Cyber Insurance for Ransomware in Beyond 2021: Preparing for the Worst
Cyber Insurers Position Themselves As Collaborative Partners For Organizations To Evaluate Potential Risk Of Ransomware Attack And Response.
- Organizations view cyber insurance is more than just an option to cover liabilities in the event of a ransomware attack. It helps organizations evaluate and manage their risk of attack and quantify potential financial impact.
- The cyber insurance carrier is a collaborative partner before, during, and after an attack to help control and mitigate damages, as well as learn how to prevent vulnerabilities from exploitation.
- It is essential to have a response plan with a team in place before an attack occurs to ensure timely action to restore business operations.
We’ve seen an explosion of ransomware attacks over the last few years, with the frequency of attacks growing by more than 50 percent. Consequently, there’s been a similar growth in cyber insurance policies that cover business liability for data breaches and other damages resulting from a ransomware attack (no, you’re not covered by your general liability policy, which covers property and bodily damages).
So, given the increasing likelihood you might be a victim of a ransomware attack, you might think it’s probably a good idea to have cyber insurance. We think the answer is yes, but the reason is not because you might get monetary compensation for the damages of a ransomware attack. The reason you might want to get cyber insurance is that it helps you take steps to prevent a ransomware attack in the first place and, if you are attacked, provides you with a plan of action to best respond to the attack.
Indeed, cyber insurance is a collaborative process between your organization and your insurance carrier to evaluate your risk management as well as to quantify the potential financial impact of a ransomware attack.
This is all covered in a recent presentation by Liz Limjuco, Senior VP Marsh Cyber Practice, and Bryan Hurd, VP Aon Cyber Solutions, part of the Mimecast Beyond 2021 virtual conference. Here’s a quick overview.
The benefits of cyber insurance cover three stages:
- During a ransomware attack incident
How cyber insurance helps protect against a ransomware attack in the first place is an organization has to qualify for a policy. Underwriters are continually looking at the root causes of all previous breaches; those identified root causes must be addressed before an organization can get cyber insurance.
This means certain cyber hygiene practices must be in place before an underwriter even considers issuing a cyber insurance policy. Base level cyber security practices may include:
- Multi-factor authentication (MFA)
- Email encryption
- System and data backups
- Test plans for backup restoration
- Network segmentation
As Hurd puts it, “You wouldn’t qualify for fire insurance if you didn’t have fire alarms and sprinklers in place. The same principle applies to cyber insurance.”
Limjuco adds that, “This is a great opportunity for organizations to consider ransomware issues they haven’t yet faced so that if they do ever have to face them, they have a plan in place. Not just how to react, but to also consider how much this could potentially cost the organization. Your cyber insurance carrier is your collaborative partner to help define all the right players that need to be in place in the event of an attack. Critical time is wasted on how to respond if you don’t have a plan already in place.”
Or as Hurd describes it, “You don’t pick team on game day.”
During a Ransomware Incident
The team you pick well before game is made up of six to twelve individuals comprising at the very least:
- Senior executives
- Company attorney (possibly outside private counsel as well)
- Public relations firm
- Notification services
- Forensic cyber incident response vendor
- Cyber insurance carrier
In the case of the last two team members, Limjuco points to another critical value of cyber insurance. “Carriers have deep relationships with cyber incident vendors. They get preferential treatment because vendors have worked with them before.”
Which is why if you are attacked, one of your first calls is to the cyber insurance carrier. Because of their experience in navigating security incidents, the insurer is familiar with certain patterns that the organization might otherwise overlook in deciding to pay the ransomware or not.
Limjuco emphasizes that the decision to pay or not is always up to the organization, not the insurer. Nor is it that of the IT or security team. The decision-maker is the CEO.
“Sometimes you don’t have a choice but to pay,” Hurd explains. “There are two things to consider. The first is whether - and you should - have backups to get your business up and running as soon as possible. Then you just need to restore and don’t need to pay the attackers to remove the encryption placed on your functions. However, that’s not the only consideration. If you’ve got a data breach, the attackers extort you to prevent publication of that data. And keep in mind even if the attackers don’t make it public, the data is going to end up sold on the dark web somewhere, so you have to expect things like passwords and network access are going to be in criminal hands outside of the organization. So that’s another conversation.”
And, again, it’s a decision that should be mapped out in the pre-incident plan.
Post-incident attack analysis
However an organization responds to a ransomware attack, post-assessment helps prevent or at least mitigate the next attack. It’s an opportunity to determine lessons learned for what could be done better and what vulnerabilities were uncovered, as well as to capture the financial cost of the attack.
The claims adjustor determines what liabilities are covered and what isn’t. Hurd emphasizes that this is not an adversarial relationship. “The broker is on your side, before, during, and after an attack. Nobody knows the costs of an attack better. These are people who understand what has happened and are there to help you through it.”
The Bottom Line
Cyber insurance isn’t just a safety net to cover liabilities incurred if you suffer a ransomware attack. It’s a vital component of your risk management and business continuity plans. Cyber insurers are examining ransomware attacks worldwide and are a great source of information and guidance for you to assess the ROI on necessary cyber security controls and upgrades.
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!