Ransomware Rewrites Cyber Insurance Policies

The current ransomware crime wave is rattling the cyber insurance market, and that’s bad news for organizations that are buying or renewing policies. Rates are up, availability is tight and terms and conditions are tighter. If there is a silver lining, it’s that insurers could be raising the standards of practice in cybersecurity as they have done in areas as diverse as fire safety and payment cards.

Shifting Cyber Insurance Market

Several trends are impacting whether and how organizations can insure their data and business operations amid mounting ransomware risks. Among them:

• More victims: Ransomware claims rose 35% in 2020,[1] with the surge continuing in 2021.
• Bigger ransoms: One insurance company said the average ransom its policyholders were asked to pay nearly tripled to about $1.2 million in the first half of 2021, from $450,000 a year earlier.[2] At the same time, many smaller companies are being hit with five-figure demands.
• More buyers: In the UK, for example, the government’s Cyber Security Breaches Survey 2021 reported that 43% of businesses had cyber insurance, up from 32% in the previous report.[3]
• Fewer sellers: Some insurers have exited the cyber insurance market, leaving about 20 large companies writing most of the policies, according to the Ransomware Task Force.[4] Many of those have less capacity to write policies than they did before.
• Higher rates: Cyber reinsurance rates – how much reinsurers charge insurers for their own insurance – were up by as much as 40% by the mid-2021 renewal season.[5] Since these costs get passed on, policyholders were expected to see 15% to 50% increases this year, depending on their business sector and other risk factors.[6]
• Tighter terms: Policyholders must meet increasingly stringent cybersecurity standards or pay more. Certain types of risk are being excluded from coverage.

What Does Ransomware Insurance Cover?

Ransomware coverage varies but may include immediate costs for forensics, negotiations, ransom, business interruption, recovery efforts, related regulatory compliance and remediation. The list of what is not typically covered may include damages to intellectual property, reputation and business potential.

Even if covered, there may be caps on how much an insurer will pay for ransom. In addition, much like a healthcare insurance deductible, policyholders often agree in advance to pay a share of ransom in return for lower rates.

Insurance companies are also asking for more detailed information about their clients’ security controls and procedures, audits, penetration testing, backups, business continuity plans, third-party risk management and more. The better these are, the lower your rates could be and the greater the chance of collecting on your claim. Insurers also follow threat intelligence feeds and perform their own scans of vulnerabilities on the internet.

Regulatory Risk Further Impacts Cyber Insurance

One big insurer announced in May that it was dropping ransomware payment coverage for new policyholders in France, due in part to the debate there over the legality of ransomware payments.[7] Legislators in at least three U.S. states have also proposed banning ransomware payments. But many political and industry leaders have weighed in against such a measure, saying it poses an existential threat to ransomware victims.

Six in 10 organizations say they’d pay ransom.[8] From the perspective of victims and insurers, paying ransom can cost less than the costs of business interruption and other damages. But security and enforcement agencies point out that the money often goes to fund future ransomware attacks.

Additionally, government agencies such as the U.S. Treasury Department’s Office of Foreign Assets Control have warned that paying ransom could violate its rules if the money goes to sanctioned individuals. One analysis calculated that 15% of last year’s ransomware payments carried sanctions risk.[9]

In recent months, major ransomware attacks have also prompted calls to make it mandatory to report incidents to authorities. And the U.S. Department of Homeland Security (DHS) issued two directives requiring owners and operators of critical infrastructure to implement specific measures to mitigate against ransomware attacks.

Some see these developments as a sign that minimum security standards could proliferate. “Unfortunately, with organizations often reluctant to invest in cybersecurity unless necessary by law, regulation must be considered as likely inevitable,” said Carl Wearn, Head of Risk & Resilience, E-Crime & Cyber Investigation at Mimecast.

The uncertainty created by these discussions increases insurers’ regulatory risks, which were already multiplying before ransomware flared up. The rise of privacy regulations in recent years is one example that also applies to ransomware, since so much personal information is encrypted and/or stolen in a ransomware attack. Organizations that don’t do enough to protect that data are subject to penalties under rules such as California’s Consumer Privacy Act.

Insurers Bolster Security Management

Insurance companies have been expanding their services to cyber policyholders to decrease their own exposure to risk by helping clients improve their security defenses. Free or discounted cyber risk prevention and mitigation services might include:

• Self-assessment tools
• Employee training
• Incident response planning
• Tabletop exercises
• Compliance assistance
• Technology company partnerships
• Security alerts
• Regulatory alerts

Recently, seven cyber insurance companies formed a joint venture to compile and analyze threats and best practices, work with authorities on ransomware and improve cyber risk mitigation across the market.[10] “The cyber insurance market is coalescing around certain baseline controls as a prerequisite to insurability,” according to the Ransomware Task Force.

The industry’s history of such demands and incentives has proved successful in setting the bar for fire safety and other risks. “In each instance, the insurance sector has identified and supported risk management practices and technologies that have bent the curve and ameliorated a significant risk, to the mutual benefit of the insured and the insurer,” the Task Force wrote.

The Bottom Line

Ransomware is making cyber insurance harder to get and driving up rates, with no clear end in sight. But insurers are also responding with strategies to help clients fight off attackers.

[1] “Insurers Must Totally Reassess Approach to ‘Grim’ Cyber Insurance Market,” Insurance Journal

[2] “Coalition Releases Cyber Insurance Claims Report Detailing Increased Ransomware Demands in 2021,” Coalition

[3] “Cyber Security Breaches Survey 2021,” UK Department for Digital, Culture, Media & Sport

[4] “RTF Report: Combatting Ransomware,” Institute for Security + Technology

[5] “Global Cyber Reinsurance Rates Soar by as Much as 40% During July Renewals,” Insurance Journal

[6] “2021 Cyber Insurance Market Conditions Report,” Gallagher

[7] “France’s Largest Insurer Will No Longer Cover Ransomware Payments,” CPO Magazine

[8] “Ransomware: Too Many Firms Are Still Willing to Pay Up If Attacked,” ZDNet

[9] “15% of All Ransomware Payments Made in 2020 Carried a Risk of Sanctions Violations,” Chainalysis

[10] “Consortium of Leading Cyber Insurers Announce the Launch of CyberAcuView,” CyberAcuView