With the rise of Ransomware-as-a-Service (RaaS) techniques, double extortion attacks and the low cost of ransomware kits, unsustainable loss ratios have convulsed the insurance market. Thom Langford, Global Security Advocate at SentinelOne, discusses why in order for businesses to protect themselves from ransomware, they need to stop choosing between investing in a better security stack or getting insurance cover.
It used to be relatively easy for companies to secure cyber insurance. Indeed, many insurers leveraged cash-flow underwriting on cyber policies in order to pad out their books with premiums and, as a result, brokers were generally able to secure blanket cyber coverage for their clients at a good price.
However, with arguments over whether this insurance model was ever going to be sustainable in the long-term aside, evolving cyberthreats are testing organizations’ resiliency. In response, cyber insurance providers are becoming more versed in and responsive to specific cybersecurity threats, triggering shifts in insurance trends. In particular, the current ransomware threat landscape means not only is the cyber insurance bubble set to burst, the whole system is at risk of destabilising entirely.
The threat of ransomware attacks is escalating in terms of both volume and monetary value. When REvil operators exploited a bug in the Kaseya VSA software back in July, the criminals requested US$50 million for the universal decryption key. To put this into context, one estimation of all the ransomware extortion payments for 2020 was totalled at US$350 million.
One contributing trend here is that the pandemic has forced many organizations to move to the cloud sooner than anticipated to enable their rapidly growing remote workforce, dramatically increasing the vulnerability of many of them to cybercrime.
Cyber insurance bubble about to burst?
While the need for cyber insurance has never been clearer, faced with the increased demands of ransomware victims, insurers aren’t as ready to provide it. Cyber insurance is a relatively new facet of the insurance industry and it seems it was only intended by insurers as being for unforeseen, unlikely and novel catastrophic events.
But as the industry’s loss ratio rose for the third straight year in 2020, climbing more than 25 percentage points year over year to 72.8%, and ransomware events jumped 93% in the first half of 2021, something clearly has to change. Ransomware is neither unlikely or novel any longer, but rather has become a commoditized threat.
An intensified underwriting process is making life difficult
Unsustainable loss ratios have inevitably led carriers to intensify the underwriting process for cyber insurance. On the face of it, they are increasing premiums for less coverage and higher deductibles.
Looking at the process in more detail, carriers are also becoming much more vigilant about the controls that need to be in place in order to sell cover, while brokers are also reporting that all insurance markets are asking for higher security standards. Insurers are asking more questions about organizations’ cyber-risk posture and adding more exclusions.
While there are no signs of insured companies wanting to drop coverage, if carriers don’t like anything they find during the underwriting process, apart from increasing premiums or cutting limits, they are becoming increasingly likely to simply walk away.
To make things even harder for organizations seeking coverage, insurance companies have realized they also need to diversify. Companies exist in a cyber ecosystem and attacks on one company can have a huge knock-on effect.
For example, a single ransomware attack on a third-party provider could be catastrophic; carriers who insured many companies using the SolarWinds software would have faced huge losses as a result of the 2020 attack. In turn, as insurers attempt to spread their own risk through reinsurance, reinsurers are also tightening their own guidelines and reducing coverage.
Organizations seeking coverage will have to ensure their security posture is up to scratch
The upshot is, in order to both secure coverage and help prevent the complete destabilization of the cyber insurance system, organizations will have to tighten up their security posture. During the underwriting process, insurers will be selective with risks and, as already stated, will be ready to walk away if anything is amiss.
Therefore, organizations seeking coverage will not only need to know the key controls for ransomware attacks from back to front, they will also need to be prepared to be fully transparent about their security stack and be able to justify the extent to which it mitigates risk. This level of cyber maturity and leadership isn’t always readily available in many organizations.
As well as altering terms of coverage such as price and limits, insurance providers are also instituting demands on policies that require compliance with key security measures. For instance, some carriers are including security controls such as Endpoint Detection and Response (EDR) systems and patching schedules and other requirements in order to satisfy themselves that their insurance model is sustainable.
Furthermore, research suggests that organizations that see a decline in ransomware attacks and payment claims through the prioritization of prevention and recovery procedures will go a long way with cyber insurers towards securing coverage. In turn, these companies can implement cyber insurance as another valid component of a robust security risk strategy, helping it become far more valuable to their business than a simple transfer of risk.
Security and insurance can’t be an either/or proposition
In the modern ransomware threat environment, two things are certain. Firstly, to qualify for cyber insurance or renewal, organizations’ technology stacks have got to meet certain high standards.
Secondly, organizations have got to transfer some of the risk of a ransomware attack and obtain insurance as a key part of their cyber-risk and recovery strategy. The problem is, many organizations are still viewing this as an either/or proposition, driving losses and – in a vicious cycle – contributing even further to the dramatic changes in how insurers are pricing risk at the moment.
As with any type of insurance, uncertainty leads inevitably to higher costs and fewer options. In order to protect themselves from the ever-evolving threat of ransomware, companies need to stop choosing between investing in a better security stack or getting insurance cover – they now need to do both.