By Roger Grimes. Ransomware is stealing so much money and interrupting so many businesses that it might be the beginning of their undoing. It is certainly radically changing the cybersecurity insurance industry in a bunch of different ways.
Ransomware has risen from modest background noise to the number one threat worried about by everyone in cybersecurity today. I am not hearing much about email worms, malicious insiders, or pass-the-hash attacks. Today, it is anxiety about ransomware every day, everywhere, with victims all over the place.
The number of ransomware victims has risen significantly over the years, as has the percentage of those victims paying the ransom and the amount of ransom paid per victim. Just a few short years ago, the average ransom paid was under $20,000 and most victims did not pay. Today, most victims are paying the ransom, the average ransom paid is over $100,000, and we so routinely read about multi-million-dollar payouts that they rarely generate big headlines. The biggest ransom paid that I have heard about so far is $40M, but I bet it is not the biggest one paid. It is just the biggest we have heard about publicly.
All of this ransom paying has caused a serious shake-up in the cybersecurity insurance industry. Just a few years ago, insurance companies were flocking to get on the gravy train of easy cash. Cybersecurity insurance companies were keeping 60% of every dollar of paid premiums, and many of them did not really care how secure the entity they were insuring really was. As one experienced cybersecurity insurance professional, Anjali Camara, cyber practice leader for Connected Risk Solutions, told me, “It used to be that many insurance companies sent out a five-question survey and three of those questions were name, address and telephone number!” Those days are gone.
Ransomware has been so successful in compromising victims and getting big payouts that it has led to a rapid, fundamental change in the cybersecurity insurance industry. Many previous cybersecurity insurance players are getting out of the industry or refusing to insure against ransomware and other cyber crime. Those that are left are charging more, insuring for less, and requiring proof of far stronger controls before a policy is issued.
Camara explained, “We are seeing some insurers refrain from writing certain industry classes due to their high exposure and susceptibility to ransomware attacks—some of those include real estate entities/title agents (due to the funds transfer fraud exposure specifically), Professional Employer Organizations (PEOs), Managed Security Providers (MSPs) and manufacturing companies.
We have a couple of insurance companies that will still write them, but the security control requirements are long and the premiums are HEFTY. The only classes of business that we have not been able to get insured at all are payment processors and gambling/gaming. I have been hearing that some carriers are starting to co-insure the crime portion of the policy, which is not what we would be looking to offer our brokers. And then there are others that are completely pulling out of the space and I am sure we will see even more of that as time goes on.
Most of the insurers that we have relationships with (we have about 30 appointments) are not carving out ransomware and crime, but they are heavily limiting the coverage. Before the market hardened, $1M was pretty standard for a crime limit. Now, most insurers are offering $100k-$250k max and many of them are only offering $50k crime limits for the real estate class.
If the insured wants a $500k limit, then the security requirements are extensive and the premium is significantly increased, and even more so for a $1M limit if the insurer is even willing to consider offering $1M in crime. In one instance, we have seen the carrier carve out the social engineering portion of the crime coverage, so I can expect that we may continue to see this trend for risks that are more highly exposed or that have experienced a breach due to a social engineering or phishing attack.”
Expect significantly higher premiums, less coverage, more exclusions, fewer options, and stronger requirements.
Part of the problem is that ransomware gangs started to directly abuse the system. Many cybersecurity experts have worried that the cybersecurity insurance industry is too easy a conduit for money flowing from the victim, through the insurance company, to the ransomware gang. But organizations are making a business decision, and if they can buy insurance coverage that significantly reduces their financial risk, then it often makes sense to get insurance.
On top of that, the cybersecurity insurance industry often has access to the best incident responders. Once an incident is reported, the insurance company wants to keep costs low and recovery time to a minimum. To that end, they contract with experienced companies that respond to hundreds or thousands of ransomware events a year. And that is a good thing for customers. They do not have to go shopping for a good ransomware recovery specialist in the middle of a crisis if they do not already know one; the insurance company can get the victim good help quickly. It is a win-win.
Cybersecurity Insurance Companies Directly Targeted
One of the major problems is that ransomware gangs started to specifically target some cybersecurity insurance firms and their customers because they could, with a little digging, find out how much ransom they could ask for before doing much work. There have been many stories published where ransomware gangs had obviously searched for and found a victim’s insurance policy after breaking into the victim’s environment.
The victim would come back with a low-ball figure early in the negotiations, and the ransomware gang would respond with the maximum figure they knew the victim was insured for. So, a hint to anyone who has a cybersecurity insurance policy: make sure that document is not online, or specially protect it, so that a complete environment compromise does not result in the document being read.
Insurance companies have been targeted in a few ways. First, they were broken into by the ransomware gangs, and their customer lists and insured amounts were learned. It essentially gave some ransomware gangs a wish list of whom to attack and for how much. Additionally, when some insurance companies stated they would no longer pay any ransoms, the ransomware gangs attacked and exploited those firms as a warning to other firms considering the same blanket policy. All in all, the cybersecurity insurance industry is under pressure like never before. This has resulted in less insurance being available, higher premiums, and a change in services.
Full Vulnerability Scan
Now, when you go to get cybersecurity insurance coverage, you are much more likely to be asked a long survey of questions trying to gauge whether your cybersecurity policies are sufficient or not. Many insurance firms are now actually doing external vulnerability scans to see if there are any glaring publicly accessible holes before they issue a policy. It used to be, when getting cybersecurity insurance, that customers with any found weaknesses would be given 30-, 60-, and even 90-day remediation grace periods after the policy was granted to fix the problems.
Now, they get at most a few weeks, and most of the time the weaknesses have to be fixed before the policy is issued. If the insurer detects a vulnerability later on, the insured organization may only have a limited time to correct it before its cybersecurity policy is invalidated.
New Insurance Offerings
Some cybersecurity insurance firms are going even further, trying to become your “risk management-as-a-service” vendor. They will not only vulnerability scan you during your policy registration and renewal process, but all the time in between! Because of the incident response experience they have accumulated, some progressive cybersecurity insurance firms are starting to offer the services of, or act like, managed security service providers (MSSPs).
They will ascertain your current risk, make recommendations, and constantly monitor your status. If you need someone to read your logs or patch your computers, your friendly cybersecurity insurance company may be able to do that for you. Why go to one company to insure your risk and another to manage it when it can be the same firm?
And if you do get hit by ransomware, many cybersecurity insurance firms now have their own in-house incident response teams and specialists. It used to be that all the cybersecurity insurance firms outsourced that to the “experts”, but now, because of what they have gone through, they have the experts and are the experts.
As one cybersecurity insurance firm told me, “We have more incident responders and fixers than underwriters.” That is an amazing statement. That same firm told me that if you get hit by ransomware, they will even quickly do a blockchain search and find out if it is legal for you to even consider paying the ransom.
That is where ransomware has left the cybersecurity insurance industry. It is causing rates to go up and insurance options and coverage to go down. But it is also turning cybersecurity insurance firms into managed security service providers. Cybersecurity defense has always been about risk management; it is just now being managed from start to finish that way.
SAT Angle
Everyone still agrees that the best way to run an organization is not to get compromised by hackers and malware in the first place. The number one way hackers and malware break in is social engineering (followed by unpatched software). Anything you can do to prevent social engineering and phishing from being presented to your end users, you need to do. A good defense is cheaper than incident response. If you want to know everything you can do to prevent social engineering and malware, check out my free ebook.
The cybersecurity insurance industry is in the middle of radical change. If you already have a cybersecurity insurance policy, call your broker to see if anything has changed, because the terms you had in the past will certainly not be the terms you have going forward.
Additionally, you may want to check whether they offer any other services that they did not previously offer. To paraphrase an old commercial, today’s cybersecurity insurance industry is not your father’s cybersecurity insurance industry. In fact, it is not even what your cybersecurity insurance industry was just a few months ago.