As insurers tighten standards on ransomware risk, safety measures become even more important to securing coverage.
The Colonial Pipeline ransomware event illuminated the dark deeds that cyber extortionists perpetrate every hour on businesses of all sizes and types, though few of the attacks have the news value of causing massive fuel shortages.
From 2019 through 2020, ransomware payments using cryptocurrency increased more than 300%. Nearly six in 10 (59%) of U.S.-based companies experienced a ransomware attack in 2019, with only 25% of the organizations able to stop the attack before their data was encrypted and/or exfiltrated by the extortionists, according to a survey of IT managers by Sophos in early 2020.
Cybercriminals are learning how to go “big game hunting” within company systems as they broaden the scope of industries to attack. For instance, while healthcare and financial services companies have long been favorite targets, law firms are increasingly being attacked due to the sensitive client data they store. Last year, one New York law firm faced a $42 million ransom demand. The average payment reported by U.S. organizations in a 2020 survey by CrowdStrike was slightly below $1 million.
Cyber insurance can lessen the financial impact of ransomware incidents. But the proliferation of such attacks has driven up the cost of cyber insurance. Many insurers have tightened underwriting standards, with some exiting the cyber insurance market, according to the Institute for Security and Technology. The silver lining is that the remaining carriers tend to have the deepest experience in working with companies to help analyze and manage the risk.
To better guard against ransomware and secure the best cyber coverage on the most favorable terms, companies of all sizes need to make sure they have strong risk mitigation plans and procedures in place. Large companies typically have the resources to support these strong risk mitigation efforts, but many mid-sized and small companies have lagged. Our Mid-sized Company Risk Report survey indicates that 40% of mid-sized companies do not have a digital risk management strategy.
Best practices for thwarting ransomware attacks
The best defense against a ransomware attack is to understand the tactics of cybercriminals to better prepare for and respond to incidents (more on these best practices below).
Most ransomware attacks are designed to interrupt business flows until a ransom is paid; others are predicated on extortion — to exfiltrate sensitive or confidential data and threaten to release this information to the public or competitors. While a company can back up its data and network to minimize interruption caused by a traditional ransomware attack, this form of protection is inadequate in a cyber extortion scheme.
We’ve summarized a few of the best practices companies can follow to minimize risk and make robust insurance coverage easier to secure, drawn from the September 2020 Ransomware Guide put out by the Multi-State Information Sharing & Analysis Center:
How cyber insurers can help
Regardless of company size, working with an insurance company that offers specialized cyber insurance coverages can help all businesses assess and improve their cyber risk profile. Specialized cyber insurance policies may provide coverage for not just the ransom payment but also the costs of the business interruption and related expenses like data breach notification, forensics costs, regulatory defense and penalties, public relations and credit monitoring, among other costs.
Leading providers often support their insurance policies with resources that are designed to help companies understand their exposures, establish a response plan, and minimize the effects of a breach on the business.
For the large companies that already have strong risk mitigation practices in place, the key issue becomes understanding the complexity of their exposures and tailoring coverage accordingly and in concert with their broader insurance program. Expert cyber underwriters, working closely with their partners in claims, can walk companies through different scenarios to build a better understanding of risk, customize coverage terms and conditions, and ensure confidence in how the insurance policy will react.
At a time when the number of available cyber insurers is decreasing and the cost of cyber insurance is increasing, the best practices cited above will help thwart a ransomware attack, while improving a company’s cyber risk profile to help secure optimal cyber insurance protection.
Meredith Brown is vice president at global insurer QBE North America.
Megan Scully is a senior vice president, financial lines claims, at global insurer QBE North America.
Opinions expressed here are the authors’ own.