The Right Way to Do Cybersecurity Insurance
March 16, 2020 By Jack Vines
Corporations’ cyber risk is growing larger every day. While more and more companies are allocating additional resources and capital to mitigating cyber threats, they’re discovering along the way that they don’t know the size of their own risk. Sizing your exposure to cyber risk, independent of any single threat, can be a daunting task. It is an ever-changing landscape that can shift materially from week to week as attackers change focus and new vulnerabilities are found and exploited.
General insurance policies, with low limits and narrow coverage, have provided a backstop, but many companies are right to worry that their claims will be denied on the basis of loopholes in opaque policy language.
And among this sea of threats, the one most insurance policies typically fall short on is ransomware.
Ransomware attacks cost businesses more than $75 billion per year in lost revenue, legal expenses, fines, and payments to organized criminal networks. In 2019, an organization fell victim to ransomware every 14 seconds, and that number is predicted to grow to every 11 seconds by 2021. New phishing sites are created all the time: 1.5 million sites per month. And attacks have increased over 97% in the last two years.
The world has seen everything from $10 million virtual ransoms to attacks on hospitals and healthcare companies, putting human lives at risk. Recently, a business in Australia was hit with a $30 million ransom.
What’s happening with mobile attacks? In 2018 alone, more than 18 million mobile malware instances were reported. That number is expected to double and triple with the proliferation of mobile devices.
It’s clear ransomware protection is necessary. The problem isn’t going away. And we have to do something about it.
But the real question remains: does your cyber insurance properly cover ransomware?
Cyber insurance doesn’t work in the same ways as auto or home insurance. There are dynamic factors and debilitating risks that need to be considered on a customer-specific level. No one-size-fits-all policy will work, even if it’s broken down by company size or revenue.
Here’s what most cyber insurance providers do today: ask you a few questions, likely about your revenue and industry, see what they have available, and assign you a policy based purely on your revenue and company size. There’s usually not a lot of detail, and you are rarely, if ever, rewarded for all the money and effort that you’ve put in to protect yourself. Feels like something’s missing, right?
The problem with cyber insurance lies in the difficulty of predicting, quantifying, and responding to the threat of ransomware.
With proper insurance risk modeling, you should break your risk into two parts, especially for ransomware coverage: frequency and severity. And the best way to learn about these two factors is by diving into specific data on your security posture and marrying that up against the current threat landscape.
Sounds complicated, doesn’t it? It is, especially as the landscape changes on a daily basis. But that doesn’t mean that it shouldn’t be done.
Typical cyber insurance products provide coverage for a multitude of risks that involve malware, computer viruses, spyware, cookies, worms, trojans, and other malicious entities. However, the emergence of ransomware has changed things for the entire cybersecurity industry. The more that people learn about ransomware attack risk, the more they learn about the inadequacy of insurance carriers’ ability to address this growing problem.
In 2019 alone, more than $7.5 billion in damages was attributed to ransomware disruption in the United States. And for every organization that suffers an attack? The cost to recover has doubled to $84,116.
The risk for small to midsize businesses is the highest. With the most to lose, it’s important to know who will be affected in the case of a breach. The most likely outcome for an SME after a cyber attack is bankruptcy.
With cyber insurance, specifically ransomware insurance, we need to get results back to the board, executive team, and customers.
Corporate boards of directors have heard it all when it comes to cybersecurity matters in recent years. In fact, it’s becoming common practice to appoint at least one person with deep cyber risk management expertise to these boards. Many believe this new role will be a translation layer between the board and large cybersecurity decision making. That is an important part to play in a world with increasing attacks.
It’s time to get familiar with the cyber risk your company likely faces.
If your business suffers a ransomware attack, you’ll likely need to recover in seven main areas:
- Customers: What would be the cost to notify your customers of the breach?
- Regulatory: How much would your business be fined?
- Ransom: Do you have insurance to pay for a ransom? If you do, how do you do it?
- Financial: What is the cost of the financial disruption to your business if you are unable to do business for one day? A week? A month? A year? Can you even get the data back?
- Legal: What will the legal ramifications be if your business is attacked?
- I.T. Infrastructure: How much will you need to rebuild if your data is lost or held hostage?
- Brand: What are the costs of rebuilding trust with your prospects and customers in the event of an attack?
When it comes to cybersecurity risk, there’s not much time to waste.
Get the right ransomware coverage with Measured.
With Measured, you can expect:
- Real-time system analysis and identification of ransomware attack damages and implications
- Expert advisory on damage assessment and incident response recommendations
- Teams that incorporate an ecosystem of global experts in ransomware assessments, ransom negotiations and payment, cyber legal counsel, forensic accounting, public relations and brand restoration, regulatory implications, and negotiations
- Expert advice regarding post-event restoration of impaired services and directives to thwart future exposure
Cybersecurity insurance doesn’t have to be daunting or overwhelming. It just has to be Measured.
Assess your cyber risk and weaknesses with our three-question quiz.
If you’re just getting familiar with cybersecurity and you want to protect your remote workers, because so many millions are working from home right now, find tips and tricks to keep your workforce safe from ransomware here.