While there is anecdotal evidence that cyber insurers – and their known clients – are being targeted, as criminals know ransomware demands are likely to be met, the market is playing catch-up. Recent Talion research shows that 70% of UK cybersecurity professionals believe insurance payments to companies that have paid a ransomware demand exacerbate the problem and cause more attacks. At this pivotal moment, there needs to be more openness, collaboration and uniformity, according to our expert panel.
Kirsten Bay, CEO, Cysurance
Roger Grimes, Data-Driven Defense Evangelist, KnowBe4
Jason Nurse, Associate Professor in Cyber Security, University of Kent
To what extent is cyber insurance driving ransomware attacks?
RG: It’s complex to answer. I see many people say: “Yes, there is no doubt that cyber insurance is driving ransomware.” And then lots of other people say: “There’s no way, and there is no evidence.” So I don’t know for sure. But there is at least some anecdotal evidence suggesting that cyber insurance has driven attacks. There was a recent interview with someone from REvil who said going for organisations with cyber insurance was “one of the tastiest morsels”. There have been many cases where criminals have broken in and demanded, say, $1 million, and the counteroffer has been $50,000 because “that’s all we have”. Then the criminals might come back and say: “But I see your cyber insurance covers you for $200,000, so we will take that.” Plus cyber insurance companies are targets themselves; some gangs are looking for cybersecurity insurance policies on the network so that they can steal the database.
JN: I don’t think that the cyber insurance industry is driving ransomware. While there is anecdotal evidence, the more difficult question is: is this a big issue in the grand scheme, or is this one of the many factors motivating criminals to target particular organisations? Other factors driving the rise of ransomware might include geopolitics, nation-state support, and the difficulty of tracking cryptocurrencies. Insurance does have a part to play, though.
KB: At Cysurance, we distribute solutions through managed-service providers. Given there are over 3,000 cybersecurity product companies, and it’s a multi-billion-dollar industry, our philosophy is that products need to help solve this challenge. Unfortunately, efficacy is relatively poor, and we have not reached the top of the maturity curve. With all of these attacks, we see that insurance premiums are skyrocketing, and the ability to get cyber insurance is becoming more challenging. It was an incredibly soft market for a long time, and because ransomware attacks were rare, it was very profitable. But almost overnight, things changed. This transformation is typical, and what we see in this consistently evolving risk component is very different from anything else seen in insurance compared to hurricanes, wildfires, or car crashes. I admit that sometimes I lie awake at night wondering about loss ratios.
How can cyber insurers help to reduce the threats?
KB: We provide subscribers with a mini sensor that essentially acts like a smoke detector, monitoring network traffic for warning signs, but reaching zero risk is not realistic. Collectively we have to limit the impact to help recovery and limit the cost of a ransomware attack. There needs to be what I call a “cyber seatbelt” – this includes multi-factor authentication, backups, and so on. Consider that a seatbelt reduces something like 80% of the impact of a car crash. As insurers, we can help people recognize where they are in terms of cyber risk. Companies often don’t recognize they are “spray” targets and get caught in the net. Undoubtedly, many small businesses have not engaged with cybersecurity and perhaps don’t understand the threat, making them easy targets.
JN: I’ve seen cyber insurers go in and engage with organisations and discuss risk and crisis management. This is a crucial nudge in the right direction for smaller businesses especially. Insurers are perfectly placed to say: “We can give you cyber insurance to cover ransomware, for example, or a couple of parts of privacy where some of those forms of attack apply, but as part of it you need to work with us and implement controls X, Y and Z.” The critical point is that cyber insurance is not a replacement for good cybersecurity. There does need to be more understanding and awareness. It’s tough because there might be 100 controls to limit cyber risk. Which controls are essential to one entity or another? Also, there is a lack of uniformity of policies.
RG: It’s kind of cool to see cyber insurance providers pushing security. Often smaller organisations want to get insurance for the first time, and they’re being told: “You have to have MFA”. As Jason said, there are so many controls, and it is worth companies of all sizes doing a risk alignment on those controls. Without doubt, the best that you can do is mitigate social engineering, better patch your software, and have either a good password policy or MFA.
What does the future hold for the cyber insurance market?
KB: If you think seatbelts became mandatory when the data showed that they greatly limited risk, perhaps the same will happen with the “cyber seatbelt”? Another thing we are doing, aside from the mini-sensor threat monitoring, is enabling businesses to push audit information to the insurance carriers to understand what’s in place.
RG: I do think mandating is going to play an increased role in keeping cybercrime down. I see attacks in front of my eyes like never before. I really believe that cyber insurance will probably be one of the key ways that we’re able to defeat it, finally. Policies haven’t worked so far. But I think if cyber insurance people talk to the C-level at businesses, it will help drive more change quickly. Whether cyber insurance becomes mandated or not, I applaud what’s happening today with insurance and the proactive approach.
JN: Speaking about cybersecurity at the board level feels like this is a big breakthrough moment. Business leaders understand insurance, so perhaps that’s the best way to raise awareness about cybersecurity and build collaboration. Cyber insurance has a role in combating ransomware, but you should always remember that cyber insurance should complement good cybersecurity, and they should be used together. Cyber insurance helps with the residual risk, ultimately.
Watch the full webinar recording here.