May 19 2023

When Combating Ransomware, What Are Your Cyber Insurance Options?

After a ransomware attack, organizations incur an array of costs. One way to mitigate them is through a cyber insurance policy, but is that the only answer for your organization?

In recent years, the frequency and sophistication of ransomware attacks have continued to escalate. In many cases, those attacks have piled up significant costs for their victims, and not just from the ransom payment. Extended downtime after an attack, expensive recovery efforts and reputational damage all hurt an organization’s profits after a breach.

According to an October 2022 blog post from NetApp, “The actual cost of a ransomware attack extends far beyond the ransom payment — it can add up to be 7 times the ransom demand.” 

“As far as overall costs go, experts estimate that the ransom payment adds up to only about 15% of the total cost of the ransomware attack,” the NetApp post continues. “And the real stinger in all of it is that only one in seven organizations who pay a ransom actually get their data back.”

Cyber Insurance Companies Are Tightening Their Payout Policies

According to Heidi Shey, principal analyst at Forrester, “Cyber insurance is only one component of a bigger enterprise cybersecurity risk management program. However, the cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage, and a demand for policies that outweighs available supply. After years of affordable and readily available policies, the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.”

Jason Cray, technical owner of the data protection and information management practice at CDW, has picked up on similar shifts in the cyber insurance market. Cray and Tony Roberts, senior solutions engineer at CDW, have both noticed new limitations on cyber insurance policies during their work with CDW customers.

“The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”

Cray agrees, citing insurance companies’ use of overly complicated paperwork. Insurance applications used to pose 20 to 30 questions, Cray says, but those forms now routinely include more than 400 questions worded in conflicting or confusing ways that make them nearly impossible for applicants to answer.

Regarding questions about an organization’s immutable storage, Cray says applicants might wonder, “Do I answer yes? My answer is yes. And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’” Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “And that’s the reality of what clients are facing today.”

“It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance. Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’ And I think companies have to take a look at that from a risk perspective.”

Larger Organizations Could Self-Insure Against Ransomware

Cyber insurance has become a growing trend and, in many cases, an operational requirement. While it can help to defray the costs of a ransomware attack, it could also be a beacon to cybercriminals, indicating a willingness to pay the ransom they intend to demand. In some cases, organizations might want to consider self-insuring to protect themselves in the event of a ransomware attack.

“Self-insurance basically becomes a line item in the budget,” Cray explains. “They budget and say, we already pay X amount on premiums to an insurance company to have insurance. Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.”

Yet, some organizations don’t have the resources to self-insure. For smaller organizations, there are still ways to reduce the cost of cyber insurance premiums. Roberts notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.

“The key to it is that you have to qualify for their ransomware warranty,” Cray says. “When you sign up for their premium support, that means they have somebody who’s actively monitoring your environment to make certain you’re following all the best practices, even when they are updated.” The warranty gives an insurance company greater confidence, and it may be willing to offer a cyber insurance policy at a lower rate.
