Rising Premiums and Ransomware: The Cyber Insurance Balancing Act
Threat actors are developing more sophisticated and strategic ways to target sensitive information. Digital footprints and technology usage will only keep expanding, which widens the attack surface and presents more opportunities for compromise. Recently, ransomware has taken the stage as the malware of choice, with the average estimated cost of a ransomware breach coming in at $4.62 million, according to IBM’s 2021 Cost of a Data Breach Report. Demands previously in the thousands are now in the millions. With ransomware attacks now trending, cyber risk rises dramatically, because organizations of every size and across every industry can fall victim.
With greater potential for data compromise comes a greater need to explore cyber insurance. The dilemma is that rising attack prevalence heightens risk for both organizations and insurers: organizations need coverage as an extra layer of protection, and insurers need to raise prices to match the cyber landscape. These increases are steep. According to an S&P Global Market Intelligence analysis in 2021, premiums for stand-alone cyber policies increased 28.6% in 2020 alone. Some insurers even refuse to extend coverage to ransomware incidents. Add in that cyber threats are dynamic, and rate predictability and risk evaluation become a difficult feat.
Before deciding to issue a policy, and when calculating rates, insurers are using cyber risk tools to look more closely at an organization’s security posture. Claims investigations are also more thorough, and insurers are consulting cyber experts when deciding whether to extend coverage. Below are some strategic moves that improve security posture while also making an organization more attractive to underwriters. While the process remains variable, taking these steps increases the likelihood that an underwriter will offer lower premiums and cover events in a time of higher risk and rising costs.
Remain cyber aware
The cyber threat landscape is always changing, so it is crucial to stay informed on current threats and trends. While ransomware is causing the most challenges today, this will inevitably shift as organizations become better prepared to avoid these attacks or limit their exposure. Even so, threat actors will continue to evolve their capabilities and find new ways to penetrate systems, whether through entirely new attack methods or variations of current ones. Keeping on top of the changing landscape helps organizations improve the policies and procedures they use to track and manage threats and risks. Addressing cyber risk in your supply chain of professional services, maintenance contracts, software, and finished goods is part of staying cyber aware. All of this sets the stage for a robust and effective program.
Ensure cyber controls are mature
While it is impossible to achieve perfection and fend off every attack, organizations can take steps to mitigate risk. Underwriters look closely at the controls in place that would prevent an attack or enable rapid remediation and recovery. To bolster cyber and risk management programs, organizations can implement additional security controls:
Implement multi-factor authentication to defend against stolen credentials. Requiring more than a password to authenticate users adds a layer that a leaked or phished password alone cannot bypass.
Encrypt sensitive information, such as data containing personal identifiers or trade secrets, and restrict access to sensitive folders and servers to the users who need it.
Perform robust backup and recovery with immutable backups, implement policies around data backup, retention, and recovery, and test restores regularly so the backups are known to work before an incident.
Conduct regular security testing to evaluate your systems for vulnerabilities requiring mitigation.
Monitor security ratings through scoring services like BitSight.
Ensure employees are cyber aware through regular education and training on trending attack methods and what their role and responsibilities are in keeping the organization safe.
Use automated security scanning software to detect new vulnerabilities, unauthorized changes, and violations of standards, so that a known security baseline is maintained rather than assumed.
Create internal roles, or partner with a provider, to evaluate dynamic risk and provide ongoing strategy and guidance on cybersecurity decisions.
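The last two controls above, security testing and automated scanning for unauthorized changes, come down to comparing the current state of a system against a recorded baseline. The following Python script is an added example, not code from the original post or from any scanning product it mentions: it records a SHA-256 baseline of a directory, then reports files that were modified, added, or removed and settings that violate a hypothetical policy (the `sshd_config` rules and the sample files are constructed for the demonstration).

```python
"""Security-baseline drift check: hash a directory once, then report
unauthorized changes and policy violations on later runs (example code)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical policy: files that must exist and the settings they must carry.
# Constructed for this example; adapt to the standards your auditors check.
REQUIRED_SETTINGS = {
    "sshd_config": {"PasswordAuthentication": "no", "PermitRootLogin": "no"},
}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def parse_settings(text: str) -> dict:
    """Parse 'Key value' lines (sshd_config style), ignoring blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def check_drift(root: Path, baseline: dict) -> dict:
    """Compare the directory with the baseline and with REQUIRED_SETTINGS."""
    current = build_baseline(root)
    findings = {"modified": [], "added": [], "removed": [], "violations": []}
    for rel, digest in baseline.items():
        if rel not in current:
            findings["removed"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    findings["added"] = [rel for rel in current if rel not in baseline]
    for rel, rules in REQUIRED_SETTINGS.items():
        path = root / rel
        if not path.exists():
            findings["violations"].append(f"{rel}: missing")
            continue
        settings = parse_settings(path.read_text())
        for key, expected in rules.items():
            actual = settings.get(key)
            if actual != expected:
                findings["violations"].append(
                    f"{rel}: {key}={actual!r}, expected {expected!r}")
    return findings


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate unauthorized changes
    (a weakened sshd_config, a dropped script, a deleted file) and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sshd_config").write_text(
            "PasswordAuthentication no\nPermitRootLogin no\n")
        (root / "motd").write_text("authorized use only\n")
        baseline = build_baseline(root)
        # Changes made after the baseline was recorded
        (root / "sshd_config").write_text(
            "PasswordAuthentication yes\nPermitRootLogin no\n")
        (root / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "motd").unlink()
        return check_drift(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be written to storage the scanned host cannot modify (otherwise an intruder who changes a file can also re-hash it), and each finding would be routed to the same ticketing or SIEM pipeline that feeds the evidence an underwriter asks for at renewal.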
Tools and processes like these reduce an organization’s risk profile, making it more likely to avoid compromise and to recover swiftly when one occurs. That in turn lessens the chance that the organization would need to pay a ransom. Implementing these controls before applying for new coverage or undergoing renewal can also give the organization better negotiating power on rates.
Bolster incident response preparedness
A strong incident response plan, including a retainer with a data discovery and forensics firm that supplements your own security teams, will assist with recovery in the event of a data compromise. Limit exposure by proactively designating response team members, outlining communication protocols, determining which technologies to leverage, and conducting mock exercises. This demonstrates to insurers that the organization has taken an active role in anticipating and minimizing threats.
Explore alternate insurance models
As cyber preparedness rises in priority for organizations across industries and the cyber insurance market matures, new ways to evaluate risk and manage policies will emerge. Bi-annual, quarterly, or even monthly premium adjustments are within the realm of possibility. Insurers may require more frequent audits, with discounts for organizations that demonstrate sound security. Failure to maintain proper controls or to act in accordance with the policy could result in denied claims or dropped policies.
When choosing an insurer, it is important to know the emerging models and coverage options so you can determine whether the insurer’s risk appetite meets your organization’s needs. For example, if an insurer does not extend ransomware coverage, or does not offer lower rates even when an organization demonstrates healthy security habits, it may be time to explore alternate coverage.
Also consider the added value many cyber insurance policies include, such as incident response assistance and crisis management services, which may be an asset beyond the direct financial benefit. This may make a policy worth keeping despite price increases and coverage limitations.
If you enjoyed this blog, consider listening to our CyberSide Chats podcast on the same topic.