Cybercriminals have launched a jarring wave of ransomware assaults on U.S. businesses and infrastructures in recent months. They’ve shut down meatpacking plants, gas pipelines, schools, and healthcare facilities. In each case, they’ve locked down their victim’s computer systems and demanded money to return access. Known payments to these cyber-extortionists rose 344% from 2019 to 2020, totaling $416 million in cryptocurrency, according to a July 2021 report by blockchain data platform Chainalysis. This year, the figure has already reached $210 million.
In many ransomware cases, the victims are not the ones writing the checks (or, rather, handing over the bitcoin). Their cyber insurance companies are. In fact, 70% of cyber insurance premiums wound up being paid out to hackers in 2020,according to Fitch Ratings.
With this jump in ransomware demands and payments, it’s not surprising the cyber insurance industry is now jacking up its premiums and rethinking what it covers and how it does business. At the end of 2020, more than half the buyers of cyber insurance saw the price of their coverage rise between 10% and 30%, according to the U.S. Government Accountability Office (GAO). Underwriters are also being more selective about what exactly they’ll cover and who they’ll take on as clients. In some instances, they are setting new rules, lowering coverage limits, or increasing deductibles.
They are also poking more deeply into their clients’ IT and security departments, and probing their tech stacks and their processes. For example, some insurers refuse to provide coverage if a client doesn’t use basic multifactor authentication for access to its network. Some are hiring independent cybersecurity firms to evaluate a client’s cyber-risk and determine its risk score.
In fact, risk scoring has become a powerful tool on both sides of the table. For insurers, it can help them understand the security profile of a client’s networks, servers, and endpoints, which in turn allows them to set terms for policies or deny them altogether. For enterprises of all sizes, risk scoring has become valuable in determining the scale of risk and setting priorities. It also gives CIOs and CISOs clear and specific data points for supporting increased budgets in certain areas.
What’s in your insurance?
When cyber insurance policies first appeared in the 1990s, insurers limited coverage to mistakes in digital processing. As the policies—and cybercrime activity—evolved, insurers began covering unauthorized access, network breaches, data loss, and virus-related damage. Insurers also expanded coverage to business interruption and extortion.
Some of this coverage was actually bundled into existing property or liability insurance, which often led to ambiguous policy language, allowing insurers to sidestep hefty payouts. Today, most cyber insurance clearly covers network security, so that businesses are protected when there is a data breach, malware infection, cyber-extortion, or a ransomware attack.
Costs related to things like legal expenses, IT forensics, notifications to customers, regulatory investigations, and, yes, negotiations and payouts of ransomware demands, are covered. Some cybersecurity insurers even offer so-called third-party coverage—underwriting the losses and claims from both a policyholder and the policyholder customers affected by a cyber event.
But cyber insurance is polarizing. Critics say it encourages ransomware victims to comply with criminal demands when they should, instead, proactively invest in bolstering their security and enterprise technologies. Others see it as a necessary precaution to combat increasingly sophisticated and destructive cybercriminals. In the current business environment, some even say cyber insurance should be a requirement, much like auto insurance for drivers.
Playing better D
Of course, the best insurance against a cyberbreach is a strong foundation. That often starts with the basics of good cyber hygiene. Having a clear understanding of the number, type, and operational status of endpoints connected to your network will help assess your risk. Software management solutions, configuration platforms, and automated patch management are all fundamentals of strengthening a company’s internal defenses, while data privacy management enables organizations to secure sensitive information and remediate privacy breaches.
Once these cyber tools are in place, risk scoring provides a way to identify the areas that need shoring up. This is crucial in today’s enterprise IT and security environments, where inconsistent and ad hoc data from a tool sprawl, and from many different business units, make it near impossible to set priorities. The data also needs to be timely. “Vulnerabilities and attack vectors are constantly being discovered.” says Shawn Marriott, director of product management at Tanium and a longtime information security professional. “Knowing that three months ago you fixed everything doesn’t mean you’re OK today. You need to identify vulnerabilities and act quickly.”
Knowing that three months ago you fixed everything doesn’t mean you’re OK today. You need to identify vulnerabilities and act quickly.
Risk scoring from a single endpoint management and security platform like Tanium’s helps. It works by assessing all potential areas for attack vectors. These include system vulnerabilities, system compliance, administrative rights, password identification, antivirus software, firewalls, and encryption protocols. These tools can generate recommendations to improve security in every nook and cranny or deal with the most glaring vulnerabilities.
“In any organization, there’s always more to do than time to do it or resources to do it,” says Marriott. “Scoring helps bubble up what are the most important things to do. It gives you that prioritized list: Do these things first because they’ll have the largest overall impact on reducing your score. It’s just understanding what’s important and being able to answer the question: How are we doing?”
Risk scoring also helps businesses embrace cybersecurity in their core missions. Companies are good at prioritizing risk management, and a low mark for cybersecurity is a big incentive to the C-suite to plug security holes and mitigate the chance of a breach and the consequent damage to reputation and operations—not to mention financial penalties from regulators.
Some analysts suggest that threats from ransomware criminals will push insurers to drop cyber coverage altogether. In its May report, the GAO expressed concern about the ability of insurers to provide cyber insurance, saying, “The extent to which cyber insurance will continue to be generally available and affordable remains uncertain.”
In what’s being cited as an industry first, insurance giant AXA decided to stop reimbursing for ransom attacks in France after that country’s top cybercrime prosecutor warned that companies should not pay cyber-extortionists. Insurers themselves aren’t insulated from attacks. In March, CNA Financial paid $40 million to hackers to regain control of its network after thieves infiltrated its systems and stole data.
The extent to which cyber insurance will continue to be generally available and affordable remains uncertain.
Despite the apparent policy risks, cyber insurance is projected to have a healthy future. The market was valued at $7.36 billion in 2020 and is estimated to reach $27.83 billion by 2026, according to Mordor Intelligence. Some observers say underwriters will include additional provisions in their policies rather than end cyber coverage altogether. After all, it’s a lucrative market. Says Stewart Baker, an attorney at Steptoe & Johnson and a former NSA general counsel: “Insurers will raise rates and write bigger exclusions before they leave the market.”
And, remember, insurers are in the risk-management business. Just as with any other venture, they need to minimize payouts to stay viable. That means there will always be get-out clauses in a policy. And, at the end of the day, many policies will simply not cover the full cost of a breach.
Cyber insurance can serve a purpose, but only if it is supported by good internal cyber hygiene. And only if you use risk scoring to locate your top vulnerabilities and prioritize fixing them before a cybercriminal beats you to it and you’re forced to call in the insurance adjusters.