Cyber insurance is a hot market, depending on who you talk to, and should be something every organization, regardless of size, should consider taking some out, maybe. That soundly wishy-washy assessment is our overarching observation after a four-week investigation into the industry.
In the past 30 years, since the beginning of the commercial internet, cyber insurance has been a growth sector in the insurance industry. However, as ransomware rose 600 percent in 2020 the players in the market for cyber insurance have started to drop out, leaving organizations fewer choices and increasing premiums. There are several reasons for this trend.
Is it affordable?
For some time, cyber insurance is affordable with $1 million of insurance costing as much as $2,000 a year. When the average cost of ransomware of $200,000, that size of a premium is a bargain. Larger organizations are buying much more, just as the size of ransom demands is going larger. According to Property Claim Services (PCS®), the first two cyber insurance programs exceeding $1 billion were underwritten in 2020. Still, for a small company, a $2,000 premium can be a significant expense, especially in a pandemic lockdown. Those smaller companies may adhere to practicing “security through obscurity” believing they are too small to be of interest to cybercriminals. However, the Verizon 2020 Data Breach Investigations report said 43 percent of all cyberattacks targeted small businesses for $200,000 on average, and 60 percent of those businesses went bankrupted by the attack.
Premiums have to go up to cover the cost of ransomware attacks
Then comes the question is it affordable for the insurance industry. The rise of attacks during the pandemic has forced many insurers to drop out of the market altogether, reducing the number of potential insurers available and driving up premiums.
“From the trends that we’ve seen throughout 2020, and showing no signs of abating in 2021, ransomware is massive. Correspondingly, premiums have to go up to cover the cost of ransomware attacks,” said Maxine Holt, senior research director at Omdia. Holt said those costs reduce insurance as a mitigation strategy. “Some will just turn around and say, I’ve got to take the risk.”
A fairly new trend among insurers is negotiating with ransomware gangs to lower their demands for an assured payout.
(To hear the entire interview with Holt, click here)
“Every single time that there’s a ransomware attack on one of our customers, one of the first steps is to negotiate,” said Sidd Gavirneni, CEO of the cyber insurance startup Zeguro. “How much we can get depends on the group. If they are amateurs, then it’s, it’s fairly easy to negotiate with them. But if they have done this many times, which is what the scenarios are nowadays, then you probably can get them down by about 20 percent, but not a whole lot.”
But as the negotiated payouts mount up, insurers are being pickier about whom or whether they insure the companies, according to Holt.
“It’s very easy to run a piece of software to see how secure a particular organization might be. There are all sorts of software out there that insurers use to determine how secure an organization is.” Holt said. These evaluations can leave a company out in the cold if their security practices are so egregious to invite an attack.
This can be a positive outcome, though. After doing the evaluation they may tell the organization that they are currently uninsurable but give a list of mitigations that would make them insurable. The downside for the insurance companies is that if a potential customer follows the mitigation recommendations, which could be costly, it could also eliminate the need for insurance.
“That’s a valuable service an insurance company could provide that would encourage organizations to sign up, fix those areas where they are weak, and maybe never even have to spend any money on the insurance,” Holt surmised.
At the same time, this gives insurers additional products to sell.
Pingback: Insurance industry using weak reasons to not pay - Cyber Protection Magazine