There is a change in the way organizations outside of the traditional cybersecurity sector are thinking about cyber risk. Governments are now getting more interested in the problem, and cyber insurance underwriters are becoming more stringent with the requirements they want to see before they will offer cyber insurance at all. When they do offer it, the prices are much higher than previously available, and the coverage and deductibles are not as favorable as before.
The rise in ransomware attacks is the main driver behind the change in attitude we are seeing. This year, many ransomware attacks have made the news:
• The Colonial Pipeline attack disrupted gas supplies to the eastern United States.
• The Scripps ransomware attack disrupted hospitals during the pandemic.
• The Kaseya VSA supply chain ransomware attack impacted MSPs using the Kaseya IT management software.
These attacks that broke through into the public consciousness are just the tip of the ransomware problem. The Sophos State of Ransomware Report 2021 shows that a third of organizations surveyed across 30 countries reported that they had experienced a ransomware attack in the past 12 months.
The costs of dealing with a ransomware attack are high and growing each year. The Sophos report estimates that the average cost to deal with an attack in 2021 is $1.85 million. Of that figure, the average ransom payment to cybercriminals was only $170,404. The vast majority of the costs from a ransomware attack come from dealing with the operational fallout to get the organization back to a functional state. Beyond these costs, for some sectors, like healthcare, the fallout includes risks to patient health, as was the case in the Scripps Healthcare attack and the Hive ransomware attack in Ohio and Wisconsin. Some hospitals had to stop admitting patients, who then had to go to other hospitals further away.
Cybersecurity Insurance Providers are Feeling the Pain
Many organizations report that their cybersecurity insurance premiums are going up by a hefty amount this year when they come due for renewal. This is a function of the number of attacks and the fact that insurance providers previously provided pricing without the actuarial data to price correctly. The ransomware surge has left many insurance providers in the red due to payouts. As a result, cyber insurance providers are being much more stringent on who they will insure. They are looking for evidence that organizations have adequate cybersecurity protections and that they follow industry best practices. Anyone looking to renew their cyber insurance from 2021 onwards should expect a more rigorous process. Be prepared to show your papers on how your cybersecurity is robust and expect to be interviewed by cybersecurity experts working on behalf of the insurance company.
What are the Cyber Insurance Providers Seeking?
The cybersecurity procedures that the insurance companies are looking for are things that all organizations should already be doing, but that many are not. They are looking for evidence that multi-factor authentication is in use, 24/7 monitoring for threat activity, staff cybersecurity awareness training, and more.
The requirements that organizations can expect and what they should do are topics in the recent Critical Insight webinar titled Cyber Insurance Is Changing: How to Handle Your Policy. This webinar is well worth an hour of your time and is embedded below for easy viewing. The information will help you ensure that your organization can get cybersecurity insurance this year and next. It will also allow you to reduce your premiums (or keep them flat) and increase your coverage. We will publish a follow-up article to the webinar called The Top 10 Things to do to Lower Your Cyber Insurance Premiums in the next few days. Keep a watch on the website and our social media for that article.
Jake Milstein (LinkedIn), the head of Marketing for Critical Insight, hosts the talk and is joined by:
Mike Hamilton (LinkedIn) - One of Critical Insight’s Founders, Mike Hamilton has worked in InfoSec for 30 years in every sector and imaginable role. Mike was formerly Policy Advisor to Washington State, Chief Information Security Officer for the City of Seattle, and Managing Consultant for VeriSign Global Security Consulting. He is a former Vice-Chair of the DHS State, Local, Tribal, and Territorial Government Coordinating Council.
Bryan Hurd (LinkedIn) - Chief of Office, Aon Cyber. Bryan is also the former chief of cybercrime at Microsoft and founded the US Navy NCIS Cyber CI Program.