There’s been a sharp increase in the number of ransomware attacks carried out across the world in recent years. Whether it’s the Kaseya attack that affected up to 1,500 organisations, the DarkSide Colonial Pipeline attack on major infrastructure in the US, or the JBS attack that paralysed a global meat producer, these events are becoming more concerning for businesses.
Whereas past trends like DDoS attacks and data exfiltration were disruptive and costly, ransomware attacks can bring about the worst of all worlds – loss of income, data leakage, and having to pay the attackers’ blackmail demands. For cyber security and insurance organisations, this has forced a change in the way they work.
The devil’s in the details
The biggest recent challenge for insurers’ clients is that insurance companies are changing their small prints due to the rise in ransomware attacks, says Muttukrishnan Rajarajan, professor of Security Engineering and Director of the Institute for Cyber Security at City University of London.
“They are changing the clauses and it's getting impossible for small organisations to really understand what they are covered for in terms of ransomware attacks,” he explains.
He adds that in the UK, insurance companies are asking organisations to carry out the government’s Cyber Security Essential Plus certification. This is a government backed scheme that allows businesses to carry out a self-assessment of how secure their systems are in the event of a cyber attack.
What is ransomware?
Based on the results of this vulnerability report, insurers may then put specific conditions on the policy and limit the cyber liability insurance.
“This has been on the rise in the last few months and many organisations I speak [to] are really concerned, as they feel the cover they have may not be sufficient to pay for any costs involved in case of any attacks,” says Rajarajan.
Although he believes the UK is taking the right steps by asking for organisations to take the certification, Rajarajan believes that there are many limitations on these policies which is giving rise to many concerns, “especially to SMBs as they don’t have the budget [to] put the controls in place”.
Double the protection
Cyber security firms like ProLion have seen more interest in their products with the rise in ransomware.
How to reduce the risk of phishing and ransomware
Top security concerns and tips for mitigation
“We have seen a huge increase in companies approaching us to discuss how they can improve the way they protect their environment from the increasing ransomware threat,” says Steve Arlin, senior VP of Sales in the US and APAC at the company. “Companies now want to deploy multiple security layers throughout their environment as they have realised that endpoint protection is simply not enough.”
He’s also noted that there’s been a sharp increase in the cost of global cyber insurance. “Over the last 12 months there has been an average of 35% increases in costs, as insurance providers try to address the increasing risks,” he says.
Although ProLion is not currently collaborating with insurance companies to provide some kind of comprehensive cyber protection package, it’s something Arlin says the business is “keen to explore” due to the benefits it would offer both insurers and customers.
Similarly, Databarracks, a backup and disaster recovery company, has never found an insurance company who has been open to providing a package with them.
“We have tried on a number of occasions to work with insurers on this type of initiative and offer discounted cyber insurance policies to businesses that have a robust, well managed and tested backup in place,” says Peter Groucutt, managing director of Databarracks. “This would of course significantly reduce an insurer's exposure to potential cyber claims.”
Groucutt underlines that insurers have found it difficult, or not commercially attractive enough, to calculate this within their own business models and offer this type of incentive to customers. He calls this a “shame”, but believes it will almost certainly happen at some point in the future.
Cyber security firm Deep Instinct has taken a different approach, however. It recently launched a new anti-ransomware warranty worth £2 million that is underwritten by reinsurance company Munich Re. Customers using its software that get hit by a ransomware attack, or experience over 0.1% of false positive alerts, will be able to claim against the warranty.
Brooks Wallace, VP EMEA at Deep Instinct, says the money is “putting its money where its mouth is”.
“We went out to the market and said, ‘Yes, we can do this’, we can take it up a notch. We can do $2 million, more than anybody else on the market, because we have that kind of confidence in our technology built off the back of deep learning,” he explains.
Digital age, digital insurance
When it comes to the insurance industry, a group of seven cyber insurers, including AIG, Beazley, and the Hartford, have formed CyberAcuView to enhance cyber risk mitigation across the industry.
Both the frequency and severity of cyber attacks are growing at an alarming rate. AIG reported a 150% rise in ransomware claims in the US over the course of the past three years, while Beazley reported a 131% increase in claims between 2018 and 2019.
“More claims are being paid due to cyber insurance policies evolving over the last 20+ years to provide a unique blend of both first-party and third-party coverage,” says Mark Camillo, CEO of CyberAcuView and former head of cyber EMEA at AIG. “The most common element and frequently used benefit is incident response cover that can include IT specialists, legal advice, ransom negotiators, and public relations support.”
Camillo adds that with the increasing claim activity, cyber insurers have had to “re-evaluate their underwriting appetite”, with many insurers deploying a multi-faceted approach.
“This can include increasing premiums and deductibles, decreasing capacity and tightening policy terms. These changes are occurring after several years of cyber policy terms getting broader and premiums generally decreasing, so by taking action now, the goal is to ensure the long-term availability of the product line,” he explains.
Camillo believes that the insurance industry is taking the right steps by actively underwriting effective risk management practices such as strong authentication, proactive patching of vulnerabilities, suitable endpoint protection and monitoring, and secure privileged credentials.
“We’re seeing more transparency in the underwriting process to incentivise policyholders to improve their cyber hygiene,” he says.
Camillo says CyberAcuView was formed as a result of discussions within the insurance industry about the need for this kind of platform that had been taking place for several years.
“The recent cyber insurance report by the US Government Accountability Office (GAO) and the recommendations from the Ransomware Task Force both highlight the need for the industry to work together to advance common policy definitions, collect and aggregate cyber data, and accelerate loss-control best practices – all to improve overall risk mitigation and ensure a competitive marketplace,” he says.
Camillo has also seen insurers include loss-control services such as vulnerability scans, monitoring, and threat intelligence as part of their insurance policies, and IT security companies including warranties, often backed by insurers, in their product and service offerings.
“The end goal is to help organisations put in place end-to-end risk management solutions through a combination of cyber security and insurance, and these partnerships will continue to expand to provide even greater value to end users,” he says.
Overall, depending on how nations decide to tackle the threat of ransomware, the cyber security and insurance industries will continue to evolve, perhaps on slightly closer relations than before. It may even help strengthen the cyber security capabilities of businesses if insurers stipulate that certain defences must be implemented across an organisation before agreeing to underwrite them. However, if attackers know organisations have insurance, it could make them a potential target as they may be more likely to pay out a ransom, leading to a particularly vicious circle which sees insurance premiums increasing.
