Navigating the Evolving Cyber Insurance Landscape

Joseph Tarraf


January 13, 2022

In the past year, increased ransomware attacks have led to a boom in the cyber insurance market. While paying ransoms is still discouraged, multiple major organizations suffered costly ransomware attacks in the past twelve months alone. For example, one of the world’s largest meat suppliers, JBS USA, paid an $11 million ransom after suffering a ransomware attack in May. The Colonial Pipeline attack also resulted in a $4.4 million ransom payment to cybercrime group DarkSide.

A number of insurance providers have responded to these attacks by increasing the cost of premiums. According to the Marsh Global Insurance Market Index, average cyber insurance prices increased by 35% in the United States and 29% in the United Kingdom in the first quarter of 2020, while international insurance broker Howdens reported a 32% rise in premiums between June 2020 and June 2021. Now, the market is in the hardest place it has ever been, and businesses are facing increased premiums, regulatory changes and new difficulties in the renewal process. 

The Rise in Premiums

In the last 18 months, we have gone from seeing cyber incidents mostly related to business email compromise and data breaches to more sophisticated ransomware attacks. The increased attacks have also impacted critical infrastructure across the globe and highlight the escalating risk that all businesses now face from organized criminals and state-sponsored hackers.

To prevent major financial fallout from these attacks, businesses around the world have turned to cyber insurance. As premiums continue to rise, a bigger onus falls on businesses that use and rely on cyber insurance to improve their cyber resilience.

Underwriting Concerns for Cyber Insurance Renewals

Businesses that are unable to meet strict underwriting requirements can be subject to significant rate increases, and in some cases may not even be able to obtain cyber insurance. In the current market, multi-factor authentication (MFA) is a key requirement when applying for cyber insurance renewals. MFA requires a second factor (like a one-time use code) in addition to a password. Underwriters are going to expect MFA to be in place for all remote access, as this tends to be a valuable first line of defense to prevent account compromises.

Insecure IT protocols are also a key factor to consider during the renewals process. Old protocols like remote desktop protocol (RDP) are inherently insecure and have been one of the most common entry points for ransomware attacks. Underwriters use cyber rating tools extensively during the renewals process, and if these tools detect insecure protocols, companies are likely to be denied cyber insurance coverage or heavily sublimited.

Effective and timely patch management helps prevent exploitation (or hacking) attempts. Best practice is to patch infrastructure in a timely manner, especially for critical vulnerabilities. During the renewals process, underwriters expect businesses to have strong plans in place for an emergency as well as critical patches.

In most cases, cybercriminals also target backups to hinder restoration and further extort victims. To prevent this, businesses should store data offline to make it inaccessible to hackers. In the current market, underwriters are keen to understand if a company’s backup strategy meets their backup needs.

Endpoint detection and response (EDR) is often viewed as the next generation of endpoint protection software. It detects suspicious activities on computers and servers and may provide an opportunity for rapid containment in case of a malicious event. Having properly configured and monitored EDR in place is another thing businesses can do to effectively navigate the underwriting process.

Also, an effective incident response plan is a key requirement during the renewals process. In the event of any incident, speed matters—a slow response plan would likely increase business interruption costs. Businesses are expected to document their incident response plan, and in most cases, include a ransomware playbook describing how a ransomware incident will be handled.

The Importance of Employee Training

The shift to remote work during the pandemic has highlighted the importance of employee training in effectively managing cyberrisk. According to a report from Code42, over the past year, 78% of IT security leaders say their organization has experienced a data breach resulting in the loss of sensitive information, and 38% of the time, these breaches were due to inadvertent employee negligence.

Often, breaches result from employees inadvertently clicking on a malicious link or otherwise sharing sensitive data with threat actors, allowing them access to a company’s network. Cybercriminals are aware that in some cases, employees could be the weakest link. Therefore, effective training helps to raise awareness about cyber threats and reduce the risk of a cyberattack. Employee training should be informative and engaging to ensure that the entire team understands their importance as the first line of defense, and businesses should implement annual cyber awareness training, as well as quarterly phishing tests. Employees who are not successful during the cyber awareness training should be encouraged to receive further training. There should also be incentives for good behavior, such as reporting phishing attempts.

Navigating New Regulatory Changes

Some critics argue that lawmakers should make payments to cybercriminals illegal, as some believe the payments encourage further attacks by making ransomware more profitable.

The U.S. government and various law enforcement agencies have also become more active in combatting ransomware gangs. For example, in October 2020, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory that any payment made to a sanctioned entity—even under the duress of a ransomware attack—would violate federal sanctions regulations. In September 2021, OFAC restated the U.S. government’s opposition to ransomware victims making payments to cyber threat actors.

The OFAC advisory aims to deter victims of cyberattacks from paying ransoms and ensure businesses undertake comprehensive pre-transactional due diligence before making any ransomware payments. This pushes businesses to more proactively defend against attacks.

Insurance payouts for ransomware payments have been criticised for years for potentially making victims more likely to pay ransoms, thereby encouraging more attacks. In the past year, some major insurance providers have backed away from covering ransomware attacks. For example, earlier this year, global insurance company AXA announced that it will stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.

Clarity in Cyber Insurance Policies

As cyber insurance continues to become a more sophisticated purchase for both large and small companies, it is important that they thoroughly evaluate potential risks as they secure cyber coverage.

Cyber insurance policies might offer coverage for some of the impacts from cyber incidents such as business interruption, financial loss, loss of data, ransomware attacks and expenses associated with an attack. However, business leaders should review their policies for any potential exclusions.

Insurers are seeking to distinguish silent cyber exposures from within property and all-risks policies that were designed without cyber risks in mind. Before purchasing a cyber insurance policy, business leaders should have an open dialogue with their insurance brokers to ensure that their cyber risks are adequately covered by the insurance policies without ambiguity.

Ransomware attacks also continue to be a profitable business model for cybercriminals. As business leaders continue to look for new ways to protect themselves from the various forms of cyberrisk, especially ransomware attacks, they need to adopt the right strategies to help their business effectively navigate the constantly evolving cyber insurance landscape.

Joseph Tarraf is managing director, cyber security for S-RM.