Recent ransomware attacks have dominated the headlines this year. Predictions estimate that the financial impact caused by ransomware could reach $265 billion globally by 2031. That means cyberattacks targeting enterprises and individuals are happening at a rate of about one attack every few seconds.
The average ransom payment made by a business to restore data after a cyberattack was $220,000 in the first quarter, up 43% from the last quarter of 2020. Cyberinsurance is designed to protect organizations against the financial fallout of cyberattacks. It can play a role both in what a company does when it experiences an attack and in preventing attacks from occurring in the first place. The threat of increased cyberinsurance premiums and stricter security controls also plays a strong role in motivating companies to shore up their security systems.
Cyberinsurance is as Essential as Health Insurance
Cyberinsurance for businesses is becoming as necessary as health insurance for individuals. Some businesses, especially smaller ones, are reluctant to commit to the expense of the insurance itself in addition to the expense of improving their security protocols. However, the rampant increase in cyberattacks has illustrated it’s no longer a matter of if a company will be attacked, but when—and that means companies ultimately can’t afford to not have cyberinsurance.
When an attack inevitably happens, a company will be faced with the decision of whether to pay a ransom to decrypt its files. If the company is uninsured, it often finds that it cannot afford the ransom, and even when it can, the cost is astronomically high.
It’s no longer safe for companies to forgo insurance—even if a company has a strong disaster recovery plan and can recover most of its systems without paying the ransom. The benefits of cyberinsurance go beyond recouping the cost of a ransom payment: it can also, for example, improve the likelihood that data is recovered and help protect the company’s reputation.
The Cyberinsurance Landscape
Cyber insurers analyze data to assess how risky an organization is to insure. However, this assessment and cybersecurity risk modeling have become more complicated since the pandemic, including the move to remote work and the accompanying rise of remote systems. Furthermore, cloud migrations and new technology adoption have offered hackers a variety of new opportunities, upending insurance risk prediction models.
Insurers realize that organizations that do not use security controls such as multifactor authentication (MFA) and identity-bound biometrics (IBB) are at a substantially increased risk of attacks. In an effort to reduce cybersecurity risk, insurers are requiring customers to implement specific security controls, such as MFA, and, in some cases, are increasing premiums for those who don’t implement those controls. MFA requires end users to provide two or more verification factors, adding a layer of security on top of a single factor such as a password. It typically combines something the user knows, such as a personal identification number or user-chosen password, with outside verification such as a phone or hardware token.
Insurers are implementing stricter qualification requirements because the cybersecurity dynamic has changed. This is similar to a health insurance provider changing its list of requirements, such as lists of pre-existing conditions, and how stringent it is in what it covers because the health dynamic of its insured population has changed.
What to Keep in Mind
For companies that already have insurance, check your policy and be prepared for renewal and changes:
Organizations should check their policies and pay special attention to what happens in the event of a ransomware attack. They should also look at what conditions and what changes to the policy the insurer might try to make upon policy renewal.
Companies that had insurance prior to the pandemic or that secured coverage during the pandemic should plan for their renewal and make sure they are complying with the suggested security protocols. Companies may get a warning to update security protocols by the following year.
Unfortunately, updates to security systems are not changes that companies can make overnight. Organizations must have a project plan in place to establish these security controls. Insurers will not give companies the roadmap to implement these security protocols, so organizations must be prepared to do so on their own.
For organizations that are buying insurance for the first time:
Companies should carefully review the details of potential policies and make sure the terms and requirements meet their needs. Pay special attention to the recovery response requirements and data backup requirements, as well as the requirements for receiving payment on claims when a breach occurs.
Collecting after a breach can be challenging and organizations often have to prove the impact of a breach or prove that it meets the requirements around expected security controls. This is similar to health insurance where patients prove that they meet the qualifications for treatment and if they can’t provide proof, they have to pay out of pocket. When insurers tighten security requirements, they often also tighten claim requirements. Insurers demand proof that the incident does indeed fall under their cyberinsurance policy and that it’s something that’s actually covered.
Risk Assessment is Vital
Risk assessment is a standard foundation any organization should have before it implements security controls and buys insurance. A risk assessment will reveal where an organization is the most vulnerable and thus carries the most risk. Organizations should conduct a full data and asset inventory to assess their level of preparedness and where the greatest risk lies.
Third-party risk assessment is another crucial area to pay attention to as third-party breaches are on the rise. Consider the story of SolarWinds, which demonstrated how an attack on one company’s systems affected others.
Cybercriminals were able to gain a backdoor into downstream companies by compromising software code prior to its distribution to SolarWinds’ customers and partners. CISA explained that while the actual number of customers that were hacked through Sunburst was fewer than 100, companies need to realize that they’re inheriting the cybersecurity risk of the vendors they work with.
Organizations should also remember to conduct a full third-party risk assessment on their prospective insurers, taking a close look at their level of risk. Cyber insurers can themselves be targets of attacks, and if an insurer gets hacked and the attackers learn a company’s insurance plan details, that can not only mark the company as a target but also indicate to the attacker how much ransom to demand.
Cyberinsurance is Only One Piece of the Puzzle
Once organizations understand where their risks lie, they can implement effective security measures, such as MFA, to reduce the risk of attacks occurring. Companies shouldn’t wait until insurers require them to implement these protocols and should proactively implement them to reduce their chances of being attacked.
Attacks are inevitable and if organizations do not assess their risk, buy cyberinsurance and implement stronger security measures, they will be in serious trouble when they are attacked. Companies should be proactive in addressing their cybersecurity risk, doing due diligence in checking cyberinsurance policies and requirements and updating their security protocols before they are required to. Well-prepared organizations take action both to prevent attacks and to mitigate the damage when attacks inevitably occur.