This guide outlines what leading cybersecurity brands advise about ransomware attack settlements and cyber insurance. Is insurance a tool that protects you, or a trap that simply costs you money?
Cyber insurance for ransomware attacks
Fortinet: Cyber Insurance Is a Double-Edged Sword
Cyber insurance is a convenient risk mitigation tool in the battle against ransomware attacks. Right? According to a tweet by Fortinet, maybe not. The cybersecurity company took to Twitter to issue the following warning: “When dealing with a rapidly moving threat like #ransomware, cyber insurance can be a double-edged sword.” The post goes on to explain, “In other words, identifying the insured can be a simple way for criminals to isolate targets to get ransomware settlements.”
What does this mean for organizations covered by cyber insurance? If ransomware attackers know which companies have cyber insurance, they can easily compile a list of targets with the financial backing to pay up during an attack.
How Attackers Identify Companies with Cyber Insurance
Cyber insurance can insulate organizations from the financial costs of a ransomware attack, and one way cybercriminals find out which companies have it is by checking their websites. An organization may purposefully let investors and customers know they have this kind of protection. This is to boost stakeholder confidence in their ability to compensate aggrieved parties in case of a breach and return to business as usual.
Attackers can also hack into an insurance company’s file system, grab their list of organizations with ransomware coverage, and then use that to figure out who to go after. In this context, the insurance company increases the risk of their clients getting attacked instead of reducing it.
Organizations Are Unprepared for Ransomware Attacks
Fortinet recently surveyed organizations to measure their readiness to deal with cyberattacks and ransomware settlement demands, and the findings were surprising. Instead of using cybersecurity tools to safeguard their systems against ransomware attack, many companies are turning to offline backups (58%) and cybersecurity/ransomware insurance (57%).
In effect, organizations are doing less to bolster proactive defenses. Instead, they are shifting their focus to the aftermath of an attack, with cyber insurance for ransomware settlements among their go-to tools.
Palo Alto: The Role of Cyber Insurance Is Growing
As the demand for cyber insurance increases, Palo Alto poses the question: Could the insurance industry inadvertently evolve into a kind of regulator? Businesses will be eager to demonstrate they’re using the most recent cybersecurity protections, which insurers now require before granting or renewing coverage, to lower their premiums. At the same time, insurers will be digging to confirm if a business can be insured and at what premium levels—depending on how well they’re protecting their digital infrastructure.
So if a company applying for coverage fails to adequately protect its network, the insurer may be justified in denying coverage. After all, without basic protections, organizations are exposed to a far greater number of ransomware threats. With the threat landscape evolving rapidly, the list of prerequisites for coverage is starting to look like the kind of cybersecurity checklist any responsible IT team would use to protect its organization.
Response Plans Are Lacking While Ransomware Attacks Remain a Top Threat
A recent survey by Palo Alto confirms what cybersecurity leaders have been saying in recent years. Ransomware tops the list of threats, while only 47% of organizations have a solid ransomware incident response plan.
The survey also showed that despite increasing cybersecurity budgets, many IT leaders still lack confidence in their ability to successfully respond to and prevent ransomware incidents. With ransomware attacks becoming more frequent and sophisticated—and the average ransom demand rising—it is crucial more than ever to have adequate defenses in place. In the absence of a response plan, companies may have no choice but to rely on insurance to insulate them from the effects of an attack—that is, if they manage to get coverage in the first place.
Barracuda: Cyber Insurance Can’t Save Organizations from Ransomware
Barracuda, in a recent post, cautions companies never to let their guard down despite having ransomware coverage. That’s because a cyber insurance policy may not be enough to cover the full cost of an attack, which can include:
- Downtime or business interruption
- Fees for negotiating with attackers
- Infrastructure repairs
- Professional advice from a consultant on how to best handle the incident
Just like Palo Alto, Barracuda also found that, as a condition of ransomware coverage, insurance companies are increasingly demanding security precautions like network or email protection against phishing. Failure to install basic protections will make obtaining coverage extremely difficult.
Also, a ransomware incident stemming from an act of war, which is a very real possibility in 2022, won’t likely be covered by cyber insurance. Due to recent cyberwar-related attacks, some insurance firms have been including language in contracts that specifically limits coverage for cyber warfare.
Ransomware Attack Patterns Are Evolving
Between August 2020 and July 2021, Barracuda researchers discovered and studied 121 ransomware events and found that attacks increased by 64% year over year. Municipalities, healthcare, and educational institutions continued to be extensively targeted by cybercriminals, while attacks on other businesses were also on the rise.
Barracuda’s chief technical officer, Fleming Shi, also offered a chilling revelation: “Attackers often start with small organizations that are connected to the larger targets and then work their way up.” This means that companies at all levels can be targets. What’s more, it’s no longer enough that organizations secure their own infrastructure, but they also have to make sure that the companies they do business with are adequately protected against attacks.
U.S. Government: Cyber Insurance Is in High Demand But the Cyber Insurance Landscape Has Changed
The U.S. Government Accountability Office (GAO) observed a significant shift in the cyber insurance space in recent years:
- The cost of cyberattacks to American insurers nearly quadrupled between 2016 and 2019.
- The number of cyber policies increased by nearly 60% throughout this same time period.
- Between 2016 and 2019, the number of insurers offering cyber insurance increased by around 35%.
GAO also pointed out that as attacks increased, insurers tightened their terms and conditions to reduce losses stemming from cybersecurity incidents. In the past, they were likely to offer limited cyber coverage as part of business property and liability policies—now, they tend to offer it separately. As a result, policyholders face fewer coverage alternatives, more stringent policy requirements, and more exclusions. This means less risk exposure for insurers and a lower chance they’ll end up having to pay claims.
Cyber Insurance Guidance from the FTC
The Federal Trade Commission (FTC) has also stepped up to provide guidance on what a cyber insurance policy should include. Specifically, the FTC recommends coverage for:
- Data breaches, such as incidents involving the theft of personal information
- Data kept by vendors and other third parties that could be subject to cyberattacks
- Cyberattacks involving any kind of network breach
- Global cyberattacks that can happen anywhere, not just in the U.S.
- Acts of terrorism
Cyber Insurance for Ransomware Attacks: A Tool or a Trap?
Whether a cyber insurance policy will do more harm than good may depend less on the policy itself and more on the protections your organization has in place to prevent and deal with a ransomware attack. If you publish the fact that you have cyber insurance, an up-to-date ransomware mitigation plan is critical, and so is regularly educating your workforce on how to avoid ransomware.