The Evolution of Cyber Insurance Policies: The Unintended Consequences of Ransomware
The rise of ransomware over the past two years has been well reported as it has crippled organizations around the world.
The rise of ransomware has led victim organizations to seek the cheapest and most legally compliant solution to an attack. Thus, many organizations have prioritized the adoption of cyber insurance programs. While cyber insurance has developed alongside cyber risks, staying ahead of these risks and being able to predict outcomes has proven to be a difficult task and a unique challenge for underwriters, insurers and brokers.
Insurance market growth
As a result, the cyber insurance market has been valued at $3 billion and is expected to reach $25 billion by 2026. The industry is measured by gross written premiums and, given the steady increase in reliance on an interconnected technological world, it is easy to understand how cyber insurance was once considered a profitable business. However, as ransomware increases steadily, so do the payouts accompanying these attacks, with the average ransomware payout reaching nearly $250,000 in 2021.
The common thread running through all of these attacks is that ransomware gangs are “suddenly everywhere, seemingly unstoppable and highly effective.” The insurance vernacular would qualify these attacks as “frequent and serious”. This is a measure that puts underwriters on high alert as corporate profits may be in jeopardy if the loss ratio starts to rise.
Cyber insurers in this space do not have the same decades of actuarial loss data as other lines of business, such as environmental or property. This is a significant drawback, given that the severity of ransomware incidents reached a noticeable level in 2020 and has been increasing ever since. If and when there is not enough capacity in the market, and if claims payouts exceed policy limits, it becomes more difficult for underwriters to adjust pricing matrices, encapsulating the uncertainty of the market.
Cyber assurance on security technology and processes
The best way to secure any organization and have the most relevant insurance policy in place is to ensure that cybersecurity best practices are in place. While many basic cybersecurity processes can go a long way in protecting organizations, the biggest hacks require substantial cybersecurity investments. However, disparities in this ideology occur when companies operate in a market that encourages purchases of cyber insurance policies at the expense of massive IT spending.
Cyber insurance policies shouldn’t mean a business becomes complacent with its cybersecurity. Bad actors have learned about the rise of cyber insurance and in some cases use it against the victim. DarkSide, a successful ransomware gang, recommended Guess9, a recent target organization, “…use your insurance, which only covers this case.” The group went on to suggest that “…we don’t demand more than the amount of cyber insurance…” An example of this happened even more recently when ransomware group Hive demanded £500,000 after an attack on Wootton Upper School in Bedfordshire, knowing that amount was the same amount covered by their cyber insurance premium.
These threat actors are now able to identify which companies will give in and which insurers are willing to fund these payments, adding a layer of complexity to double extortion methods.
The company no longer needs money to pay as long as hackers can access the data room, find the insurance policy, and demand a ransom that matches or is less than the policy limit. The question becomes, if you have a higher policy limit, will that increase the likelihood of someone taking advantage of you? This question underscores the absolute necessity of cybersecurity best practices, even with an insurance policy in place.
The severity of ransomware attacks is also pushing carriers to increase premiums and devise stricter underwriting guidelines. Price increases and restricted coverage may only be a short-term solution. However, designing stricter underwriting guidelines can be extremely effective as a long-term solution because it addresses one of the root causes that insurance is trying to help address: an unprepared organization.
By simply filling out an insurance application, an organization can learn a little more about best practices and risks. These applications have evolved to look more like an assessment. Certainly, with stricter underwriting guidelines, insurers, brokers, and even cybersecurity firms can take on the role of advisor or assessor. Indeed, insurers are now in a unique position and can play a leading role in helping to defuse ransomware claims.
In the future, new applications will have to meet much stricter requirements to obtain coverage via an insurance policy. These requirements may include implementing multi-factor authentication, managed detection and response tools, and 24/7 SOC capabilities, existence of backups, or proof that there are dedicated experts, such as CISOs, or established relationships with external IR teams. Cybersecurity training and regular penetration testing may also be required. Some carriers add sub-limits, and some may even insert exclusions for damages or costs arising from certain known events, such as SolarWinds. Some may even require certain vulnerabilities such as Log4j to be mitigated before purchasing the policy.
Evolution of industry standards
Recently, Lloyd’s of London announced the latest development in the cyber insurance market, marking another unintended consequence of ransomware. As Lloyd’s has been a longtime leader in the insurance market and is known for creating innovative cyber policies covering complex risks, it would not be surprising to see other insurers follow suit; this mandate is therefore extremely impactful. The war risk exclusion announced on August 16 mandates specific exemption from coverage for losses “arising out of war”, as well as state-sponsored cyberattacks that “significantly affect a state’s ability to function” or which have an impact on a state’s security capabilities. It further requires syndicates to have a clear system on how to attribute an attack to a state-based actor.
The decision to make the exclusion clear and unambiguous is an important step for the industry. However, since the onus is on the carriers to defend the exclusion, one must ask whether they have thought about the implications of this defence. The challenges are in making a confident attribution call and bringing together the most appropriate parties to assist in that call, as well as the competitive position each operator might take in crafting the process.
Government advice may be untenable for businesses
Governments around the world are consistent in advising victims not to pay ransoms, as this encourages future cybercrime. This position may become untenable over time as attacks are increasingly frequent with victims, often publicly, held hostage.
Most ransomware attacks are carried out by teams of experts and, despite the protection that basic cybersecurity processes can offer, it is ultimately a substantial IT investment by the board that will prepare organizations. Ransom demands, insurance premiums, forensic investigations and class action lawsuits are all increasing in frequency and cost. The expense has become unsustainable, especially for small and medium-sized businesses, where reputational damage can also be devastating.
Cyber insurance should not just be a reactive policy
Organizations should champion cyber insurance as a core business program rather than a reactive policy. Cyber threats are only on the rise and it is incumbent on private companies to seek methods that mitigate and prevent attacks. Strengthening the organization’s security posture becomes a critical way to access insurance premiums, working to maximize the cyber health of the business.
About the Author
Jennifer Mulvihill is Head of Business Development, Cyber Insurance and Legal at BlueVoyant. BlueVoyant converges internal and external cyber defense capabilities into a results-based, cloud-native and single unified platform: BlueVoyant Elements.