Organizations face a complex decision on whether to pay extortionist demands. Insurance can cushion the impact of these attacks but cannot cover lost income, reputational damage, and costs to re-establish networks.
With ransomware claims accounting for 75% of cyber insurance losses, carefully examining policy definitions, limits, and conditions is essential.
While many companies view cyber insurance as useful for mitigating ransomware settlements, it needs to be clarified whether the market can sustain an equilibrium that supports profitable insurers while meaningfully addressing organizational risk. In particular, the insurance industry may have to shift its focus to addressing the root causes of cyber attacks rather than merely responding to them after they occur. Cybersecurity experts like Fortinet suggest a ransomware settlement should be avoided when possible for many reasons including putting a target on your back for repeat attacks.
This is complicated by polarised stakeholder positions on the role of insurance, with some participants arguing that it exacerbated the problem via its support for ransom payments. Moreover, many insurance policies restrict acquiescing to criminal demands that may limit an insured’s options – particularly in larger organizations that cannot afford to pay extortionists.
As more firms adopt cyber insurance, they are likely to be subject to new exclusions and coverage clarifications related to acquiescing to ransomware gangs. As such, it is essential that potential buyers carefully review their policies and consult an experienced cyber broker who can help them make informed decisions when purchasing this increasingly valuable product. This process may also prompt them to use valuable pre-breach services that reduce their cyber risk exposure. It is worth noting that cyber insurance is an expensive product, and some insureds may be forced to choose between it and other critical cybersecurity mitigation measures.
A cyber insurance policy pays a ransom demand, but not all of an organization’s losses from ransomware attacks are covered. For example, the company’s reputation may suffer due to public data leaks, sales may drop when customers are told their data was compromised, and there are expenses associated with the incident support network needed to manage a breach.
Participants in this research noted that insurers are typically agnostic regarding whether their insureds will choose to pay demanded or negotiated ransoms. The decision to pay or not is ultimately a business call by the insured, who will take into account advice from their incident support networks.
In addition, this research indicated that cyber insurers require prospective insureds to meet higher cyber security standards to be eligible for coverage. This directly relates to our question about whether insurance could mitigate the ransomware threat because it raises the bar for those organizations that wish to be insured and could lead to a higher level of protection against this specific type of attack.
Other forms of coverage that address the impact of ransomware include extortion and regulatory defense, which cover attorney’s fees and costs for defending against formal regulatory investigations or penalties arising from a cyber incident (including a ransomware event). The research also highlighted that some business interruption policies are designed to address these losses, as well as some data privacy/compliance policies.
The frequency of ransomware attacks is rising, as are the size and nature of extortion demands. This growing trend has contributed to the recent deterioration in cyber insurers’ underwriting performance, and ransomware will likely be the costliest loss event.
While interviewees agreed that the decision to pay a ransom is always a matter for the insured, insurance can support such incidents by covering broader costs such as network recovery and lost income. In many cases, such losses are multiple times greater than the amount of any extortion payment.
Insurers are also taking steps to clarify their coverage for the ransomware threat, with new language in policies and increased exclusions to ensure that they do not cover cyberattacks linked to nation-state hackers. However, the need for a clear link between attribution and insurance coverage creates uncertainty for insureds.
Despite these challenges, there is scope for insurance to help reduce the risk of ransomware by encouraging organizations to hasten or deepen their good cyber security standing and adopt best practices in a fast-changing landscape. The Association’s report explores how insurers and reinsurers can play a vital part alongside governments in boosting society’s resilience to this significant and growing menace.
Cyber insurance can help firms cope with the costs of ransomware, but it does not cover everything. The impact of disruption can extend beyond the loss of data and financial extortion demands to lost productivity, the cost of hiring third-party consultants, the prices of upgrading technology to prevent future attacks, and even the damage to a firm’s reputation.
Moreover, the effectiveness of cyber insurance is being tested as more and more firms rely on it to offset the risks of running a business. This shift from traditional approaches to risk management is partly a result of the sustained rise in ransomware threats and the growing complexity of such attacks.
For example, many policies require insureds to make every reasonable effort to determine if a ransom demand is legitimate before making any payments. This requirement can be especially difficult for companies that rely on third-party cloud providers to manage their data storage. As a result, ensuring that policies are broad enough to include those vendors is essential.
Insurers may also exclude certain types of losses they deem to be the insured’s fault, such as those caused by poor security practices. This type of exclusion can limit a policy’s benefits and deter some firms from purchasing it in the first place. Some analysts also argue that insurers indirectly encourage firms to pay ransom demands.