09/13/2021 | News release | Distributed by Public on 09/13/2021 12:53
Key Points:
The current ransomware crime wave is rattling the cyber insurance market, and that's bad news for organizations that are buying or renewing policies. Rates are up, availability is tight and terms and conditions are tighter. If there is a silver lining, it's that insurers could be raising the standards of practice in cybersecurity as they have done in areas as diverse as fire safety and payment cards.
Shifting Cyber Insurance Market
Several trends are impacting whether and how organizations can insure their data and business operations amid mounting ransomware risks. Among them:
What Does Ransomware Insurance Cover?
Ransomware coverage varies but may include immediate costs for forensics, negotiations, ransom, business interruption, recovery efforts, related regulatory compliance and remediation. The list of what is not typically covered may include damages to intellectual property, reputation and business potential.
Even if covered, there may be caps on how much an insurer will pay for ransom. In addition, much like a healthcare insurance deductible, policyholders often agree in advance to pay a share of ransom in return for lower rates.
Insurance companies are also asking for more detailed information about their clients' security controls and procedures, audits, penetration testing, backups, business continuity plans, third-party risk management and more. The better these are, the lower your rates could be and the greater the chance of collecting on your claim. Insurers also follow threat intelligence feeds and perform their own scans of vulnerabilities on the internet.
Regulatory Risk Further Impacts Cyber Insurance
One big insurer announced in May that it was dropping ransomware payment coverage for new policyholders in France, due in part to the debate there over the legality of ransomware payments.[7] Legislators in at least three U.S. states have also proposed banning ransomware payments. But many political and industry leaders have weighed in against such a measure, saying it poses an existential threat to ransomware victims.
Six in 10 organizations say they'd pay ransom.[8] From the perspective of victims and insurers, paying ransom can cost less than the costs of business interruption and other damages. But security and enforcement agencies point out that the money often goes to fund future ransomware attacks.
Additionally, government agencies such as the U.S. Treasury Department's Office of Foreign Assets Control have warned that paying ransom could violate its rules if the money goes to sanctioned individuals. One analysis calculated that 15% of last year's ransomware payments carried sanctions risk.[9]
In recent months, major ransomware attacks have also prompted calls to make it mandatory to report incidents to authorities. And the U.S. Department of Homeland Security (DHS) issued two directives requiring owners and operators of critical infrastructure to implement specific measures to mitigate ransomware attacks.
Some see these developments as a sign that minimum security standards could proliferate. 'Unfortunately, with organizations often reluctant to invest in cybersecurity unless necessary by law, regulation must be considered as likely inevitable,' said Carl Wearn, Head of Risk & Resilience, E-Crime & Cyber Investigation at Mimecast.
The uncertainty created by these discussions increases insurers' regulatory risks, which were already multiplying before ransomware flared up. The rise of privacy regulations in recent years is one example that also applies to ransomware, since so much personal information is encrypted and/or stolen in a ransomware attack. Organizations that don't do enough to protect that data are subject to penalties under rules such as California's Consumer Privacy Act.
Insurers Bolster Security Management
Insurance companies have been expanding their services to cyber policyholders to decrease their own exposure to risk by helping clients improve their security defenses. Free or discounted cyber risk prevention and mitigation services might include:
Recently, seven cyber insurance companies formed a joint venture to compile and analyze threats and best practices, work with authorities on ransomware and improve cyber risk mitigation across the market.[10] 'The cyber insurance market is coalescing around certain baseline controls as a prerequisite to insurability,' according to the Ransomware Task Force.
The industry's history of such demands and incentives has proved successful in setting the bar for fire safety and other risks. 'In each instance, the insurance sector has identified and supported risk management practices and technologies that have bent the curve and ameliorated a significant risk, to the mutual benefit of the insured and the insurer,' the Task Force wrote.
The Bottom Line
Ransomware is making cyber insurance harder to get and driving up rates, with no clear end in sight. But insurers are also responding with strategies to help clients fight off attackers.
[1] 'Insurers Must Totally Reassess Approach to 'Grim' Cyber Insurance Market,' Insurance Journal
[2] 'Coalition Releases Cyber Insurance Claims Report Detailing Increased Ransomware Demands in 2021,' Coalition
[3] 'Cyber Security Breaches Survey 2021,' UK Department for Digital, Culture, Media & Sport
[4] 'RTF Report: Combatting Ransomware,' Institute for Security + Technology
[5] 'Global Cyber Reinsurance Rates Soar by as Much as 40% During July Renewals,' Insurance Journal
[6] '2021 Cyber Insurance Market Conditions Report,' Gallagher
[7] 'France's Largest Insurer Will No Longer Cover Ransomware Payments,' CPO Magazine
[8] 'Ransomware: Too Many Firms Are Still Willing to Pay Up If Attacked,' ZDNet
[9] '15% of All Ransomware Payments Made in 2020 Carried a Risk of Sanctions Violations,' Chainalysis
[10] 'Consortium of Leading Cyber Insurers Announce the Launch of CyberAcuView,' CyberAcuView