Cyber Insurance for Ransomware in Beyond 2021: Preparing for the Worst

We’ve seen an explosion of ransomware attacks over the last few years, with the frequency of attacks growing by more than 50 percent. Consequently, there’s been a similar growth in cyber insurance policies that cover business liability for data breaches and other damages resulting from a ransomware attack (no, you’re not covered by your general liability policy, which covers property and bodily damages).

So, given the increasing likelihood you might be a victim of a ransomware attack, you might think it’s probably a good idea to have cyber insurance. We think the answer is yes, but the reason is not because you might get monetary compensation for the damages of a ransomware attack. The reason you might want to get cyber insurance is that it helps you take steps to prevent a ransomware attack in the first place and, if you are attacked, provides you with a plan of action to best respond to the attack.

Indeed, cyber insurance is a collaborative process between your organization and your insurance carrier to evaluate your risk management as well as to quantify the potential financial impact of a ransomware attack.

This is all covered in a recent presentation by Liz Limjuco, Senior VP Marsh Cyber Practice, and Bryan Hurd, VP Aon Cyber Solutions, part of the Mimecast Beyond 2021 virtual conference. Here’s a quick overview.

The benefits of cyber insurance cover three stages:

• Pre-incident
• During a ransomware attack incident
• Post-incident

Pre-incident preparation

How cyber insurance helps protect against a ransomware attack in the first place is an organization has to qualify for a policy. Underwriters are continually looking at the root causes of all previous breaches; those identified root causes must be addressed before an organization can get cyber insurance.

This means certain cyber hygiene practices must be in place before an underwriter even considers issuing a cyber insurance policy. Base level cyber security practices may include:

• Multi-factor authentication (MFA)
• Email encryption
• System and data backups
• Test plans for backup restoration
• Network segmentation

As Hurd puts it, “You wouldn’t qualify for fire insurance if you didn’t have fire alarms and sprinklers in place. The same principle applies to cyber insurance.”

Limjuco adds that, “This is a great opportunity for organizations to consider ransomware issues they haven’t yet faced so that if they do ever have to face them, they have a plan in place. Not just how to react, but to also consider how much this could potentially cost the organization. Your cyber insurance carrier is your collaborative partner to help define all the right players that need to be in place in the event of an attack. Critical time is wasted on how to respond if you don’t have a plan already in place.”

Or as Hurd describes it, “You don’t pick team on game day.”

During a Ransomware Incident

The team you pick well before game is made up of six to twelve individuals comprising at the very least:

• Senior executives
• Company attorney (possibly outside private counsel as well)
• Public relations firm
• Notification services
• Forensic cyber incident response vendor
• Cyber insurance carrier

In the case of the last two team members, Limjuco points to another critical value of cyber insurance. “Carriers have deep relationships with cyber incident vendors. They get preferential treatment because vendors have worked with them before.”

Which is why if you are attacked, one of your first calls is to the cyber insurance carrier. Because of their experience in navigating security incidents, the insurer is familiar with certain patterns that the organization might otherwise overlook in deciding to pay the ransomware or not.

Limjuco emphasizes that the decision to pay or not is always up to the organization, not the insurer. Nor is it that of the IT or security team. The decision-maker is the CEO.

“Sometimes you don’t have a choice but to pay,” Hurd explains. “There are two things to consider. The first is whether - and you should - have backups to get your business up and running as soon as possible. Then you just need to restore and don’t need to pay the attackers to remove the encryption placed on your functions. However, that’s not the only consideration. If you’ve got a data breach, the attackers extort you to prevent publication of that data. And keep in mind even if the attackers don’t make it public, the data is going to end up sold on the dark web somewhere, so you have to expect things like passwords and network access are going to be in criminal hands outside of the organization. So that’s another conversation.”

And, again, it’s a decision that should be mapped out in the pre-incident plan.

Post-incident attack analysis 

However an organization responds to a ransomware attack, post-assessment helps prevent or at least mitigate the next attack. It’s an opportunity to determine lessons learned for what could be done better and what vulnerabilities were uncovered, as well as to capture the financial cost of the attack.

The claims adjustor determines what liabilities are covered and what isn’t. Hurd emphasizes that this is not an adversarial relationship. “The broker is on your side, before, during, and after an attack. Nobody knows the costs of an attack better. These are people who understand what has happened and are there to help you through it.”

The Bottom Line

Cyber insurance isn’t just a safety net to cover liabilities incurred if you suffer a ransomware attack. It’s a vital component of your risk management and business continuity plans. Cyber insurers are examining ransomware attacks worldwide and are a great source of information and guidance for you to assess the ROI on necessary cyber security controls and upgrades.

View the entire cyber insurance presentation here, and be sure to check out other sessions from Mimecast’s Beyond 2021 virtual conference.