Cyber Insurance: Why Businesses need To Tread Cautiously When It Comes To Ransomware
At first glance, cyber insurance plans seem to provide a substantial fail safe should an organization find themselves staring down at a ransomware attack. It seemingly provides a simpler process for dealing with an attack and an opportunity for getting normal business operations up and running as soon as possible. However, a closer look reveals a double edge that could also leave a deep cut in business owners’ pockets and heighten their vulnerabilities.
The landscape:
There was a 104% increase in the average ransom payment from Q3 2019 ($41,198) to Q4 2019 ($84,116)
-Coveware, Q4 Ransomware Marketplace
This past year, we have seen a major flood in ransomware attacks victimizing organizations of all sizes. New strains and increased attack frequencies are driving fears in boardrooms as ransoms and remediation costs continue to rise without a ceiling in sight. Cyber security spending, including cyber insurance policies, is subsequently also headed for an all time high in 2020 thanks to these increased threat levels. This growing need for cyber insurance has slowly turned it into a recognized, mainstream protection tool for businesses but as the demand grows, so does the cost. Reuters is predicting that some premiums will reach an increase as high as 25%. This inflation is propelled by two main factors- the number of claims and the costs to fulfill each claim.
What this mean for (Re)Insurers:
1 in 5 SMBs report being a victim to Ransomware.
– Datto Canadian Ransomware Report
Insurance companies will surely capitalize on the soaring number of organizations looking to incorporate cyber insurance plans, however, with so many companies now being targeted and terrorized by ransomware, more claims are being filed. As mentioned, with more payouts and higher demands comes an organic influx in premium rates. Cyber insurance as an industry will continue to grow and define itself with each claim filed. This means the enticing factor of having a little reprieve from a ransomware attack, could be injected with more red tape and higher standards to qualify before a payout will be considered.
More claims = More pressure on premiums and bigger burdens to qualify
Speculation and rumours of partial coverage specific to ransomware, and policies for high-risk/previously breached clients, could be on the horizon. This would certainly make more sense and create a more cost-effective approach to meet the demands of small businesses, but it still doesn’t address the misnomer that businesses can be reliant on cyber insurance alone.
Organizational Perspective:
In the event of a ransomware attack an organization is essentially left with two options – not paying the ransom or paying the ransom.
The choice is predicated on several “IF” factors:
IF there is a disaster recovery plan in place.
IF the company encrypted the locked data before the breach.
IF the network and files are backed up regularly.
IF the business believes they will actually receive the decryption key.
IF a cyber insurance policy covers the specific scenario.
Although, an organization can achieve lower rates by properly implementing all these points, it can seem like a large task for a company to solely take on in both time and money. Therefore, many organizations are now starting to rely on cyber insurance and opting to pay the ransom foregoing the necessity of some of the other points. The fallacy that cyber insurance can replace the other points creates a false sense of security and could essentially leave the company on the hook for a lot more than they bargained for.
Where the Idea Comes From
Governing framework for cyber security in Canada is at its infant stages, stuck somewhere between discovery and alpha, which means there is a lot of wiggle room for organizations when it comes to compliance and data protection. This isn’t to say that it’s the government’s fault, only that formal laws are not yet in place, therefore, interpretation of what makes for sound cyber security is left up to the company itself. Often, this subjective approach is skewed by price and convenience, rather than investing in what experts recommend, a multi-layered approach (all the above).
Side effects of the payouts:
To bridge the gap between the increasing number of cyber insurance policy holders and lower premium rates, organizations must consider the following side effects before paying off a ransom:
The Fine Print: companies need to know exactly what is and what isn’t covered under their policies. Does the contract only cover the ransom or are remediation and recovery costs included?
No Guarantees: there is no guarantee that the attacker will provide a decryption key once the ransom is paid.
More Attacks: Once an attack is deployed and paid, additional attacks can personally target employees/customers from the data accessed by criminals. Seeing that the company is willing to pay off an attack, might inspire a second attack as the criminals threaten to leak the previously locked data onto the Dark Web or internet.
Criminal Attraction: Simply having a policy could further attract cyber criminals by thinking a company will likely lean to paying a ransom since insurance is involved.
Multiple layers: Multi-layered protection and disaster planning is still necessary. Seeing a company is under prepared could represent a desperate and easy target for criminals. More security also means, faster recovery and less downtime to incur if a decryption key is not provided. It also means less cost to premiums by way of less risk and less payout needed by the provider.
Breach Reporting Laws: Breach reporting is now mandatory in Canada; keeping penalties and reputational damages to a minimum will be hard enough even with the simplest breach.
Further Qualifiers: Organizations need to understand the parameters of what qualifies for a policy payout and what action, or lack thereof, disqualifies them from receiving reimbursement.
The Solution:
Proper training and treading carefully (mixed with multi-layered security) have been proven successful and has established a pathway for avoiding the pitfalls of gullible email users by preaching prevention through safety and preparation. For smaller businesses, proper cyber security can seem costly and complicated. Therefore, an organization might find having a cyber insurance policy quite appealing. The argument is that SMBs should not solely rely on cyber insurance plans as a replacement for proper security. Mixing in cyber insurance to a simplified multi-layered plan would be an ideal solution in the eyes of most experts. Organizations should understand that cyber insurance does not commit them to paying off a ransom. In fact, having a plan does not necessarily mean paying the ransom to activate it. One can simply use the plan to cover the investigation and recovery costs when the correct policy is chosen. Overall, cyber insurance plans can be beneficial to companies looking to mitigate their cyber risks. It is up to each company to use this tool properly and tread cautiously at the risk of increasing premiums for others and putting themselves at even more financial risk.
Tips:
1) Never rely on insurance alone – Mix in a cyber insurance policy with your additional layers of cyber security.
2) Understand your policy - Make sure you have the right policy in place and understand what is covered.
3) Use it wisely - An attack will still be costly and hard to recover from regardless of insurance. Understand the risk involved to your future premiums and the immediate impact to your vulnerabilities.
Need help reviewing the terms of your cyber insurance policy?
Talk to a cyber security expert today and find out how we can provide simplified guidance to help make sure your organization stays compliant with the terms of your current cyber insurance policy.