Tribune: The Evolution of Cyber Insurance: The Unintended Consequences of Ransomware


By Robert Hannigan, Head of International Business, EMEA, BlueVoyant

The increase in ransomware over the past two years has been widely reported and has crippled organizations around the world. The resurgence of ransomware has led victim organizations to seek the cheapest and most legally compliant solution in the event of an attack. This is why many organizations have prioritized the adoption of cyber insurance programs. While cyber insurance has grown alongside cyber risks, it has proven difficult to stay ahead of those risks and be able to predict outcomes, posing a unique challenge for underwriters and brokers.

Insurance market growth

The cyber insurance market has been valued at $3 billion and is expected to reach $25 billion by 2026. The industry is measured by gross premiums written and, given the ever-increasing reliance on an interconnected technological world, it is easy to understand how cyber insurance was once considered a profitable business. However, ransomware has steadily grown, and so have the payouts that come with these attacks, with the average ransomware payout reaching almost $250,000 in 2021.

What all of these attacks have in common is that ransomware gangs are “suddenly everywhere, seemingly unstoppable – and highly effective.” In the jargon of insurers, these attacks would be described as “frequent and severe”. It is a combination that puts underwriters on high alert, as an insurer’s profits may be in jeopardy if the loss ratio starts to climb.

Cyber insurance underwriters do not have the same decades of actuarial claims data as other lines of business, such as environmental or property. This was a significant disadvantage when the severity of ransomware incidents reached a noticeable level in 2020, and it has only grown since. If and when there is not enough capacity in the market, and if claim payments exhaust the limits of the insurance policy, adjusting pricing matrices becomes a more difficult task for underwriters, and the uncertainty in the market is reflected in those prices.

Cyber insurance on security technologies and processes

The best way to secure any organization and put in place the most relevant insurance policy possible is to ensure that cybersecurity best practices are in place. While many basic cybersecurity processes can go a long way in protecting organizations, defending against the biggest hacks requires substantial cybersecurity investment. However, a gap in this thinking appears when companies operate in a market that encourages the purchase of cyber insurance policies rather than significant IT spending.

Cyber insurance policies shouldn’t mean a business becomes complacent about its cybersecurity. Hackers have become aware of the growing number of cyber insurance policies and in some cases are using them against the victim. DarkSide, a successful ransomware gang, recommended that Guess9, a recently targeted organization, “use their insurance, which covers just this case.” The group went on to suggest “they don’t need more than the cyber insurance amount.” A more recent example is the ransomware group Hive demanding £500,000 after an attack on Wootton Upper School in Bedfordshire, knowing that this was the same amount covered by the school’s cyber insurance policy. These cyberattackers are now able to identify which companies will give in and which insurers are willing to fund those payments, adding a layer of complexity to double extortion methods.

The company no longer needs to have the means to pay, as long as hackers can access the data room, find the insurance policy, and demand a ransom that matches or is less than the insurance cap. The question is: if you have a higher insurance limit, will that increase the likelihood of someone taking advantage of you? This question underscores the absolute necessity of applying cybersecurity best practices, even with an insurance policy in place.

Unintended consequences

The severity of ransomware attacks is also pushing insurers to increase premiums and devise stricter underwriting guidelines. Raising prices and restricting coverage may only be a short-term solution. However, developing stricter underwriting guidelines can be extremely effective as a long-term solution because it addresses one of the root causes that insurance is trying to correct: an unprepared organization.

By simply filling out an underwriting application, an organization can learn a little more about best practices and risks. These applications have evolved to be more like assessments. With stricter underwriting guidelines, insurers, brokers, and even cybersecurity companies can act as advisors or assessors. Indeed, insurers are now in a unique position and can play a leading role in helping to reduce ransomware claims.

In the future, new applicants will have to meet much stricter requirements to be covered by an insurance policy. These requirements may include having multi-factor authentication, managed detection and response tools and 24/7 SOC capabilities in place, the existence of backups, and proof that there are dedicated experts such as a CISO or established relationships with external IR teams. Cybersecurity training and regular penetration testing may also be required. Some insurers will add sub-limits, and others may even insert exclusions for damages or costs arising from certain known events, such as SolarWinds. Some may even require certain vulnerabilities, such as Log4j, to be mitigated before underwriting the policy.

Evolving industry standards

Recently, Lloyd’s of London announced the latest development in the cyber insurance market, marking yet another unintended consequence of ransomware. As Lloyd’s has long been a leader in the insurance market and is known for creating innovative cyber insurance policies covering complex risks, it would not be surprising to see other insurers follow suit; this mandate therefore has a considerable impact. The war risk exclusion announced on August 16 mandates the specific exemption of coverage for losses “resulting from war,” as well as state-sponsored cyberattacks that “significantly impair a state’s ability to function” or that have an impact on a state’s security capabilities. The mandate also requires syndicates to have a clear system for attributing an attack to a state actor.

The decision to make the exclusion clear and unambiguous is an important step for the industry. However, since the onus is on the carriers to defend the exclusion, it is questionable whether they have thought through the implications of this defence. The challenges are determining attribution with certainty and bringing together the most appropriate parties to achieve it, as well as the competitive position each carrier could take in shaping the process.

Government advice may be untenable for businesses

Governments around the world are consistent in advising victims not to pay ransoms, as this encourages future cybercrime. This position could become untenable over time, as attacks become more frequent and the victims, often public, are taken hostage. Most ransomware attacks are perpetrated by teams of experts, and despite the protection that basic cybersecurity processes can offer, it is ultimately a substantial IT investment by the board that will prepare organizations. The frequency and cost of ransom demands, insurance premiums, forensic investigations and class action lawsuits are increasing. These expenses have become unsustainable, especially for small and medium-sized businesses, where reputational damage can also be devastating.

Cyber insurance shouldn’t just be a reactive policy

Organizations should treat cyber insurance as a core program rather than a reactive policy. Cyber threats are only on the rise, and it is incumbent on private companies to research methods to mitigate and prevent attacks. Strengthening the organization’s security posture becomes a critical means of accessing insurance coverage and maximizing the cyber health of the business.
