What We Do
How We Do
Get Started

How to Obtain Cost-Effective Cybersecurity Insurance in 2023

BY Eldon Sprickerhoff

January 25, 2023 | 6 MINS READ

Cyber Risk

Managed Detection and Response

Cybersecurity Strategy

Want to learn more on how to achieve Cyber Resilience?


The last two years have brought significant upheaval in the cybersecurity insurance market, and the vast majority of the blame can be laid at the feet of successful ransomware attacks.

The earliest simple ransomware attacks typically involved a single machine, immediate encryption, and a relatively low ransom (e.g., $500 USD worth of BTC). This simple attack pattern has evolved to employ tactics previously used by Advanced Persistent Threat (APT) actors.

When a single machine obtains a toehold through an exploit, instead of immediately starting the encryption/lockdown process, the attacker immediately reaches out to as many systems in parallel and establishes a firmer beachhead by enlisting as many systems as possible with the same exploit.

By this means, persistent access may be maintained unless all systems are cleaned. When many systems have been exploited, the attacker quietly waits for the appropriate time to encrypt systems en masse. This is usually initiated on the first evening of a long holiday weekend – while support staff may be unable to respond with the same speed as expected during the work week.

Whereas a single exploited machine that’s quickly encrypted may be easily restored with minimal data loss so long as some backup rigor is in evidence, the effort to restore many (conceivably thousands of) systems while an external attacker maintains access and control is difficult.

Even if excellent backup systems exist, it may be difficult to confirm the integrity of the restored data as the attacker lay in hiding during the successive backup cycles. If your Domain Controllers and/or your Backup systems have been exploited, the path is even more difficult. As a result, many times the exploited enterprise ultimately chooses to pay (often after a cycle of negotiation) the ransom. These ransoms could easily sit in the seven-figure zone.

As well, the original authors of the ransomware software itself chose to open marketplaces where they could sell ransomware as a business. No longer did an attacker need to understand how to develop malicious code or find vulnerabilities within operating systems. All that is needed is access to the marketplace.

In the early days of cybersecurity insurance, insurance companies discovered that it was a very profitable product. Before the spectre of ransomware, the financial damage from cyberattacks was generally small. Indeed, there were attacks, sometimes involving the loss of personally identifiable information (PII) but actuaries could build risk models to provide policy guidance that could be successfully underwritten.

Companies in the mid-market concerned about their exposure could easily purchase millions of dollars worth of coverage for as little as fifteen to twenty thousand dollars per year. The insurance company, confident in their models, could be practically guaranteed to make a healthy profit with few payouts and it was this way for well over a decade.

When ransomware evolved from individual systems to higher-profile attacks, that model was upended. Along with the higher ransom payouts, the Advanced Persistent Threat (APT) flavor of ransomware required the enlistment of Incident Response teams, further increasing the price to restore the company to its regular state.

Secondly, insurance companies tend to build models based on geographic and vertical diversity. For example, fires do not occur everywhere simultaneously. Actuarial data can be analyzed to determine the frequency and the severity of occurrence, underlying factors that may increase or decrease probability, and the true cost of recovery.

The new version of APT-styled ransomware forced insurance companies to abandon their old models. It is not possible to hedge cybersecurity insurance based on geographic diversity; on the Internet, we are all neighbors. With the spate of new cybersecurity insurance claims, insurance companies were (as per contract) obliged to pay claims in a manner they had never needed to before. Their profit margin decreased abruptly and significantly. They were forced to review their practices and began to deny claims.

There are three main points that I generally need to point out regarding cybersecurity insurance:

In addition, insurance companies started to perform deeper investigations into the cybersecurity stance of potential policyholders. Due diligence that was previously cursory at best was now considerably more onerous. Insurance companies began to rely more heavily on sources of “external threat intelligence” that had scanned the vulnerabilities of external-facing Internet infrastructure, map it to specific companies and provide a scorecard.

Companies that had previously enjoyed relatively inexpensive cybersecurity insurance discovered that they did not qualify because they fell below a specific “score threshold” as stated by a third-party snapshot.

Some insurance companies have chosen to entirely leave the cybersecurity space.

So, in 2023, given this rather difficult situation, what is a company (i.e., the policyholder) to do? I have several specific recommendations to improve the chances that your organization will be able to obtain improved cost-effective cybersecurity insurance:

When you can document and demonstrate that you are taking reasonable and defensible steps to defend your organization, it should be considerably easier to obtain cybersecurity in this new age.

If you want to receive a more valuable and cost-effective policy, along with strengthening the technical stance of your environment, you will need to enter a deeper relationship with your insurance provider. It will be worth it and in 2023, it is necessary for your mutual benefit.

Eldon Sprickerhoff
Eldon Sprickerhoff Founder and Advisor

Eldon Sprickerhoff is the original pioneer and inventor of what is now referred to as Managed Detection and Response (MDR). In founding eSentire, he responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over 20 years of tactical experience, Eldon is acknowledged as a subject matter expert in information security analysis. Eldon holds a Bachelor of Mathematics, Computer Science degree from the University of Waterloo.

Read the Latest from eSentire