New challenges have emerged that make it difficult to transfer risk.
Ransomware has changed the game
An overlooked yet increasingly important challenge in information risk management is finding the right balance between cybersecurity spending and cyber insurance. We continue to see organizations hit with ransomware delivered through a variety of vectors, including spam email, drive-by downloads, lateral movement from other compromised systems, and web-based messaging applications. The steady stream of successful ransomware attacks and payments is netting these criminal groups millions of dollars, which in turn costs businesses and insurance companies millions of dollars. For example, cyber insurance provider Coalition Inc. says the average ransom demand made to its policyholders “nearly tripled [emphasis added] from the first half of 2020 to 2021, from $444,489 to $1,193,159.”
Historical data is just not that helpful
Insurance companies are seeing a much different landscape today than just a few years ago. Even though cyber insurance now has a multi-decade history and far more pricing data is available than ever before, long-term actuarial tables are of little use: the loss experience they were built on no longer resembles the present. If ransomware is singled out, payments are many times higher than they were just three years ago. According to Fitch Ratings, the direct loss ratio for standalone cyber insurance increased from 34% in 2018 to 73% in 2020. This unpredictability in claims further increases the risk carried by insurers and can cause significant shifts in how policies are underwritten.
Insurers are taking action…sometimes against the insured
The consequences of rapid change and higher losses are pushing providers to fight back. While there is little recourse once a company has been taken down (the extortion group holds all the cards), providers are trying to negotiate lower ransoms on behalf of claimants. They are also taking more dramatic steps with their policies and with their insured customers (read: you).
An insurer’s first recourse against an organization is to deny the claim. Cyber insurers often refuse to pay policyholders who cannot demonstrate ‘reasonable care’ in running their security program. Policies carry specific exclusions for ‘failure to maintain’ or ‘failure to follow’ stated controls, and insurers use these clauses as grounds to reject a claim. For instance, security reviews routinely cite patching as a critical process for maintaining a network’s security posture. Most reviews will, logically, prioritize externally facing systems because of resource constraints, but failing to patch even non-Internet-facing systems can result in the claim being denied. This is especially true when the attacker used an unpatched vulnerability on an internal host for lateral movement, since the insurer can then tie the unpatched system directly to the loss.
Additionally, insurance companies can point to human error as a reason to deny a claim, and incidents originating with outsourced service providers are frequently excluded as well. According to CPO Magazine, “evidence is building that many cybersecurity policies might be close to worthless [emphasis added] due to exclusionary clauses.” The result is a double whammy: the organization shoulders the extended costs of an incident, such as reputational damage and recovery, and then has its claim denied on top of that. Risk leaders cannot afford to underestimate the difficulty of recouping those losses.
You’ll not only pay more, but you might not be eligible for insurance at all
Potentially more problematic, insurance companies are not just denying claims; they are now denying coverage altogether. As noted, the current rash of ransomware has caused insurers to tighten their underwriting guidelines, either making it harder to qualify for insurance at all or charging additional premiums to grant coverage. ‘Shrinkflation’ (the term for producers giving you less product for the same price) is also happening as providers add sub-limits or lower the limits on certain aspects of a policy, ransomware and extortion coverage in particular. We have seen a significant increase in providers modifying policy language to exclude specific coverages as well. Some clients even report being dropped as their providers exit the cyber market entirely. With fewer carriers willing to write cyber policies, the ones that remain can charge even more.
Hope is not a strategy
Hoping that risk could simply be transferred to an insurance company, as many corporate risk managers and CFOs have sought to do in the past, was never a sound strategy. It is also important to remember that understanding the risk of attack is not just a concern for the Fortune 100. According to Beazley Group, while the large attacks generate the buzz because of their impact on society, 62% of attacks were on small- and medium-sized businesses. Attackers know that this segment of the market is most likely to have lax security processes and procedures. In addition, small budgets and a rapidly changing security marketplace have made it increasingly difficult for small- and medium-sized organizations to field enough personnel and up-to-date technology to deter, detect, or deflect an attack.
Ransomware is changing the game with respect to what an immature security program actually costs a company. Organizations can compensate for the shortcomings of cyber insurance through a thorough review of the controls that determine their ability to withstand and recover from a ransomware attack. It is critical to do the basics well (including patching internal as well as Internet-facing systems and limiting lateral movement) and to become more efficient at detection and recovery. The most direct consequence of a ransomware attack, the ransom payment itself, can usually be avoided by having reliable, regularly tested backups that the attacker cannot reach and a disaster recovery process that has been exercised, with the caveat that backups do not remove the leverage of an attacker who also threatens to leak stolen data. Since the risk mitigation choices can be difficult ones, the full cost of a breach should be understood alongside the cost of insurance, especially as risk, security, and finance teams continue to become more closely aligned.