In recent years, there has been a significant increase in the number of ransomware attacks carried out throughout the world. Whether it be the Kaseya assault, which affected more than 1,500 organizations, the DarkSide Colonial Pipeline attack on critical infrastructure in the United States, or the JBS attack, which paralyzed a worldwide meat manufacturer, these incidents are becoming increasingly alarming for businesses.
Following earlier disruptive and costly trends such as DDoS attacks and data exfiltration, ransomware attacks can bring about the worst of all worlds – loss of money, data leaks, and having to pay the attackers’ blackmail demands. This has necessitated a shift in the way cyber security and insurance companies operate.
Reading Between The Lines
According to Muttukrishnan Rajarajan, professor of Security Engineering and Director of the Institute for Cyber Security at the City University of London, the most recent challenge for insurers’ clients is that insurance providers are changing their small print as a consequence of the rise in ransomware attacks.
“They are changing the clauses and it’s getting impossible for small organizations to really understand what they are covered for in terms of ransomware attacks,” he explains.
In the United Kingdom, insurance firms are requiring organizations to get the government’s Cyber Security Essential Plus certification. This is a government-backed initiative that allows companies to self-assess the security of their systems in the case of a cyber assault.
Based on the findings of this vulnerability study, insurers may add restrictions to the policy as well as limit cyber liability coverage.
“This has been on the rise in the last few months and many organizations I speak [to] are really concerned, as they feel the cover they have may not be sufficient to pay for any costs involved in case of any attacks,” says Mr. Rajarajan.
Although Rajarajan feels that the UK is taking the correct steps by requiring organizations to obtain certification, he also believes that these rules have numerous limits, which raises several problems, “especially to SMBs as they don’t have the budget [to] put the controls in place”.
With the growth of ransomware, cyber security businesses such as ProLion have experienced increased interest in their solutions.
“We have seen a huge increase in companies approaching us to discuss how they can improve the way they protect their environment from the increasing ransomware threat,” says Steve Arlin, senior VP of Sales in the US and APAC at the company. “Companies now want to deploy multiple security layers throughout their environment as they have realized that endpoint protection is simply not enough.”
He’s also observed a significant spike in the cost of global cyber insurance. “Over the last 12 months there has been an average of 35% increases in costs, as insurance providers try to address the increasing risks,” he adds. Getting coverage from insurers hinges on having the right strategies, systems, and protocols in place to give companies a low-risk profile. To get or maintain coverage, businesses need to prove their data is highly secure. Today, insurers look for specific solutions aligned with a zero trust architecture as conditions of receiving coverage. Having security measures in place is beneficial because they can help companies reduce cyber insurance costs.
Although ProLion is not presently partnering with insurance firms to produce any type of complete cyber security package, Arlin says the company is “eager to investigate” the possibility because of the perks it would give to both insurers and clients.
Similarly, Databarracks, a backup and disaster recovery provider, has never found an insurance carrier willing to work with it to provide a package.
“We have tried on a number of occasions to work with insurers on this type of initiative and offer discounted cyber insurance policies to businesses that have a robust, well managed, and tested backup in place,” says Peter Groucutt, managing director of Databarracks. “This would of course significantly reduce an insurer’s exposure to potential cyber claims.”
According to Groucutt, insurers have found it impossible, or not financially appealing, to compute this inside their own business models and give this sort of incentive to clients. He considers it “sad,” but he believes it will most likely happen in the future.
Deep Instinct, a cyber security business, has adopted a new approach. It just introduced a new anti-ransomware guarantee worth £2 million, which is covered by Munich Re, a reinsurance firm. Customers who use its software and are hit by a ransomware attack or encounter more than 0.1 percent false positive alarms will be eligible to make an insurance claim.
Brooks Wallace, VP EMEA at Deep Instinct, says the company is “putting its money where its mouth is”.
“We went out to the market and said, ‘Yes, we can do this, we can take it up a notch. We can do $2 million, more than anybody else on the market because we have that kind of confidence in our technology built off the back of deep learning,” he explains.
Digital Insurance In The Digital Age
In the insurance business, CyberAcuView was founded by a group of seven cyber insurers, including AIG, Beazley, and The Hartford, to improve cyber risk mitigation across the board.
The number and intensity of cyber assaults are increasing at an alarming rate. Over the last three years, AIG recorded a 150 percent spike in ransomware claims in the United States, while Beazley reported a 131 percent increase in claims between 2018 and 2019.
“More claims are being paid due to cyber insurance policies evolving over the last 20+ years to provide a unique blend of both first-party and third-party coverage,” says Mark Camillo, CEO of CyberAcuView and former head of cyber EMEA at AIG. “The most common element and frequently used benefit is incident response cover that can include IT specialists, legal advice, ransom negotiators, and public relations support.”
Camillo adds that, as claim activity has increased, cyber insurers have had to “re-evaluate their underwriting appetite,” with many insurers taking a multi-pronged strategy.
“This can include increasing premiums and deductibles, decreasing capacity, and tightening policy terms. These changes are occurring after several years of cyber policy terms getting broader and premiums generally decreasing, so by taking action now, the goal is to ensure the long-term availability of the product line,” he explains.
Camillo feels that the insurance sector is moving in the right direction by actively underwriting good risk management techniques such as strong authentication, proactive vulnerability patching, appropriate endpoint protection as well as monitoring, and protection of privileged credentials.
“We’re seeing more transparency in the underwriting process to incentivize policyholders to improve their cyber hygiene,” he says.
According to Camillo, CyberAcuView was created as a consequence of several years of talks within the insurance sector regarding the necessity for this type of platform.
“The recent cyber insurance report by the US Government Accountability Office (GAO) and the recommendations from the Ransomware Task Force both highlight the need for the industry to work together to advance common policy definitions, collect and aggregate cyber data, and accelerate loss-control best practices – all to improve overall risk mitigation and ensure a competitive marketplace,” he says.
Camillo has seen many insurers incorporate loss-control services like threat intelligence, monitoring, and vulnerability scans as elements of their insurance policies, and IT security firms include warranties, which are frequently supported by insurers, in their products and services.
“The end goal is to help organizations put in place end-to-end risk management solutions through a combination of cyber security and insurance, and these partnerships will continue to expand to provide even greater value to end-users,” he added.
Overall, depending on how governments respond to the ransomware threat, the cyber security and insurance industries will continue to grow, perhaps with slightly tighter ties than before. Insurance may even help firms enhance their cyber security capabilities if insurers require specific defenses to be installed across an organization before agreeing to underwrite it. However, if attackers know that organizations have insurance, those organizations may become targets since they are more likely to pay a ransom, creating a particularly vicious loop in which insurance rates rise.