The explosion of ransomware and similar cyber incidents along with rising associated costs is convincing a growing number of insurance companies to raise the premiums on their cyber insurance policies or reduce coverage, moves that could further squeeze organizations under siege from hackers.
A report this month from the Government Accountability Office (GAO) found that the number of companies seeking cyber insurance coverage has steadily risen since 2016 and that insurers are increasing the prices of their policies and lowering their coverage limits as the number of cyberattacks rises.
In addition, the U.S. congressional office said insurers “increasingly have offered policies specific to cyber risk, rather than including that risk in packages with other coverage. This shift reflects a desire for more clarity on what is covered and for higher cyber-specific coverage limits.”
Ransomware policies were under pressure even before this month’s dramatic Colonial Pipeline attack, which is likely to make matters worse.
COVID-19 Accelerates Attacks
A report by Verizon Business found the COVID-19 pandemic and the related shift to remote work accelerated the rate of attacks over the past year, with the number of phishing attacks increasing 11 percent and the number of ransomware incidents growing 6 percent.
“As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures,” Verizon Business CEO Tami Erwin said in a statement.
Given the rise in cyberattacks, the percentage of insurance clients opting for cyber coverage has increased from 26 percent in 2016 to 47 percent last year. Cyber insurance premiums have jumped about 12 percent between the beginning of 2018 and the end of 2020. According to a report by credit-rating organization Fitch Ratings, cyber insurance premiums in the United States rose 22 percent year-over-year in 2020, to almost $3 billion.
Insurers Assessing Risks
Insurance companies face a number of challenges, such as limited historical data on losses, which makes it more difficult for them to estimate the potential losses caused by cyberattacks and, in turn, to price policies appropriately. There is also a lack of standard definitions for terms such as “cyberterrorism,” which can make it harder to understand what is covered. Federal and state governments as well as industry players can help in both regards, according to the GAO report.
“The fundamental problem is that there is no consistent or accurate methodology to assess the security posture of an organization,” Snehal Antani, co-founder and CEO of Horizon3.AI, told eSecurity Planet. “How long does it take them to detect a threat? How long does it take them to remediate critical findings? How secure is their architecture? Underwriters need to stop relying on stale insurance application forms. What they need is a way to take an active snapshot of an organization’s cybersecurity posture, as well as how that posture has improved or degraded over time. That allows underwriters to understand the risk of that organization.”
Being able to continuously assess a constantly evolving set of critical attack vectors would allow organizations to demonstrate risk management and insurance companies to reward such diligence with lower premiums, Antani said.
In the meantime, businesses continue to come under costly attacks. The Verizon Business report found that the median financial impact of a data breach is $21,659, with 95 percent of incidents falling between $826 and $653,587. In recent months, high-profile incidents have included the far-reaching supply-chain hack of IT management software maker SolarWinds (which a report by cyber risk vendor BitSight and cyber risk modeler Kovrr found could cost insurers as much as $90 million). More recently, after the ransomware attack on Colonial Pipeline, the company paid a ransom of about $4.4 million (in about 75 Bitcoin).
One Insurer Stops Covering Ransom Payments
The paying of ransoms is another issue for cyber insurers. Governments in countries such as the United States and France discourage companies from paying a ransom, worried that doing so puts a lot of money into the pockets of bad actors and encourages more ransomware attacks. Despite that, some organizations bet that paying the ransom is the fastest way to regain access to their data and resume normal business. Earlier this month, global insurer AXA reportedly said it would stop reimbursing companies in France for extortion payments in ransomware attacks.
“This is really challenging,” said Andrew Barratt, managing principal of solutions and investigations at cybersecurity firm Coalfire. “There is a major difference between not covering ransomware events and not covering the cost of ransom. Ransomware events – if the ransom isn’t paid – can often be quite costly to recover from, but on the flip side the paying of any kind of ransom can have some serious legal considerations to make sure it’s not falling foul of antiterrorism or money laundering laws. Ultimately, the underwriters will make the decisions based on the legal limitations placed on them.”
Barratt said that ransoms often seem to be commensurate with a company’s ability to pay and that threat actors do their homework before picking the amount of ransom they demand.
Insurers Demand More From Insured
Organizations should expect insurers to continue to protect themselves against the skyrocketing incidence and costs of cyberattacks, with more demands being placed on those being insured, according to Sean Cordero, security advisor at security firm Netenrich.
“In the year ahead, more cyber insurance providers will seek to minimize their exposure from high-risk policies they’ve written or are considering underwriting, making it more difficult to secure or renew policies,” Cordero told eSecurity Planet. “For the first time, some insurers will request new evidence and validation from their policyholders to prove the policyholders’ controls’ adequacy. This validation is complex and many insurers still rely on client self-attestation as the primary input to risk and policy determination. These insurers will hopefully transition to more data-driven models specific to the cybersecurity industry.”
This may include third-party audits for larger companies before the underwriting is completed, he said. Cordero also noted the “rise of specialized cyber insurers and servicers that leverage technologies and approaches such as attack surface intelligence, data science and cyber-specific actuarial models, which rewards policyholders through reduced premiums and may lead to broader coverage when the insured can prove their controls and readiness.”
Coalfire’s Barratt said he expects to see “some of the insurance carriers put exclusions in place or insist that their coverage will only be valid if you have a ransomware response strategy, which I think is probably a positive outcome. In the same way cars have immobilizers now as a function of the insurance industry’s desire to keep hotwiring incidents to a minimum, we’ll probably see insurance carriers say they will only provide coverage if a robust ransomware response strategy has been implemented.”
Further reading: How Zero Trust Security Can Protect Against Ransomware
Companies Must Evolve
Companies will have to adapt their behavior by taking a threat-focused risk-management approach, he said, adding that they don’t want to be focused only on such high-profile threats as ransomware.
“The challenge we face then is that if excess focus is placed on defending against one very specific threat in order to meet an external expectation, it’s not unusual to leave blind spots to others,” Barratt said. “As always, cyber defenses need to be continually evolving to the adversarial nature of the threat. It’s not a random occurrence, it’s an invisible enemy looking to profit from your weakness. Our defenses need to evolve the same way.”