Cyber Insurance: What's Going On?

“Horry County, South Carolina, officials were in for a shock earlier this year, when they discovered their cyber insurance premium would be spiking from $70,000 last year to about $210,000.” – Tucson Sentinel

“The global cyber cover premium pool is set to increase 25% a year” – Insurancenews.com

“Insurer Travelers Wants Out of Contract With Insured That Allegedly Misrepresented MFA Use” – Insurancejournal.com

Premium increases of up to 200% are being observed across multiple business sectors, insurers are denying claims after cyber-attacks, and businesses are HALO jumping from C-130s with mini umbrellas for parachutes.

So, why all the change, and why all of a sudden? Simply put: there is a reason why not too many insurance companies will write policies for resistance fighters in Afghanistan. We are at cyber-war, and it is getting worse.

Economic uncertainty is economic uncertainty for businesses and cybercrime groups alike. Less money flowing through the economy pushes people to crime and raises the stakes for cyber-attackers. Ransomware is the most lucrative business model within the cybercrime world, and this is what cyber insurance payouts are going towards.

The sharp increase in claims is directly related to the number of ransomware attacks that occurred over the course of 2021. With entire countries locked down, millions of people out of work worldwide, and borders completely shut down, the criminal underground had to get tech savvy really quickly. This resulted in the biggest year for ransomware:

“Ransomware hit 66% of mid-sized organizations last year, up from 37% in 2020. Average ransom payments reached $812,000 during 2021, compared with $170,000 the prior year.” – cybersecuritydive.com

If you think that you read that incorrectly, you didn’t. Ransomware payouts went up from $170,000 to $812,000 from 2020 to 2021. That is an enormous increase, and most of those payouts came from none other than, {drum roll}... insurance companies! This results in cyber insurance premium increases, more in-depth cyber insurance applications, denial of coverage, and refusal of payouts.

Insurance companies have taken the gloves off and are saying no more. Companies will properly fill out insurance applications and adhere to their security standards, and if they do not, the insurance companies would rather send in a team of investigators than pay out $812,000 on every ransomware attack. Can we blame them? Not really, but…

There is a devil's advocate side to this as well. Any experienced CISO, IT Director, or executive knows that their customers are demanding cyber insurance coverage to even consider doing business with them. Therefore, insurance companies know that when businesses have a multimillion-dollar contract on the table that is dependent on the company accepting a 200% premium increase, the policy will be written and bound no matter what. These are just the new costs of doing business. The flip side to this is the real danger zone for companies that believe they have a golden parachute.

When your company gets thumped with a ransomware attack, you can expect a full audit and review from the cyber insurance carriers during and after the incident. If they discover that your company gave false, misleading, or downright negligent information on the application, you will not be compensated and you will still have to answer to your customers.

Now, more than ever, it is absolutely critical that businesses accept the fact that standing by idly is no longer an option. Not having security leadership and technical savvy within your organization is a recipe for double disaster. Worst-case scenarios go something like this:

1. You inadvertently answer a question falsely on a cyber insurance application.
2. Your company gets hit with a ransomware attack.
3. You put in a claim.
4. Your claim is denied due to misleading application information.
5. Your company has to pay the cyber-attackers.
6. You lose your ability to ever get coverage again from any cyber insurance provider.
7. You begin to lose your clients.

This is a call to action for all business leaders to look closely at how you approach information security within your organizations.

  • Do you have a CISO/fractional CISO or is your CFO answering detailed technical questions on a cyber insurance application?
  • Does your cyber insurance coverage have hundreds of exclusions that render it null in the event of a cyber-attack?
  • Are you confident that you can recover your business operations without a cyber insurance policy?
  • Will your customers understand or care why you are in this situation?
  • Does your company have an information security plan or strategy?
  • What is your fallback plan when you are in the upside down in Stranger Things?

It’s time for the information security community to speak up and advise business leaders on the true nature of cyber risk. Let’s get down to business.

Article by Ty Ward, Founder and Managing Consultant at CSG-Cyber.

For more information on virtual CISO, Penetration Testing, and Incident Response, contact us.
