Ransomware extortion is sharply on the rise, and it’s causing cyber insurance to cost more and cover less.
The cybersecurity world has run into a massive problem in the last few years with cyber insurance, which is designed to reimburse the cost of cyber attacks and system interruptions caused by covered triggers.
What happens when the landscape changes and cyber insurance minimums like MFA aren’t enough to obtain a policy or secure a claims payout?
During COVID-19, the landscape changed drastically. Ransomware attacks unexpectedly increased by 72%, shaking up the cyber insurance industry. With cybersecurity attacks on the rise, the cyber insurance industry is poised to quickly evolve to mitigate risk. Between denials of claims that were once covered and increased minimums for new policy coverage, businesses need to update and extend their protection or risk not qualifying for cyber insurance.
Without cyber insurance protection, can any business afford to cover the $14+ billion in losses in the last year on their own?
Let’s take a deeper look at the state of the cyber insurance industry and the impact recent, continued cyber attacks are having on claim denials and innovation in the space.
The state of cyber insurance claims
One study revealed that cyber attacks have increased by 100% in the last three years. Plus, claims that were paid out to policyholders increased by 200%. As you can imagine, this has sharply decreased margins for cyber insurance companies, despite direct written premiums growing 74% in 2021 to over $4.8 billion.
Ransomware is a type of malware hackers use to block access to critical information or obtain sensitive data, threatening to release it unless paid. It’s used to extort companies that fork over cash to protect their stolen information.
As these attacks dramatically increased, so did the price of extortion payouts. In the first half of 2021, the average ransomware payout increased 82% to a whopping $570,000. Unsurprisingly, cyber insurers have more than doubled the cost of premiums while simultaneously decreasing coverage. And premiums are poised to increase even more in 2023.
Cyber attacks squeeze insurance providers
Because of the explosion of cyber attacks and increasing payout costs, policyholders and the providers themselves are getting hit. Even if a company is reimbursed for the cost of an attack, its insurance options are dwindling.
Hackers are squeezing too much money out of people for the status quo to remain as it has been. This means that policy changes are coming almost as fast as cyber attacks. And companies are getting the short end of the stick on both sides.
Another concern cropping up for cyber insurance providers is centralization risk. Because so many companies rely on a few large providers for cloud services or mobile operating systems, if one were to experience a severe breach, the damage to its thousands of customers would be incalculable.
All of these factors are prompting insurers to make policy changes such as:
- Acts of war cannot be covered
- Insured companies must use MFA
- Certain employee training requirements must be met
- System monitoring standards must be met
- Proof of security controls must be provided
- Attacks must be disclosed to providers
Not only are more rigorous requirements placed on companies that want insurance, the types of claims that can be filed are more specific than they used to be. Ransomware, for example, is now its own trigger category. And different levels of coverage are needed for IT system interruption, partner system interruption, and total business interruption.
Insurance isn’t cybersecurity
In the past, it was possible to fall into the trap of believing that if there was a gap in your company’s security, insurance would make up for it. That was never the most prudent attitude to have, but today it’s downright dangerous to have any form of cybersecurity theater. Assuming cyber insurance will be a failsafe against cyber attacks is asking for trouble.
Firstly, it’s an increasingly expensive way to strategize. With premiums skyrocketing, you only want the policies that your company needs. Don’t think you’ll have blanket coverage for any attack you couldn’t prevent yourself.
Another reason it’s dangerous to think of insurance as a stopgap is that it can end in costly litigation. If your policy doesn’t cover what you hope it will, or if the language requires interpretation, your company could spend more money in court than it would have on preventative cybersecurity measures.
Even if you believe your systems are secure, there’s the possibility of supply chain attacks through third-party vulnerabilities. Assuming insurance will cover these instead of doing due diligence on vendors is a mistake that can cost money, sensitive information, and brand reputation.
Ways to avoid claim denial
Since cyber insurance is getting more expensive and more specific in its policy coverage, there’s an increasing danger of having a claim rejected. That means you’ll get hit twice: once by the cost of the attack and again by the denial of your insurance claim.
If your company is breached, here are some ways to avoid having your claim denied:
- Perform and document regular system updates and security checks
- Make sure employees are educated on social engineering risks
- Thoroughly document existing prevention measures
- Understand and review the terms of your cyber insurance policy
- Consider the language used in the policy that might need interpretation
- Review all limits, sublimits, deductibles, and time deductibles on the policy
With more financial stress on cyber insurance providers and claims increasing alongside cyber attacks, insurers are not inclined to pay for anything they don’t have to. It’s your responsibility to make sure you identify what coverage you need and understand the policy details.
Cybersecurity is becoming more important, not less
Protecting against cyber attacks is a round-the-clock task. Technological advancement is happening so fast that even those in the trenches have difficulty keeping up. That’s why cybersecurity for companies of all sizes is becoming more critical by the day.
The cyber insurance industry is running as fast as it can to keep up with threat actors, but right now, none of us are certain it’s going to be enough. Is your company prepared?