Cybercriminals are taking no prisoners: In 2020, a survey found that 28% of businesses that suffered an attack were forced to defend themselves on at least five more occasions from other attacks. What’s inspiring the brash confidence? The ransoms criminals are able to score are, in large part, to blame.
For instance, fitness and navigational product giant Garmin reportedly handed over millions of dollars to ransomware attackers that shut down the company’s devices and services for several days. Customers saw messages such as, “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls.”
The attackers demanded $10 million to allow Garmin to regain control of its systems. To negotiate the deal, Garmin enlisted the help of Arete IR, a company that specializes in navigating these kinds of tricky exchanges.
The culprit appears to have been WastedLocker, a form of ransomware developed by the Russian hacker group Evil Corp. The US government had placed Evil Corp under sanctions, making it illegal to engage in any kind of business with them, but Arete claimed their actions were legal. They argued there was no definitive link between WastedLocker and Evil Corp.
Regardless of the source of the attack, Garmin got back online to serve its customers. Big insurance player CNA Financial Corp. also paid ransomware hackers, to the tune of $40 million, to regain stolen data in May 2021. They regained control of their systems shortly thereafter.
But is all well that ends well? Recent trends in cyber insurance reveal that attackers may be taking advantage of companies with policies, and the insurance industry is responding.
Top 5 Cyber Insurance Trends in 2022
Some of the trends in cyber insurance that are turning heads include increasing demand, tighter terms and exclusions, lower coverage limits, rising premiums, and what seems to be an invitation to cybercriminals.
1. Increasing Demand
Many large ransomware attack settlements have made the headlines, but many more don’t garner the same attention. To safeguard their organizations financially and reputationally, companies are running to cyber insurance for protection. For them, bolstering their coverage makes sense—according to IBM, the average cost of a data breach in 2021 was $4.24 million. Cyber insurance insulates organizations from financial losses that can easily run in the millions and the reputational damage that can have even farther-reaching consequences, financial or otherwise.
The increase in demand for cyber insurance is also likely due to attacks becoming more and more frequent. According to a study by cybersecurity provider Check Point, between 2020 and 2021, there was a 50% jump in the number of attacks each week. The most attacked sectors included education, healthcare, and government. While companies can’t prevent attacks, they can use insurance to cushion the financial impact of cybercriminal activity, which likely could have been prevented if the company used zero trust identity as a security model.
The effects of these attacks are felt on a worldwide scale. In the UK, for example, firms have taken steps to bolster the cyber insurance industry in response to the expanding threat landscape. UK insurance company ABI has specifically noted that they are taking action in connection with Pillar 2 of the UK National Cyber Strategy 2022-2030. That pillar emphasizes the need for the UK government to intensify its efforts against cyberattacks. Insurers appear to be following the government’s lead.
2. Tighter Terms and Exclusions
Insurance companies have been responding to the fallout by tightening their terms and exclusions. In this way, they can limit the amount they have to pay out—based on a predetermined ceiling and the details of the attack.
This is in response to some surprising numbers, particularly what’s known as the direct loss ratio. In the insurance industry, the direct loss ratio refers to the proportion companies pay out on claims in relation to the amount they earn in premiums. From 2019 to 2020, the direct loss ratio associated with cyberattacks jumped from 47.1% to 72.5%. Although the industry has pared it back to 65.4% in 2021, according to a Wall Street Journal report, this still means that for every $1 collected in premiums, insurance companies have to pay out $0.65.
Considering that this amount may not take many daily operational expenses into account, the impact on the bottom lines of insurance companies can be devastating. Tightening their terms helps soften the blow while still providing coverage to the companies they serve.
3. Lower Coverage Limits
Dropping coverage limits is a logical step for insurers, especially considering the costs of ransomware settlements. In addition to the multi-million dollar payments companies funnel to ransomware hackers to get their systems back, a cyber insurance policy may also have to cover the following:
- Letting customers know about a breach
- Restoring the personal identities of customers that have been impacted
- Recovering data that’s been compromised
- Repairing the damage to computer systems
This means that in the event of a breach, the insurance company may have to cover both the losses incurred by the business and those incurred by its customers. So if a business has to replace a server for $3,000, for example, and 3,000 customers lost an average of $5,000 from their financial accounts, the cost of the attack suddenly jumps up to $15 million. Insurance companies, recognizing the increased risk these situations expose them to, have understandably dropped coverage limits.
4. Rising Premiums
On the other side of the insurance equation are premiums, which refer to how much customers have to pay for their coverage. The increases have been substantial: In September 2021, the premium increase was 174%. This makes sense and follows car insurance pricing logic. If someone has a poor driving record, one riddled with accidents and other high-risk events, they often have to pay more than someone with a lower risk profile. In this way, the insurance company uses the probability of a payout to reduce its risk.
The rise in cyberattacks has, in effect, made all companies “bad drivers”—entities very likely to file a claim. By increasing premiums, insurance companies reduce their exposure and make it easier to remain solvent in an unpredictable cyber landscape.
5. An Open Invitation to Cybercriminals
Cybercriminals, especially ransomware attackers, usually target companies with cyber insurance policies. To understand why, consider a simple illustration:
Suppose you’re a criminal that wants to make a quick $10,000 by kidnapping someone. You’ve scoped out two potential targets using bank account statements you had a hacker retrieve for you. Both are married men. One potential victim’s wife has $300,000 in her bank account. The other target’s wife has $250 in her account. Which man would you want to kidnap?
Companies with large cyber insurance policies are like the wife with $300,000 in her account. If a cybercriminal knows an organization has a robust insurance policy, they’re more likely to launch a ransomware attack on it. Paying up is simply a matter of making a phone call and filling out paperwork. No need to shift assets around, borrow cash, or find other ways to dig up the money.
It’s becoming increasingly easy for cybercriminals to identify ransomware settlement targets, says cybersecurity solutions expert Fortinet. And as Cisco points out, “Cybersecurity insurance offers the ability to [transfer risk] to an insurance company.” In a turbulent business environment, anything that enables you to defer risk is worth considering.
Best Practices for Insurers and Businesses
When looking for an insurance policy, it’s best to take the time to sit down with an insurer with extensive experience in the cyber insurance sector. Organizations are also responsible for systematically evaluating the different kinds of risks they face. As Palo Alto Networks explains, cyber coverage “is not an ‘all-risk’ type of policy that covers anything and everything resulting from a cyber event,” so you will also want to know how each company’s coverage compares to your specific needs.
For insurers, cyber threats can’t be taken lightly, not just because of how they can impact your clients’ systems but also because of how they can affect your bottom line. Clearly communicate to clients your premium amounts, what they cover and what they don’t, and why you may have to set them so high.
Strategically Using Cyber Insurance to Your Advantage
Cyber insurance is a great way to protect your business from significant loss. It’s important, however, to properly assess the risks you face, as well as understand the factors that are changing the cyber insurance landscape. In this way, you can safeguard your assets in a constantly shifting attack ecosystem.