With each passing week, the list of high-profile ransomware attacks grows longer and more concerning, affecting everything from gas pipelines and meat supplies to ferries. Companies and government agencies that are hacked must scramble to protect their systems and make a difficult decision about whether to pay hackers to restore service.
Affected companies may rush to contact their IT teams, police, crisis PR, lawyers, and law enforcement in the face of such a situation. However, one of the first calls they make is usually to their insurance provider.
Companies frequently purchase cyber insurance to help protect their systems and cover any losses incurred as a result of a cyberattack. And ransomware, which allows hackers to take control of computer systems (or even physical infrastructure) and demand millions of dollars in exchange for their unblocking, has only increased demand for that insurance.
However, because of rising costs, more stringent insurer requirements, and increased government scrutiny when foreign hackers are involved, companies may find it more difficult to access this lifeline.
Between 2018 and 2020, AIG, one of the world’s largest insurers, reported a 150 percent increase in ransom and extortion claims. According to the company, ransom demands now account for one out of every five cyber insurance claims.
“Data-intensive companies were the first … but over the last number of years all types of industries have started purchasing cyber insurance,” Tracie Grella, AIG’s global head of cyber insurance, told CNN Business. “I think at this point it’s certainly clear that all industries are impacted, all have to manage cyber risk.”
Depending on the size of the company and what needs to be covered — from security teams and lawyers to potential lawsuits and reimbursement for business losses, or even ransom payments — plans can range from “a couple hundred dollars” to “multimillion-dollar programs,” according to Grella, who added that roughly half of AIG’s clients make ransom payments.
Ransom payments, according to the FBI and cyber security experts, encourage cyber criminals to increase their targeting of businesses and infrastructure.
According to Mark Friedlander of the Insurance Information Institute in New York, the average cost of a cyber insurance policy in 2019 was $1,500 per year for $1 million in coverage with a $10,000 deductible.
As the number and variety of targets for ransomware attacks grows, so does the cost. According to a report released in April by Fitch Ratings, total premiums for cyber insurance coverage reached $2.7 billion in 2020, up 22% from the previous year, and are expected to rise even more in 2021.
Before being approved for a plan, companies seeking cyber insurance must now undergo a much more thorough examination of their existing cyber security measures.
AIG asks potential clients a series of 25 questions about their ransomware protections, including how often they test employees for email phishing attacks and how long it takes to deploy critical security patches (ranging from “within 24 hours” to “more than 7 days”).
“Right now ransomware is more prevalent, so we do have a deeper dive, more specific underwriting strategy around ransomware,” Grella said. “If certain controls are not met, we will likely still provide coverage … but it will be reduced cover.”
Some cyber security experts also caution against using insurance as a one-size-fits-all solution, especially when demand is high.
“In some cases organizations are a little too ready to transfer this kind of risk through insurance. They think that that’s a real healthy backstop and they can avoid doing some of the other, more painful investments in security,” said Mike Hamilton, the chief information security officer at cyber security firm Critical Insight.
With the US government announcing this week that it will handle ransomware attacks, particularly those linked to nation-states, using protocols similar to those it applies to terrorism, Hamilton believes insurance companies may be able to avoid paying out cyber insurance claims. Terrorism insurance is frequently sold to businesses as a stand-alone policy, and it rarely covers acts of war.
“If insurance companies can call anything a nation-state act or an act of terrorism, they don’t have to make good on their policies, and that’s going to be a problem,” he added.