The growing number of ransomware attacks has burdened many organizations, but it has also greatly impacted the cyber insurance industry, which found itself having to cover large ransomware demands. This called for a change in policies, but also for enhancing cyber insurance with cybersecurity knowledge.
In this interview with Help Net Security, Odin Olson, VP of Alliances for Arctic Wolf, talks about the impact of ransomware on cyber insurance and the connection between security operations and the insurance industry.
Ransomware attacks have reached unprecedented levels lately. How has this impacted the cyber insurance industry?
Not only have ransomware attacks spiked, the amount of ransom demanded has grown exponentially—to somewhere between $50 and $70 million dollars. Cyber-insurers can’t cover “whatever amount the hacker demands”—so major policies lost money. Insurers have responded by raising premiums, restricting coverage, or even getting out of the cyber-insurance game altogether in vulnerable markets.
Prior to 2017, most insurers covered ransomware under traditional property and casualty policies. Beginning in 2020, several prominent cyber insurers reported massive direct loss ratios for standalone cyber insurance policies and began sub-limiting cyber extortion and ransomware policies and/or applying co-insurance provisions, forcing the insured to share more of the risk.
Between the rising costs and the evolving consequences of ransomware attacks, the cyber insurance industry has been operating at a loss, which is forcing a market overhaul.
Why do you think businesses are not aware of the value of cyber insurance and what can be done to change that?
There are several reasons that organizations are not taking action. Even those that are aware of the value are often not purchasing cyber insurance. Some of this is related to price, some is the “won’t happen to us” mentality, and increasingly, the coverage and carve outs are dramatically limiting the value to customers.
According to a Hanover study, 40% of U.S. businesses have no cyber insurance or a limit of $1 million or less in an insurance policy. With ransomware attacks targeting a wide range of industries, from technology to critical infrastructure, cyber insurance is an integral part of a broader security strategy and must be incorporated into the larger investment in security operations.
What do businesses need to be aware of and what do they have to ensure to get insurance coverage?
Coverage, pricing and requirements. Businesses should be prepared for major changes in each; some may be shocking. We’ve seen many examples of premiums tripling.
Investigate alternative carriers, deductibles, and coverage levels early. Some of the policies are likely to include new or modified requirements for both security tooling and operational maturity. It’s very common to have multi-factor authentication as a hard requirement. That can’t be implemented overnight.
Another common requirement is 24/7 security monitoring with logging. Complete security operations platforms meet many of these requirements and can be onboarded quickly.
How are security operations and the insurance industry connected?
Effective security operations are critical to minimizing both the likelihood and the impact of a cyberattack. Disparate tools will not fix the effectiveness problem facing organizations across the globe, nor will they stand up to risk assessments and external insurer requirements. An effective security operations strategy provides risk management leaders the foundation to confidently negotiate with insurance providers and set a long-term cybersecurity agenda that protects the entire business.
For insurance providers, there is an opportunity to partner with security operations experts to expand their cybersecurity expertise, to allow for more precise, accurate calculations for policyholders. Cyber insurers and security operations professionals must break down silos and recognize that together, they have a unique opportunity to coordinate effectively to better protect businesses.
What does the future look like for the insurance industry? How important is it for insurance providers to expand their knowledge on cybersecurity?
It’s paramount that insurance providers expand their knowledge on cybersecurity. The providers that do will be able to take full control over their policies. A deeper understanding of the cyber threat landscape will allow them to calculate risk for policy holders more precisely and set a standard for businesses when it comes to risk assessment.
One of the largest challenges facing insurance providers is the fear that they might be subsidizing cyber crime. As insurers learn the landscape and partner with the justice system and regulators, they can define the market that protects businesses, without subsidizing cyber extortionists.
Drastic changes are coming; otherwise, the cyber insurance industry will continue to operate at a loss. It’s critical that insurance providers partner with security organizations to protect businesses – cyber insurance is no longer a ‘nice-to-have,’ it’s an important part of a broader security strategy.