How the increase in ransomware has impacted the cyber insurance market
Panaseer shares data on actions enterprises are willing to take to solve the escalating cyber insurance crisis.
In recent years the cyber landscape has been dominated by a sharp increase in ransomware attacks. According to SonicWall, ransomware attacks increased 105% in 2021 and Sophos’ report, the “State of Ransomware 2021,” revealed the average ransom paid is now $170,404 but remediation costs $1.85 million, ten times the size of the ransom payment, on average.
The increase in frequency and cost of ransomware attacks has made ransomware a board-level risk and put the cyber insurance industry under extreme pressure. This is evidenced by a recent survey Panaseer conducted with over 1,200 global enterprise security leaders – 84% of respondents said their Board now wants to understand their ransomware protection levels. As such, 91% of security leaders are reporting their ransomware protection levels to the Board. For 86% of security leaders, ransomware protection is a budgeted 2022 priority.
The proliferation of ransomware has led to an increase in the frequency and value of cyber insurance claims. As such, many insurance providers have increased their premium prices and turned away prospects without sufficient cybersecurity precautions. According to Marsh, the price of cover in the US grew by 130% in the fourth quarter of 2021 alone, while in the UK it grew by 92%.
These changes in cyber insurance practices are putting businesses in a difficult position, as cyber insurance is fast becoming a condition for doing business in certain sectors. According to Forrester, cyber insurance has even become the price of admission for the partner ecosystem. To resolve the issue, many insurers will want some form of verification that businesses are taking the correct cyber hygiene measures, so they can more effectively price and allocate cover, akin to the shift that took place in the automobile market with black box car insurance.
Reducing the cyber insurance premium
The research shows that businesses are willing to make this shift, but they aren’t ready yet. According to the research, all the security leaders would be willing to demonstrate the strength of their cyber programme to cyber insurers, with data-driven metrics, if it meant they could reduce their cyber insurance premium. However, none of them are ready to do this immediately.
29% of security leaders believe they will be ready in the next 12 months, 57% hope to be ready in the next 13-24 months, with 14% not sure when they will be able to share the data. The most prepared industry is financial services (46.5% of respondents would be ready in the next 12 months), followed by healthcare (46%), utilities (27%), life sciences (21%), energy (20%) and lastly retail (13%).
Nik Whitfield, Chairman, Panaseer: “In recent years, ransomware has been the most high-profile risk in cybersecurity, which is why many Boards are concerned about its potential for disruption and damage. Thanks in part to the proliferation of ransomware claims during the Coronavirus pandemic, cyber insurers have also been forced to pay out on underpriced policies, pushing their portfolios towards being loss-making. The result is that the market has hardened, insurers have withdrawn and it’s much tougher for customers to get insurance at all, let alone good value on a policy.
“The current, distressing situation in the Ukraine may well increase the cyber risk to companies, making it harder for underwriters to effectively price policies and even harder for companies to buy any cyber insurance cover.
“However, a positive by-product of insurers pushing back, is that it will become another driver for businesses to enhance their cybersecurity measurement. As insurers look to find a way to make cyber protection workable for both parties, organizations will need to improve the way they communicate their security posture. We’re moving towards the era of evidence over opinion, hard data rather than subjective questionnaires.”