insurance market is still relatively new, so many providers have limited understanding of how much risk exposure organizations have to cyber attacks. Lacking well understood actuarial data and resulting risk quotients for cyber risks and the ever changing costs resulting from cyberattacks, underwriters struggle to understand the financial risk associated with a specific policy, and policy fees, coverage and requirements vary greatly.
Heavier restrictions may be on the horizon
Most affirmative cyber insurance policies (i.e. standalone policies strictly underwritten for cyber risk) provide protection to organizations against six types of security incidents: data breaches, network security liability, cyber extortion, technology disruption, cyber theft & fraud, and communication & media liability.
To reduce their own risk exposure, cyber insurers have not only begun to offer more restrictive policy terms and coverage limits, but also increased premiums for midsize and large companies by upwards of 20%.
Many reports claim that the sharp demand for cyber insurance has further emboldened cyber criminals to launch more cyber attacks. Since insured organizations can receive a payout to recover their costs, they may be more likely to give in to the adversaries’ demands. There may be some merit to this belief; Joseph Blount, CEO of Colonial Pipeline, publicly stated that the company had filed a claim with their cyber insurance provider for the $4.4 million ransom it paid.
Cyber criminals are also taking note of the global demand for cyber insurance. It's likely that many threat actors are targeting organizations with good cyber insurance coverage. DarkSide, the group responsible for the Colonial Pipeline attack, allegedly does reconnaissance on cyber insurance coverage when hunting for potential targets.
In response, cyber insurance providers have begun to implement heavier restrictions in how companies can use their payouts. AXA, a major insurance carrier in Europe, will no longer cover ransom payments as part of any cyber insurance policies underwritten in France. It’s interesting to note, that within weeks of this public statement, one of their subsidiaries was shut down in a ransomware attack attributed to Avaddon, a well-known ransomware group.
Cyber risk management is key for favorable cyber insurance pricing
In addition to restrictive coverage and rising premiums, many cyber insurance underwriters are expecting organizations to provide detailed plans of how they are managing cyber risk.
The lack of strong cyber risk management protocols can send a signal to providers that the organization is not only over-exposed to a cyber attack, but is also unwilling to take the required precautions to prevent one from occurring, making it a ripe target for cyber criminals in the future.
Therefore, organizations need to prove the specific measures they're taking to prevent cyber attacks, such as enabling multi-factor authentication (MFA), roles-based access rules, etc.
Some cyber insurance providers are actively taking steps to ensure that their policyholders are aware of where they stand with regards to cyber risk. In May 2021, Liberty Mutual Insurance announced a strategic partnership with SecurityScorecard to help policyholders receive a rating score with a detailed analysis of their cyber risk management practices.
What does this mean for your business?
We have already seen the crippling effects of ransomware attacks on industry giants, such as Colonial Pipeline, SolarWinds, and more. The fact of the matter is that even if businesses are able to recover their data and restore faith in their business operations, the effects of ransomware can linger for years to come.
The best way your organization can combat a ransomware attack is by focusing on threat prevention and detection first. To effectively manage cyber risk, we recommend that businesses should:
Conduct social engineering tests and place an emphasis on security awareness training
Implement network segmentation to limit the spread of ransomware
Proactively identify your blind spots & gaps in distributed systems and design a detailed roadmap to eliminate them
Work with an external security firm to conduct a combination of a penetration test and Red Team exercises to test the defensive capabilities of your in-house security team
The message from cyber insurance providers to organizations is clear: your ability to manage cyber risk will play a significant role in the premium you pay and the coverage you receive. Those that are well-prepared for ransomware attacks will likely be in a more favorable position to receive better coverage and premiums than those who adopt a laissez-faire approach.
So, as a cybersecurity leader, ask yourself: what kind of an organization do you want yours to be?
To learn more about how Managed Detection & Response can help your organization detect and contain threats before they become business-disrupting events, book a meeting with an eSentire security specialist.
