What You Need to Know About Ransomware Insurance
May 19, 2020 By Jack Vines
Quickly now--how much cyber insurance does your company need?
It's a question that many organizations struggle to answer. Sizing up the inherent exposure to loss (or risk) a business faces is a non-trivial task. It is, however, an important one--and without a reliable methodology for sizing risk, and comparing it against other opportunities, businesses cannot hope to make measured investment decisions.
And behind the initial question about cyber insurance sits a flood of others: How much ransomware insurance does your company need? What's the difference between the two? How much does cyber insurance or ransomware insurance cost?
In this post we’ll cover everything you need to know about ransomware insurance.
If you’re just catching up on our ransomware series, be sure to check out our previous posts:
- The Definitive Guide to Ransomware
- What is Ransomware?
- How Does Ransomware Spread?
- How to Report Ransomware
Let’s get back to our initial question--how much cyber insurance does your company need?
The information security world has been grappling with this thorny question for years. Businesses generally lack a methodology for measuring risk in a way that lets it be quantified and compared against other risks, so that informed business decisions can be made.
Homegrown solutions have historically taken the form of the risk matrix, whereby a list of threats to the business is assembled and each threat is rated on how likely it is and how much impact it would have on the organization. The results form a matrix that typically shows low, medium, and high risk.
While providing a simple framework for discussion, the risk matrix approach does not provide an outcome that allows a rank order of:
- risks we can mitigate through direct investment
- risks we can mitigate through utilizing other services
- risks we can transfer
Your Ransomware Risk
To identify your true risk from ransomware, there are a few options. Some frameworks, like NIST, are more concerned with procedural controls and lack a formal method for quantifying and prioritizing gaps. Alternative approaches like FAIR take a methodical approach to quantifying risk.
But at a high level, we can break the costs of ransomware into different categories (or in the context of insurance, coverages). Understanding how much risk you have in each area can help you dial in the coverages and amounts of insurance you need.
The most apparent cost, if you get hit by ransomware, is the ransom amount. Of course, you may or may not elect to pay the ransom depending on the specifics of the scenario, but even if you opt not to pay, you will likely be paying as much in other areas to find an alternate remediation strategy.
In Q4 of 2019, the average ransom payment increased by 104% to $84,116, up from $41,198 in Q3 of 2019. In general, ransomware actors will ask what they think you can pay, meaning the bigger the business, the larger the ransom.
But it's not just the ransom payment. Other costs may include:
Business interruption
Ransomware can lock you out of your critical systems and keep you from processing business until you resolve the problem or find temporary workarounds. The average downtime for many organizations is reported to be as long as 7.5 days. During your downtime you may experience substantial loss of revenue and profit. Assess your risk in this area by understanding how much you could potentially lose if you're locked out of your systems--and document the costs associated with every business day you may be down.
Regulatory costs
Recently, ransomware actors have increasingly begun not only to lock up your data and systems, but to actually steal your information. In a world of increasing regulatory scrutiny and new laws such as GDPR and CCPA, you may be subject to substantial fines and penalties. These penalties likely depend on the number of records that are compromised, as well as the size of your company. Assess your risk in this area by clearly understanding what fines you may be liable for if data (specifically customer data) is not only compromised, but stolen.
Customer costs
Along with regulatory penalties, if your customer data becomes compromised, you may be legally obligated to notify customers or offer services such as credit monitoring. Like regulatory costs, these grow with the number of breached records: the more records you store, the bigger your potential risk. Assess your risk in this area by understanding the cost of the services you may need to deliver to customers.
Brand costs
A ransomware disruption can have a substantial negative impact on your brand and cost you customer trust. You may need to increase brand spending to repair any reputation damage. Assess your risk in this area by understanding the potential cost of increased brand spending after a ransomware attack.
Legal costs
After a data breach or a ransomware attack, navigating the legal ins and outs can involve substantial legal fees. From legal advice during the incident to defense against third-party lawsuits, assess your risk by understanding how much you may need to pay for legal help.
I.T. costs
Resolving a ransomware incident is not a simple matter. You may need to bring in experts to perform a forensic analysis to identify the extent of the damage and a path to remediation. Ensuring you are secure from future attacks may involve substantial and costly changes to your I.T. infrastructure. Assess your risk by first understanding whether your internal team can rebuild whatever damage may occur, and then documenting the potential costs if you need help from a third party after a ransomware attack.
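The seven cost areas above can be turned into the dollar-valued, rank-ordered estimate that a low/medium/high matrix cannot give you, which is also the number you size coverage against. The following is an added example, not code from the original post or from Measured; the per-area min / most-likely / max figures and the annual likelihood of a successful attack are constructed assumptions for a hypothetical mid-sized firm, and only the Q3/Q4 2019 ransom averages and the 7.5-day downtime figure come from the post.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class CostArea:
    # One cost area from the post, estimated as min / most-likely / max loss
    # (dollars) for a single ransomware incident.
    name: str
    low: float
    likely: float
    high: float

    def mean(self) -> float:
        return (self.low + self.likely + self.high) / 3.0  # triangular mean

def rank_areas(areas, p_incident):
    # Annualised expected loss per area (likelihood x mean impact), largest
    # first: the rank order a low/medium/high risk matrix cannot give you.
    ranked = [(a.name, round(p_incident * a.mean(), 2)) for a in areas]
    return sorted(ranked, key=lambda t: t[1], reverse=True)

def simulate_annual_loss(areas, p_incident, trials=20000, seed=7):
    # Monte Carlo over one-year trials: with probability p_incident an
    # incident occurs and every area draws a loss from its triangular range.
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        hit = rng.random() < p_incident
        losses.append(sum(rng.triangular(a.low, a.high, a.likely) for a in areas) if hit else 0.0)
    losses.sort()
    return {
        "expected_annual_loss": sum(losses) / trials,
        "p95_annual_loss": losses[int(0.95 * trials) - 1],  # a coverage-sizing point
        "worst_case": losses[-1],
    }

# Constructed estimates for a hypothetical mid-sized firm. Only the ransom
# low/likely values (Q3/Q4 2019 averages) and 7.5 days of downtime are from the post.
DAY = 20_000.0  # assumed revenue lost per day locked out
AREAS = [
    CostArea("ransom", 41_198, 84_116, 250_000),
    CostArea("business interruption", 2 * DAY, 7.5 * DAY, 30 * DAY),
    CostArea("regulatory fines", 0, 50_000, 500_000),
    CostArea("customer notification and monitoring", 5_000, 40_000, 200_000),
    CostArea("brand repair", 10_000, 50_000, 150_000),
    CostArea("legal", 15_000, 60_000, 300_000),
    CostArea("IT forensics and rebuild", 25_000, 100_000, 400_000),
]
P_INCIDENT = 0.2  # assumed annual likelihood of a successful attack
```

With these assumptions the ransom itself ranks fourth behind business interruption, regulatory fines and IT rebuild costs, and the 95th-percentile annual loss is several times the expected annual loss, which is the gap that a policy sized only on the ransom demand leaves open.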
Is Ransomware Included in Your Cybersecurity Insurance?
Cybersecurity insurance shouldn’t be treated like home or auto policies. There is no policy that will work for multiple businesses. Every organization has unique risks and considerations, so it’s highly likely that your current cybersecurity insurance policy doesn’t offer the right amount of coverage in the case of a ransomware attack. One-size-fits-all policies don’t work.
Oftentimes, cybersecurity insurance will attempt to cover the minimum for a ransomware attack. You might find language in your policy like “cyber-extortion coverage” which might include some small coverage on a ransom demand, negotiation experts, and forensic experts who will assess how the hackers gained access to your system. But the costs associated with an attack range far above these three areas. If you have cybersecurity insurance today, make sure you have proper coverage in all areas of risk. You will likely need a new policy that covers ransomware specifically.
Ransomware Insurance vs. Cyber Insurance
If your cyber insurance policy doesn’t offer enough coverage in the case of a ransomware event, you need to consider ransomware insurance. The difference between the two will lie in the coverage outside of a ransom demand and a few experts that may help with negotiation and forensics after the event. Full, measured coverage for a ransomware event will include payment for all areas of risk: legal costs, IT costs, brand disruption costs, regulatory costs, customer costs, and any business disruption costs.
Ransomware Insurance Cost
Because no one-size-fits-all policy exists for ransomware insurance, and because the areas of risk are specific to each business, the cost of ransomware insurance varies for every organization. Your first step toward understanding the cost is to assess your risk in the seven areas of disruption above. The same goes for small businesses--the cost of ransomware insurance for a small business will be determined by the size of the business and the potential disruption costs in each affected area.
Ransomware is a complex and potentially expensive event. Insurance can help you be prepared for the financial consequences, but you have to know how much you need. Use the Measured risk calculator to learn about your risk.