With increased cyber crime comes higher demands and stakes, meaning there is more need for cyber insurance. Not only has the ask of ransoms skyrocketed, but the average ransomware payment has also increased by over 40% and reached over £150,000.
A ransom of this size could easily push some small and medium-sized businesses to the brink of insolvency or lead to a halt of operations that they simply cannot afford. Therefore, many businesses are turning to cyber insurance for protection against cyber risk.
Cyber insurance is typically meant for businesses that depend heavily on their IT systems to be functional 24/7. Today, that covers almost all businesses, especially healthcare, critical infrastructure, municipalities, manufacturing, and transport and logistics industries. However, some companies that purchase a full-coverage plan start to let down their guard and may simply pay out a ransom because they know the insurance company will later cover it.
The original purpose of cyber insurance was to cover the extortion losses of a business in the event of a successful ransomware attack, if the business had no other option but to pay the ransom demand for business continuity or to mitigate future losses. But a growing lack of vigilance and responsibility from some insured companies is tilting the balance of the cyber insurance market, forcing insurance companies to raise the premium price and adjust the underwriting standards to lower their own risks of loss.
The average global cyber insurance premium rate has increased by 32% year-on-year. Additionally, the insurers now require third-party IT companies to conduct a field examination on the insured company’s cyber security protocols to see if they reach a set standard. The checking process used to be mainly conducted via a self-assessment sheet; now, if the company doesn’t meet the standards, the vendor the insurers hire will tell the applicant company what they need to add, and the insurer won’t sign the contract until everything is in place.
Smaller enterprises are now faced with a dilemma: on 1 side there is the risk of rapidly growing malicious attacks, on the other side is the expensive premium packages with complex prerequisites and clauses that might not necessarily cover all their losses. If this vicious cycle continues, the only beneficiary will be the criminals.
Every company owner should be aware of what they are looking for when it comes to cyber insurance. They should always read the fine print and understand the specifics of coverage, deductibles and exclusions. This safety net can be highly effective if the policy is correctly written, and the business is fully aware of its coverage and its likelihood of facing cyber risk.
Cyber insurance typically doesn’t cover 3 types of losses: potential future lost profits, loss of value due to the theft of intellectual property, and betterment (i.e., the cost to improve internal technology systems after the attack, such as IT upgrades after a cyber event). That said, losses other than the initial ransom are not likely to be covered by insurance.
Today, most ransomware attacks do not stop at the initial breach. Take the SolarWinds incident as an example. Instead of locking SolarWind’s IT systems, attackers planted malicious code into the company’s Orion technology platform, which is used by more than 30,000 customers, including the U.S. Department of Energy, Department of Homeland Security, and other national agencies. In this case, hackers didn’t even ask for a high amount of ransom, but the damage and potential vulnerabilities this attack caused is immeasurable and cannot possibly be covered by insurance.
Ransomware insurance alone is not enough. A well-written policy should also cover data breach liability, regulatory compliance, and other cyber risk-related threats. There are also firms that specialise in cyber insurance and understand the risks related to specific organisations. The simplest way for business owners to find an insurance plan that best fits their company is to start with the current business liability insurance provider and ask if they have experts who deal with cyber insurance.
Lastly, business owners should never let their guard down. Putting an employee cyber security training programme in place and implementing robust cyber security tools and processes should always be the priority, as this helps to mitigate the risks from the root. Conduct regular IT checks and system updates to ensure all patches are implemented, eliminating backdoors for attackers. Training, education and awareness are absolutely vital.
With the ever-changing cyber attack landscape, businesses should be extra cautious. While cyber insurance can be a smart move, businesses should also learn to utilise other tools to protect themselves, including a robust training regime and a fit-for-purpose policy that meets the company’s situation.
If you require advice on cyber risk or would like to know more about cyber insurance, contact Cyber Risk & Security Consultant Graeme McGowan at email@example.com, on +44 (0)843 515 8686 or via our contact form.