Why is underwriting ransomware risk so difficult?
Here's why ransomware presents unique challenges for cyber insurance providers.
Typically, ransomware events trigger cyber policy coverages for investigations, data restoration and extortion costs.
The average ransomware claim rose more than 50% to $74,354 in 2020 from $48,709 in 2019, according to one U.S. cyber market study, and the FBI reported ransomware complaints increased by 20% in 2020 from 2019.
Ransomware attacks have quickly separated themselves from the average malware attack most insurers have addressed. A ransomware attack is distinct from a single-system malware attack in several ways:
- Scale: A ransomware attack can impact far more systems, significantly increasing the costs of forensics and restoration of services. Scale is a component of how an attacker creates business interruption at an organization. The more assets impacted, the more leverage the bad actors have on the victim.
- Business impact: Ransomware can degrade a business’s ability to serve customers due to the encryption of data on computer systems. Even operational technology may be impacted in manufacturing environments. This can impact both internal and external-facing services.
- Unpredictable nature: Extortion demands can vary and evolve, which makes underwriting a potential ransomware attack and its severity difficult for insurers, especially in the event of a correlated attack impacting multiple organizations.
Along with the increase in attacks and the size of claims, ransomware presents unique challenges for cyber insurance providers, including inadequate claims data, confusion about adequate coverage levels and the need to educate policyholders on cyber hygiene.
Inadequate historical claims data
Relative to the traditional property and casualty lines of business, which have decades of claims data to inform underwriting, cyber insurance is only in its adolescence. Ransomware is also a new hazard in terms of “insurable events,” meaning underwriters have little historical information to help them develop premiums.
External cybersecurity posture indicators are attributes of a company’s digital footprint that provide insight into the security of an organization. Identifying these external indicators, such as domain name system security, patch cadence and malicious network traffic, can aid the underwriting process. These indicators can help assess the security posture of an organization, from general cybersecurity through ransomware-specific defenses.
The severity of a potential ransomware attack on a business is challenging to measure and is often determined by response time. Many attacks begin long before they are detected by a security team, since the vulnerability facilitating the attack had not been previously identified. But there’s a direct correlation between the severity of an attack and the length of time it takes to recognize and respond to a ransomware attack or data breach. The longer it takes to recognize and respond to an attack, the more the ransom cost can potentially increase, as more data can be exfiltrated and used for extortion purposes.
Confusion about adequate coverage levels
With the frequency and severity of ransomware constantly increasing, it’s difficult to know the right level of cyber insurance coverage that businesses need.
Policyholders must understand the value of their data, or they risk not having enough insurance to protect themselves. Insurers track the price of records, whether they are medical, financial or personally identifiable information. These prices can help estimate the cost of customer notifications, credit protection and other policy elements that could impact a cyber insurance claim.
In addition, new risks are continually emerging, making it hard to stay up to speed and to underwrite risks confidently. Ransomware itself is one example of this, as is the addition of data exfiltration and extortion to ransomware attacks. Mapping a new risk to existing policy terms or rating plans is possible with some careful thought about the origin of the peril.
Educating policyholders on cyber hygiene
Just as businesses are committed to financial record accuracy, all companies must be steadfast in their commitment to monitoring for cyber threats. Both can negatively impact overall performance. Proactive security measures at the policyholder’s organization can reduce the likelihood of a ransomware event and potentially mitigate the severity of a successful attack.
Cyber threats evolve on an increasingly frequent basis, and reviewing an organization’s capabilities to meet those threats can provide insight into deficiencies that should be addressed. Addressing deficiencies in cyber or financial records in a proactive manner increases the likelihood of avoiding unwanted outcomes.
Part of the issue stems from the fact that cybercriminals don’t necessarily need to be successful in every malicious attack, while those defending their network must constantly be vigilant to protect themselves.
Usually, an attack happens in stages. First, a cybercriminal manages to access a computer, then seeks an opportunity to access a server and then gets their hands on data. The attack becomes more technically complex as it unfolds and also becomes more valuable for the attacker — once they have access to data, they then have the leverage to extort their victims.
It’s the difference between a break-in thwarted in a lobby versus the file room. If you catch a bad actor before they’ve accessed your files, you minimize the risk of confidential information reaching the wrong hands. But if the bad actor is able to access your files, or somehow export them to the wrong hands, you’re now vulnerable to extortion — the criminal now has leverage against the victim. The sooner an attack is thwarted, the less potential there is for problems down the road.
Cyber risk is constantly evolving, and new risks emerge every day. Awareness of new risks is one potential opportunity to promote good cyber hygiene and make organizations less vulnerable to potential ransomware attacks. The insurance industry must be agile to address these new challenges.
Robert Behny is senior director, cyber data & partnerships at Verisk Cyber Solutions. He can be reached at robert.behny@verisk.com.