Ransomware attacks against corporate data are a crime barely more than 15 years old. Yet in that time, a majority of large and small businesses surveyed said they have been victimized by data breaches, and dealing with these cybercriminals has become an unfortunate cost of doing business.
This widespread crime – more than 80% of companies in a recent survey admitted they’ve been victimized in the last five years – has spawned a new form of insurance. A new report from Delinea, an access management and security company, found that nearly 8 out of 10 companies it surveyed have had to use their cyber insurance and more than half of those have used it multiple times.
“Executives and boards use cyber insurance to lower the costs associated with potential breaches. As a result, most organizations are scrambling to buy or renew a policy, even as the insurers pull back on what they will cover and simultaneously raise the price of coverage,” said Art Gilliland, CEO of Delinea. “Our report shows that insurers are increasingly requiring organizations to implement a broader set of security controls to try to reduce the number of customers leveraging their policies. With 80% of companies leveraging their insurance policies, it is expected that more advanced solutions are needed.”
The survey, conducted among 300 US-based IT decision makers, found that nearly 70% of organizations have applied for cyber insurance, with 93% being approved when they applied, and 65% claiming the process took less than three months. While risk reduction is the main reason for applying, the report found, one-third of respondents claimed that it was also due to requirements from executive management and boards of directors. About 25% cited recent ransomware incidents as a primary decision driver.
Despite policy requirements to increase security, such measures are not preventing attacks, the report said.
Mandating 'core security tools'
“To contain risk, insurers are mandating that policy holders have core security tools and practices in place. So why are nearly 80% of companies still experiencing cyber events that require insurance? Clearly, checking the policy requirements isn’t enough to keep organizations safe,” the report said.
Early insurance policies only protected against physical asset damage such as hardware and network infrastructure, not the data and monetary loss from downtime. Determining the value of data is more complicated than assessing physical assets.
Many insurance companies now cover a variety of risks associated with cyberattacks, including ransomware, data theft, business downtime and more.
And yet, the frequency of claims is causing some insurers to pull back on covering what is most needed, with only about 30% of organizations saying their policy covers critical risks including ransomware, ransom negotiation, and decision on ransom payment, according to the Delinea report.
“Our customers, and with our guidance, understand what they might be able to do to best reduce the chances that they become a victim,” said Tim Francis, vice president and enterprise cyber lead for Travelers. “And then sometimes the threat actors change their methodology, so we see ebbs and flows. But within those ebbs and flows, there’s still a steady increase in the number of events that take place, and maybe more importantly, the types of customers that get affected. Rather, there's really no limit to the size of company or industry, or geography of company that would necessarily put one customer at ease.”
Measures to thwart attacks
Francis says there are a variety of measures companies can take to thwart attacks, such as multifactor authentication, so that companies know who is using the network.
“That's fairly low hanging fruit, and a really, really good deterrent,” Francis said. “It’s not foolproof, but a good deterrent from most of the common ransomware variants.”
Other recommendations, he said, are to keep systems up to date and not to run software that’s “end of life” or no longer supported by the manufacturer.
“Another is to use what we'd call endpoint detection and response or EDR software, kind of think of that as DNA virus, software 2.0, really a next iteration of antivirus,” he said. “Then probably, I would say, we make sure our customers back up their data. That doesn't always prevent the incident from taking place, but if you can keep your backup data isolated, even if you suffer an attack, you might be able to be brought back online sooner and might avoid having to pay a ransom, and the costs are quite a bit lower.”
A report this year found that 11% of businesses paid ransoms of $1 million or more, up from 4% in 2020. Yet the cost associated with ransomware isn’t only financial. It can impact a firm’s reputation as well as its bottom line.
“Unfortunately, there's still customers who think these things either won't happen to them or can't happen to them, or maybe they don't fully appreciate the significance of an event were it to happen to them,” Francis said. “And some of these events can put a company out of business for good, depending on the scale of it. Smaller customers are more apt to be running on thinner margins in the first place and maybe not be able to make it following an event. So, there's still too many that don't fully have that sense of awareness.”
Doug Bailey is a journalist and freelance writer who lives outside of Boston.