How ransomware is destabilising cyber insurance – and what to do about it

How ransomware is destabilising cyber insurance – and what to do about it

With the rise of Ransomware-as-a-Service (RaaS) techniques, double extortion attacks and the low cost of ransomware kits, unsustainable loss ratios have convulsed the insurance market. Thom Langford, Global Security Advocate at SentinelOne, discusses why in order for businesses to protect themselves from ransomware, they need to stop choosing between investing in a better security stack or getting insurance cover – they must do both.

It used to be relatively easy for companies to secure cyber insurance. Indeed, many insurers leveraged cash-flow underwriting on cyber policies in order to pad out their books with premiums and, as a result, brokers were generally able to secure blanket cyber coverage for their clients at a good price.

However, with arguments over whether this insurance model was ever going to be sustainable in the long-term aside, evolving cyberthreats are testing organisations’ resiliency. In response, cyber insurance providers are becoming more versed in and responsive to specific cybersecurity threats, triggering shifts in insurance trends. In particular, the current ransomware threat landscape means not only is the cyber insurance bubble set to burst, the whole system is at risk of destabilising entirely.

The threat of ransomware attacks is escalating in terms of both volume and monetary value. When REvil operators exploited a bug in the Kaseya VSA software back in July, the criminals requested US$50 million for the universal decryption key. To put this into context, one estimation of all the ransomware extortion payments for 2020 was totalled at US$350 million. One contributing trend here is that the pandemic has forced many organisations to move to the cloud sooner than anticipated to enable their rapidly growing remote workforce, dramatically increasing the vulnerability of many of them to cybercrime.

Cyber insurance bubble about to burst?

While the need for cyber insurance has never been clearer, faced with the increased demands of ransomware victims, insurers aren’t as ready to provide it. Cyber insurance is a relatively new facet of the insurance industry and it seems it was only intended by insurers as being for unforeseen, unlikely and novel catastrophic events. But as the industry’s loss ratio rose for the third straight year in 2020, climbing more than 25 percentage points year over year to 72.8%, and ransomware events jumped 93% in the first half of 2021, something clearly has to change. Ransomware is neither unlikely or novel any longer, but rather has become a commoditised threat.

An intensified underwriting process is making life difficult

Unsustainable loss ratios have inevitably led carriers to intensify the underwriting process for cyber insurance. On the face of it, they are increasing premiums for less coverage and higher deductibles.

Looking at the process in more detail, carriers are also becoming much more vigilant about the controls that need to be in place in order to sell cover, while brokers are also reporting that all insurance markets are asking for higher security standards. Insurers are asking more questions about organisations’ cyber-risk posture and adding more exclusions. While there are no signs of insured companies wanting to drop coverage, if carriers don’t like anything they find during the underwriting process, apart from increasing premiums or cutting limits, they are becoming increasingly likely to simply walk away.

To make things even harder for organisations seeking coverage, insurance companies have realised they also need to diversify. Companies exist in a cyber ecosystem and attacks on one company can have a huge knock-on effect. For example, a single ransomware attack on a third-party provider could be catastrophic; carriers who insured many companies using the SolarWinds software would have faced huge losses as a result of the 2020 attack. In turn, as insurers attempt to spread their own risk through reinsurance, reinsurers are also tightening their own guidelines and reducing coverage.

Organisations seeking coverage will have to ensure their security posture is up to scratch

The upshot is, in order to both secure coverage and help prevent the complete destabilisation of the cyber insurance system, organisations will have to tighten up their security posture. During the underwriting process, insurers will be selective with risks and, as already stated, will be ready to walk away if anything is amiss. Therefore, organisations seeking coverage will not only need to know the key controls for ransomware attacks from back to front, they will also need to be prepared to be fully transparent about their security stack and be able to justify the extent to which it mitigates risk. This level of cyber maturity and leadership isn’t always readily available in many organisations.

As well as altering terms of coverage such as price and limits, insurance providers are also instituting demands on policies that require compliance with key security measures. For instance, some carriers are including security controls such as Endpoint Detection and Response (EDR) systems and patching schedules and other requirements in order to satisfy themselves that their insurance model is sustainable.

Furthermore, research suggests that organisations that see a decline in ransomware attacks and payment claims through the prioritisation of prevention and recovery procedures will go a long way with cyber insurers towards securing coverage. In turn, these companies can implement cyber insurance as another valid component of a robust security risk strategy, helping it become far more valuable to their business than a simple transfer of risk.

Security and insurance can’t be an either/or proposition

In the modern ransomware threat environment, two things are certain. Firstly, to qualify for cyber insurance or renewal, organisations’ technology stacks have got to meet certain high standards. Secondly, organisations have got to transfer some of the risk of a ransomware attack and obtain insurance as a key part of their cyber risk and recovery strategy. The problem is, many organisations are still viewing this as an either/or proposition, driving losses and – in a vicious cycle – contributing even further to the dramatic changes in how insurers are pricing risk at the moment.

As with any type of insurance, uncertainty leads inevitably to higher costs and fewer options. In order to protect themselves from the ever-evolving threat of ransomware, companies need to stop choosing between investing in a better security stack or getting insurance cover – they now need to do both.

Browse our latest issue

Intelligent CIO Africa

View Magazine Archive