Cyber Insurance Rates Drop Significantly

  • James Blake, Global Head of Cyber Resiliency Strategy at Cohesity

  • 16.07.2024 01:45 pm
  • #insurtech #cyberinsurance #security

After a run of record numbers of ransomware attacks, there is some good news: increased competition in the cyber insurance market is causing premiums to fall, by as much as 15 percent compared to the previous year. However, companies must meet a number of conditions in order to receive a payout in the event of a cyber attack.

The number and impact of cyber attacks have continued to rise over the past two years. Nevertheless, insurers in both Europe and the USA are lowering their cyber insurance rates. According to a report by the broker Howden, premiums fell by 15 percent in 2023 compared to the previous year, and the price decline will continue this year. In the USA, premiums fell by 17 percent in 2023 compared to the previous year.

This is surprising because both the number of claims and the amounts claimed have increased. In 2023, 13 percent more cases were reported and the severity of the damage increased by 10 percent. The average loss is around $100,000.

Insurance isn’t a panacea

Cyber insurance can provide important funds to help compensate for an attack, and in some cases even provide support in response efforts, but having the cybersecurity hygiene measures to avoid attacks and effective cyber resilience to mitigate their consequences is the only winning hand.

Companies, including financial organisations, should also understand that even if the insurer pays the ransom, they are often still faced with a series of logistical problems. Even after paying, it may take several days to obtain the decryption keys from the attacker. Some types of ransomware also use a separate decryption key for each system. The IT team then has to identify which key belongs to which system while the Configuration Management Databases that hold that information are themselves encrypted; it has to distribute those keys while contact lists, email and even Voice-over-IP telephone systems may be impacted; and it then has to rely on every key being entered accurately.

Encryption mechanisms used in ransomware are designed for speed, not integrity. Only 4 percent of organisations that pay a ransom are able to recover all their data, on average 14 percent of the data remains unrecoverable, and the victim has no control over which data is lost. On top of that, the growing threat of wiper attacks destroys entire data sets outright. Cyber insurance can never compensate for these types of losses.
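As an added illustration of the integrity point (this is example code written for this page, not from the article, Cohesity or any real ransomware family): a speed-first encryptor that XORs data with a keystream and writes no authentication tag will "successfully" decrypt damaged ciphertext into silently wrong plaintext, whereas the same scheme wrapped in an encrypt-then-MAC check fails closed. The SHA-256 counter-mode keystream, the key and nonce, and the sample CMDB-style record are all constructed for the demo. The practical takeaway for a recovery team is the last step in `demo()`: never trust a decryptor's output until it has been verified against known-good hashes or backups.

```python
import hashlib
import hmac

# Toy keystream (SHA-256 in counter mode). Constructed for this demo only;
# it stands in for any fast, unauthenticated stream/CTR cipher.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def fast_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Speed-first path: XOR with keystream, no integrity tag at all."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

fast_decrypt = fast_encrypt  # XOR with the same keystream is its own inverse

def authenticated_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext || HMAC-SHA256(key, nonce || ciphertext)."""
    ct = fast_encrypt(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct + tag

def authenticated_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before releasing any plaintext."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext corrupted")
    return fast_decrypt(key, nonce, ct)

def corrupt(data: bytes, offset: int) -> bytes:
    """Flip one bit at offset (simulates a damaged sector or interrupted write)."""
    b = bytearray(data)
    b[offset] ^= 0x01
    return bytes(b)

def demo() -> dict:
    key = b"k" * 32   # constructed key (hypothetical)
    nonce = b"n" * 8  # constructed nonce (hypothetical)
    # Constructed sample record: the kind of CMDB row a recovery team needs
    # to map a per-system decryption key to the right host.
    record = b"host=db-prod-07;ip=10.20.30.40;owner=finance;decrypt_key_id=4412"
    good_hash = hashlib.sha256(record).hexdigest()  # known-good hash from backups

    # Unauthenticated path: one flipped bit decrypts without error, but the
    # key id in the recovered row now reads 5412 instead of 4412.
    ct = corrupt(fast_encrypt(key, nonce, record), offset=60)
    recovered = fast_decrypt(key, nonce, ct)
    silent_garbage = hashlib.sha256(recovered).hexdigest() != good_hash

    # Authenticated path: the same corruption is rejected before use.
    blob = corrupt(authenticated_encrypt(key, nonce, record), offset=60)
    try:
        authenticated_decrypt(key, nonce, blob)
        detected = False
    except ValueError:
        detected = True

    return {"silent_garbage": silent_garbage, "detected": detected, "recovered": recovered}

if __name__ == "__main__":
    result = demo()
    print("unauthenticated decrypt produced wrong data silently:", result["silent_garbage"])
    print("recovered row:", result["recovered"].decode())
    print("authenticated decrypt caught the corruption:", result["detected"])
```

The same single bit flip produces a plausible-looking but wrong record on the fast path and a hard failure on the authenticated path; the only reliable signal on the fast path is an independent hash or backup comparison, which is why recovered data must be verified rather than assumed good.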

Ransomware operators are increasingly being sanctioned by governments around the world. I hope you're not thinking about going to Disneyland anytime soon if you're paying an OFAC-sanctioned group, because your stay could end up being 30 years longer than expected. Lastly, you need good internal documentation showing that you have put in place all the measures and processes the insurance contract requires. Otherwise, you risk a very unpleasant dispute at the end, in which the insurer argues that the victim company's non-compliance voids the policy and withdraws coverage. Such disputes can quickly end in a court case, at a highly sensitive time for the victim company, which is still trying to survive the consequences of a serious cyber incident. It should be the personal responsibility of company leadership to avoid this hopeless situation.

The key is to prepare for this crisis in advance: develop contingency plans and standby environments and build a culture and capability of cyber resilience. Together with their IT teams, leadership teams must develop an emergency toolset and playbook for running their entire IT estate in emergency mode, combined with the tools and procedures for response and recovery, so that data can be restored without paying anyone for it.
