By Matthew McCabe
As the cyber insurance market continues to grow, it’s only natural to discuss its role in the battle against ransomware, which has been a prevalent topic in recent months, and other cyber-attacks.
Most discussions highlight its value as a risk mitigation tool and its ability to respond to fast-evolving cyber threats, including ransomware.
But some opposing viewpoints have emerged in the media in regard to ransomware, including a recent critique arguing that cyber insurance has served as an incentive for cyber extortion attacks.
This argument does not hold up. The truth is that ransomware attacks against businesses occur for one reason only: criminals are succeeding.
Far from being part of the problem, cyber insurance can be a valuable tool in the fight against ransomware and other cyber threats. Fulfilling its traditional role, cyber insurance pools insureds that are similarly at risk and spreads their potential losses.
And those who have criticized it have gotten some important facts wrong:
- Ransomware victims are rarely “targeted.” More often, attackers target a specific but widespread vulnerability that will distribute ransomware to the maximum number of potential victims.
- Insurance hardly creates an incentive for extortionists. Ransomware demands usually top out at five figures and for many businesses, that cost is a nuisance.
- Although no one wants to support cyber criminals, organizations are forced to weigh the option of paying ransomware demands against the risk of operational disruptions that could last weeks or months and cost far more, as well as impact on customers, reputation, and business continuity.
- Insurers do not make decisions about whether to pay extortionists — the insurance buyer always makes the final call. If an insured declines to pay, the insurer supports it, paying network recovery costs and reimbursing it for income lost as a result of the attack.
Beyond its specific purpose in thwarting ransomware attacks, cyber insurance is valuable for other reasons. The insurance underwriting process raises awareness of cyber threats, identifies how companies should be responding, and educates insureds.
After an attack, cyber insurance serves as a mechanism for convening the right team of experts, including legal counsel and computer forensic analysts, to assess the incident and recommend a response in a timely fashion.
So what do the critics get right? Cyber insurance pays claims. For more than a decade, cyber insurance policies have reliably paid claims for ransomware, network interruptions, data breaches, and related liability. Leading insurers handle thousands of claims a year, and US carriers paid cyber claims totaling an estimated $394 million in 2018.
Cyber insurance is a valuable component in a larger risk management strategy, which includes technology as well as training, education, and testing. To combat ransomware, companies still need to teach employees how to recognize threats, patch regularly, limit user privileges, and establish sufficient cyber hygiene to avoid being an easy target.
Companies are fighting hackers on an unbalanced playing field, where defense is much harder than offense, and cyber insurance has proven to be a valuable partner in that fight.
Data breach is like lightning. You never know when or where it will hit, what damage it will cause. To meet this risk, a new kind of insurance is coming on the market: cyber insurance. This product is an alternative to traditional insurance that only covers physical assets and excludes the protection of digital data.
According to the Ponemon Institute, the financial impact of cyber-crime amounted to nearly 4.8 billion euros in 2016. Faced with the resurgence of cyber-attacks, the protection, and insurance of the digital heritage has become a priority for managers of large companies and SMEs. With this in mind, insurers are developing new offers to offset the losses caused by cyber-offenses (e.g. hacking, data breach, denial of service, viruses) and better support their customers in their cyber-security approach.
While for the moment, large companies are the main consumers of insurance products against cyber risks, the need for protection is growing rapidly for SMEs. As a matter of fact, the US National Cyber Security Alliance reported that up to 60% of small SMEs that suffer cyber-attack, go bankrupt within the first 6 months following the attack. Further, a 2015 study conducted by NetDiligence reported that on average, a cyber breach claim amounts to $673,767 underlying the level of risks that businesses face as a result of possible cyber breaches.
Cyber liability insurance: a booming market in light of economic conditions
According to the Allianz barometer, cyber-crime ranks among the major concerns of companies. An observation that suggests that the potential of the cyber insurance market is expanding at a great pace. Indeed, the rise of social networks, the flight of data to the cloud, the trend towards the digitization of the value chain of companies or the interconnection of information systems, are all factors that make companies vulnerable to digital risks. The EU directive requiring companies to report to victims all breaches of personal data reinforces the impact of cyber-crime on companies’ brand image and the need for insurance.
Insurers increasingly sensitive to business demand
To meet the growing demand of companies protecting against the risks of cyber-attacks, specialized insurers but also generalists do not fail to develop new ranges protection.
On the other hand, due to the absence of historical data on this type of threat, the assessment of the risk and scope of impact remains a complex activity for actuaries. To date, the tariff for this type of protection is calculated on the basis of the size criteria of the enterprises, the nature and quantity of information held, and the degree of dependence of the institutions on their system of protection. For some companies, premiums can reach several hundred thousand dollars per year.
Protection that must be integrated into a real risk management process
While some of the risks can be outsourced to insurers through insurance contracts, companies are not exempt from developing real risk management policies, consistent with their objectives and strategic orientations.
Because of the number of premiums, considered too high for subscribers, large companies are now the main signatories of cyber insurance contracts. Nevertheless, the need for SME coverage is well established. Small businesses are increasingly subject to these types of risks. Being still insufficiently protected, they become easy prey for the aggressors, and all the more so when they maintain close ties – commercial among others – with larger structures. The insurance agents at Densmore Insurance Strategies, Inc understand potential risks you can face in the event of a cyber attack.
In line with the high level of risks resulting from cyber-breach, both large and small businesses must invest heavily in securing their systems against possible breaches. However, this is in itself insufficient, businesses must invest in cyber-insurance as a way of covering any losses that may result from breaches.