The evolving landscape that is cybersecurity insurance


A decade ago, the thought of needing cybersecurity insurance may have been at the bottom of the pile of priorities for business leaders. Yet today, it has risen to become a necessity in how organizations respond to costly cyberattacks like ransomware, which is the main threat. In fact, not a day goes by that we don't see a ransomware attack make the headlines; just recently, the world's largest meat supplier was impacted and forced to pay $11 million.

While businesses that are ransomware victims are always discouraged from actually paying the ransom, many still do. Not too long ago, the average ransom paid was below $20,000, but today we are witnessing multi-million-pound pay-outs. This is taking a toll on the insurance providers, who have quickly learned how expensive paying out on ransomware attacks can be.

Of course, the world was a simpler place a decade ago, when insurers offered organizations protection against cyber threats and claims were rarely made. Alarmingly, few questions were asked as to how secure that company was in the first place.

Historically and more broadly, insurance in any industry has always been highly correlated with increased pay-outs and prices in whatever market insurance has entered. There are similarities in how cybersecurity is viewed. Cybersecurity is about risk management and if those risks are well managed, then there is supposedly less need to worry. Yet, if an organization suffers a ransomware attack but is covered, with guarantees of being paid out, then naturally, prices rise. 

Knowing this fact, ransomware hackers who already felt little to no remorse when attacking a company feel even freer to do so, as there was always a guarantee that the victim was getting its money back from the insurer. Some ransomware gangs view insurance-covered organizations as a "victimless crime". However, with the propagation of ransomware in the past 18 months and a seemingly endless list of victims seeking payouts, changes are being seen in the cybersecurity industry, especially in insurance.

Hardened stance

Many insurance companies are trying to step away from cybersecurity altogether, or are adding clauses to their contracts under which the insurer refuses to pay out if a ransomware attack occurs. All insurers are now charging higher premiums and insuring for less. The typical cybersecurity coverage for ransomware has plummeted. Roughly two years ago, most firms could get $1M to $5M in coverage without a lot of effort while premiums were low. Those days are long gone: now, most organizations would be lucky to get $100K in cover, and most won't get that, especially with the premiums being far higher for the same amount of coverage.

Cybersecurity insurance providers are also seeking assurances that security controls are in place before granting a policy. Many are actively scanning clients to see if they can detect any vulnerabilities before insuring them; if they find any, they either decline coverage or tell the customer they have to fix all the vulnerabilities first, or the coverage will be rescinded for non-performance.

We are definitely seeing a hardened stance from insurers who are now doing more to protect themselves. This has become necessary as ransomware gangs have begun targeting organizations that are known customers of cybersecurity insurance providers. These cybercriminal groups carry out their due diligence to the point where they know how much of a payout an organization is set to receive in the wake of a cyberattack. Attacks have happened where the ransomware gang specifically broke into a cybersecurity insurance firm, stole the firm's customer list and amounts, and then used those lists like a shopping list. 

Going forward, for anyone that has cybersecurity insurance coverage, get that policy offline, or protect it in a way that a complete compromise of your environment will not allow the attacker to learn the specifics of your cybersecurity coverage. 

All in all, the cybersecurity insurance industry is in a bit of an implosion or reinvention at the moment. The insurance firms are paying out so much so often that the incredible profits they were making just a few years ago are gone. It's a losing proposition for most firms now. 

Full-managed service providers

The issue of rising cyberattacks has even led some cybersecurity insurance firms to become full-managed service providers: they will essentially not only insure you but take on a complete soup-to-nuts managed security service provider role, which includes helping you find vulnerabilities, patching, event log management, incident response, and other services that were not previously part of the cybersecurity insurance service palette.

Moreover, if your organization does suffer a ransomware attack, some cybersecurity insurance providers now have their own dedicated incident response experts and departments. This used to be outsourced externally, but now they are quickly becoming the experts. In one instance, I was informed that a particular cybersecurity insurance firm had more incident responders than underwriters and will even do a blockchain search to determine how legal it is for you to pay the ransom.

It could be stated that we have entered the "golden age" for cyberattacks and for ransomware gangs in particular. They are reaching their highest peak in terms of the profits they will be getting. But with political pressure and financial sanctions being discussed to stop organizations from engaging and paying the ransoms, along with less insurance coverage and higher premiums, we will likely see a decline in the number of ransomware payouts. At the end of the day, organizations need to take a proactive stance on cybersecurity to ensure the correct safety measures, awareness and training are in place to avoid being hit by a cyberattack.

Roger Grimes, data driven defense evangelist, KnowBe4

Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses.