The recent rash of ransomware attacks has resulted in widespread interest in cyber insurance – specialty insurance products that cover a business' liability for data breaches involving sensitive customer information, loss of revenue from downtime and ransom payments to attackers. Over the past five-plus years, companies have recognized the need for greater protection from the risk of the evolving security threat landscape – and the cyber insurance market has been evolving to meet demand.
Enterprises see the need for additional coverage for two reasons: 1) the potential magnitude of the financial losses from a cyberattack, and 2) the exclusion of coverage for cyberattacks from general liability policies. Cyber insurance is typically a policy rider or a separate policy that covers multiple types of attacks, from basic nuisance hacking to attacks that cause significant disruption to business. It is triggered when the security incident is confirmed as originating from an outside force.
Cyber insurance originated in the financial services sector and was initially intended to cover loss of personally identifiable information and associated fraud. As new types of attacks have emerged, other industries began acquiring cyber insurance to mitigate losses due to theft of customer data and proprietary information.
Protecting Against the Risks of Ransomware Attacks
Ransomware has become a game changer; a ransomware attack has the potential to disrupt a company’s ability to continue operations for an extended period of time. A ransomware attack on a healthcare provider, for example, can create the potential for a loss-of-life scenario. Manufacturing and energy companies have similar concerns due to the potential impacts on complex supervisory control and data acquisition (SCADA) systems that control industrial processes. Municipalities and local government agencies face critical decisions if their ability to provide emergency services such as 911 is compromised, not to mention the significant revenue loss that is possible if tax systems are put in jeopardy. And industries that rely on sophisticated supply chain systems have very low thresholds for outages before significant losses begin to occur.
Companies and public sector organizations that are attacked are left with the decision to either pay the ransom or potentially go out of business. Cyber insurance that includes coverage for ransomware attacks – by reducing financial exposure and ensuring the ability to pay quickly and regain access to critical systems – is generally viewed as an effective way of mitigating these risks.
How to Get the Right Cyber Insurance Coverage
Because of the growing number of attacks and the size of the payouts, the cost of cyber insurance is increasing. This makes it especially difficult for small- and medium-size businesses to afford the proper amount of coverage. On top of that, insurance providers are forcing strict standards on policyholders, requiring periodic system audits and validation of technical security controls to maintain a policy, further impacting smaller organizations that lack the funding and expertise to implement the required level of security.
The fact that advanced persistent threat (APT) groups recently indicated they are actively targeting companies known to have cyber insurance is also impacting the price and availability of coverage. In early May of this year, AXA became the first insurance company to publicly acknowledge it was excluding coverage for ransomware payments. Although this exclusion was limited to France, we expect this trend to continue globally as losses grow.
It is important that companies shopping for cyber insurance closely examine policies to ensure inclusion of coverage for ransomware, emerging threats and reputational damage. We also recommend that policy seekers closely evaluate exclusions for repetitive attacks, incidents that would be considered “acts of war” and activities by nation states that may result in denied coverage for a ransomware attack.
ISG helps companies navigate the cyber insurance market and determine coverage that is right for them. Contact us to discuss how we can help you.
About the author
Doug currently leads the ISG Cybersecurity unit and offers expertise in cybersecurity strategy, large-scale transformation projects, infrastructure, digital enablement, relationship management, and service delivery. Clients benefit from Doug's expertise from years of working with global clients within the life sciences, automotive manufacturing, aerospace, banking, insurance, financial services, healthcare, utilities and retail industries, as well as his deep and current knowledge of the service provider market. Doug routinely performs Strategy and Assessment engagements to assist clients in understanding how to select the optimal organizational and operational models to meet their business needs while minimizing security exposure and risk of loss.