Gone are the days of a foolproof insurance policy that pays out on ransomware attacks – so what should businesses do to protect themselves as the threat landscape evolves?
According to researchers at Statista, the global cyber insurance market is set to be worth US$20bn (£16.8bn) in 2025 – up from just under $8bn (£6.7bn) in 2020. However, in an uncertain world, can cyber insurance be relied upon to pay out should your organisation sustain an attack that threatens business continuity, your brand and its very future?
The market has grown enormously, and a number of factors have contributed to the jump in demand for cyber insurance, not least the growth in remote working, which has made organisations commit to cyber security measures in the face of a growing threat landscape. More broadly, there has been a sharp increase in ransomware attacks – the number reported to the UK Information Commissioner’s Office increased 100% from 326 in 2020 to 654 in 2021. As organisations have woken up to the potential threat, a cyber insurance policy has become a basic business must-have.
The increase in ransomware attacks has resulted in correspondingly huge insurance payouts. This has awakened insurers to their own risk of being unable to meet ever-larger compensation payments, which in turn has made it harder to obtain a cyber insurance policy without jumping through additional hoops.
If an organisation wants to buy cyber insurance in today’s climate, it must show it has proactively prepared for an attack. Wind the clock back three or four years, and it was simple to buy a basic policy for a few hundred pounds. Nowadays insurers are fearful that the cost of limitless payouts could bankrupt the industry – and with only twenty years of historic data on cyber security insurance to call upon when pricing risk, there is simply not enough data to price it accurately whilst ensuring appropriate coverage.
As a result, policy limits are being enforced to ensure that insurers can afford to provide the cover. Certainly, in the last twelve months most insurers have reduced the limit of indemnity – the maximum an insurer will pay out on the policy. Cyber insurers are adapting quickly by introducing new requirements for coverage, increasing prices and narrowing the parameters of coverage by excluding certain factors – acts of war are a prime example. Similarly, there is a widening variation in cover for loss of money through business email compromise, for loss of customer data, and for compensation claims.
What should businesses do?
The clear advice is that insurers’ new exclusions and parameters mean businesses can no longer rely on the promise of an insurance payout should the worst occur, or at least not one large enough to pay for the level of chaos such an attack may wreak in terms of business interruption or, worse, reputational damage to their brand. This puts the onus firmly back on the business to take control of ransomware situations itself, and to ensure it has a solution in place to mitigate such events and to recover from attacks.
It is no longer the case that businesses can rely on getting their data back after a ransomware attack, or on being fully compensated for their financial losses by insurance policies. So, in a ransomware attack where the choice is between recovering data and paying the ransom, the former is preferable, and is where strategic plans should focus. The UK’s National Cyber Security Centre (NCSC) suggests that the onus is on the business to ensure security details are up to date, that insurers know when circumstances change so a policy is not rendered null and void, and that security measures are firmly in place so that data is protected.