Plaintext: Turbulence in Cyber Insurance
Source: mm photo via Adobe Stock

Welcome to Dark Reading in Plaintext, where each day we bring you insights around one topic important to cybersecurity professionals. Today, we talk about cyber insurance. There was a time when the cyber insurance market was competitive, so premiums were low and policies were comprehensive. Those days may be going away.

Rising Prices and Sinking Coverage

Organizations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Many organizations are required to carry cyber insurance to comply with regulations, but obtaining a policy is becoming increasingly difficult.

Insurance companies are increasingly mandating minimum security controls prior to extending coverage, according to Jess Burn, senior analyst at Forrester. The list includes security activities and controls such as implementing network segmentation; securing remote desktop protocol and other remote access configurations; restricting macros in documents downloaded from the Internet; implementing multifactor authentication; setting up an offsite backup solution; and establishing an incident response plan.

Insurance by the Numbers: In 2016, just 26% of insurance clients had cyber coverage. That number rose to 47% in 2020, according to the US Government Accountability Office. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Forrester’s Burn.

Higher premiums and more stringent criteria for getting coverage could make companies wonder if it is worth getting insurance, wrote Chris Butler, lead principal consultant at Sungard Availability Services (Sungard AS).

If the rates continue to rise, companies might decide it's not worth the cost. That is, if insurers continue to cover their industry.

“Already, we're seeing discussions about Log4j-related issues being excluded from reinsurance policies in 2022, as many policies came up for renewal on Dec. 31, 2021,” wrote Matt Middleton-Leal, managing director at Qualys. Cyber insurance policies will still be available, but the policies will cover less ground. The changes in insurance will make it harder for organizations to manage business risk.

War Exclusion: Cyber-insurance policies typically have "war exclusion" or "hostile act exclusion" clauses stating that insurers cannot defend against acts of war, Beth Burgin Waller, chair of the cybersecurity and data privacy practice at Woods Rogers PLC, wrote earlier this year. If the company becomes a victim of a malware attack and that malware can be attributed to a government campaign, the insurer could deny coverage based on that clause. When filing a claim, organizations should not speculate who the threat actor is if they don’t know. “What you guess, report, or speculate could be used as a basis for denial of coverage,” Beth Burgin Waller wrote.

In light of Russia's invasion of Ukraine — and the anticipated cyber fallout — security professionals should review their cyber-insurance coverage with an eye toward determining coverage gaps.

On That Note

Source: Sophos, State of Ransomware 2022

We talk a lot about how the ransomware landscape has changed dramatically in recent months. Well, the State of Ransomware 2022 report from Sophos found that ransomware has also changed the insurance landscape:

  • 94% of companies found it harder in the past year to qualify for cyber insurance.
  • 97% had to make changes to their defenses to improve their ability to get coverage.
  • 98% of companies affected by ransomware received a payout under their policies, but only 77% collected for cleanup costs. Only 40% of the policies paid the ransoms.

Michael John Martinez Jr.

System Engineer, CISSP, MBA

2 years ago

I like the one part of this article that reminds us the insurance company does not want to pay, so government sponsored attacks would be grounds for not supplying coverage.

Peter Corrao

Cyber Security Strategist, LS Technologies

2 years ago

Looks like the "Wild West" days of cyber insurance are coming to an end as insurers start to get a handle on just how expensive an incident or data breach can be...and how likely. My only hope is that this will somehow impact the willingness of business to pay ransomware ransoms. Paying the ransom has to stop, otherwise we'll never be rid of these kinds of attacks.
