Cyber risk insurance is a hot topic. With the increase in costly cyberattacks, especially ransomware campaigns, organizations of all sizes across all sectors are considering purchasing a policy. But what value does cyber risk insurance provide — and what gaps might it leave? What do insurers look for when deciding whether a company qualifies for a policy, and what could your organization do to not just ensure you qualify but actually reduce your premium?
More fundamentally, is purchasing cyber risk insurance truly the best use of your limited cybersecurity budget? Let’s dive in.
What is cyber risk insurance?
Cyber risk insurance is a means of transferring the risk from a successful cyberattack or other incident that damages your IT assets or infrastructure. It is similar to other types of insurance: When you purchase an automobile, homeowner’s or renter’s insurance policy, you are paying money up front to gain the peace of mind that if your car is stolen, your home burns down or your apartment is robbed, it won’t be a devastating loss — your insurer will pay some or all of the cost to replace what you’ve lost.
Similarly, cyber risk insurance helps mitigate an organization’s risk from successful cyberattacks and other disasters. Examples include ransomware encrypting some or all of your business data, a disgruntled IT pro planting a logic bomb that brings down your key business systems, and a fire or floods wiping out your server room.
The cost of such incidents can mount quickly. They can include:
- Property damage
- Data and infrastructure recovery
- Ransomware extortion costs
- Forensics
- Productivity losses
- Compliance-related costs
- Litigation costs
- Supply and distribution disruptions
- Unfulfilled customer orders
- Reduced margins
- Customer churn
- Lasting brand damage
However, as with other types of insurance, exactly which types of costs are covered depends on the details of the specific cyber risk insurance policy you have purchased. It’s critical to comb through the fine print!
What’s required to qualify for a cyber risk insurance policy?
Not long ago, cyber risk insurance was readily available to any organization that wanted to purchase a policy. Indeed, policies were often arguably underpriced because so many companies wanted to establish themselves in the market. This strategy was likely an important factor in the rapid growth of the market: In 2020, half the companies that purchased insurance had cyber coverage, up from a quarter of them just four years earlier.
But with cyberattacks increasing in both frequency and sophistication in recent years, many of those insurance companies ended up having to pay out on huge claims. As a result, insurers now often require organizations to have specific types of security controls in place in order to qualify for a cyber risk insurance policy. For example, customers might be required to certify or prove that they:
- Maintain an accurate inventory of all user, administrative and service accounts.
- Validate those accounts and their access rights regularly.
- Tightly control membership in privileged security groups.
- Audit and log the activity of privileged accounts.
- Actively monitor for indicators of compromise (IoCs).
- Have a documented incident response plan.
- Have a documented backup and recovery strategy.
Ways organizations can reduce their premiums
While some basic security may be required to qualify for any cyber risk insurance policy at all, exceeding those minimums can enable an organization to reduce its premiums, as well as qualify for better policies that provide more coverage. The principle is similar to other types of insurance: You might get a discount on your car insurance by installing a device that tracks your speed, and upgrading your locks and deploying security cameras can reduce your home insurance premium.
With cyber risk insurance, a good strategy for reducing your premiums can involve going beyond the core controls and demonstrating a more mature security posture by mitigating risk. For example, an organization might be able to reduce its premium if they:
- Validate all accounts and their access rights quarterly instead of merely annually. Insurers know that rigorously enforcing the principle of least privilege is a cornerstone of cybersecurity because it limits the reach of malware and the damage that can be wrought by an adversary with stolen credentials or a malicious insider.
- Not just be able to identify all members of privileged groups, but proactively keep the number of admin accounts to a bare minimum. While many cyberattacks begin with the compromise of regular user credentials, adversaries need elevated rights to move laterally and access sensitive systems and data.
- Proactively identify attack paths in your Active Directory that adversaries could use to escalate their rights or even seize control of the domain, and pinpoint and mitigate the choke points they share to dramatically reduce risk. Many organizations have hundreds or thousands of attack paths; insurers will be impressed when you can demonstrate that you have rooted yours out.
- Monitor all security changes across your IT environment, whether they occur on premises or in the cloud, and alert your security teams about suspicious activity so they can shut down attacks in time to minimize damage (and therefore costs). Even better, demonstrate to insurers that you can prevent critical changes from happening in the first place, so adversaries simply cannot add themselves to highly privileged groups like Domain Admins or sabotage key elements of your Group Policy.
- Implement multifactor authentication (MFA). MFA dramatically mitigates the risk from weak and stolen passwords, which is a primary way that adversaries gain a foothold in corporate networks. Moreover, when MFA is applied as part of a broader Zero Trust security model, it can block attackers already inside the IT ecosystem from inflicting damage on vital systems and sensitive data.
- Build a robust backup and recovery strategy that includes stringent recovery time objectives (RTOs). Insurers know that extended downtime drives up incident costs and therefore payouts.
- Create redundant backups and store them on a hardened server that is isolated according to IPSec rules. Moreover, regularly check those backups to confirm their integrity. Demonstrating that your organization is prepared to restore its own data even in the case of a ransomware attack reduces risk for the insurer, and therefore can reduce your insurance premiums.
- Go beyond native backups, which provide a wide range of places for malware to hide, and instead use a dedicated Active Directory backup solution that provides multiple backup options, including backups that minimize the risk of malware re-infection during the recovery process.
Are there any drawbacks to cyber risk insurance?
While transference of risk to a third party like an insurance policy might seem like a good way to mitigate this risk, there are actually multiple important drawbacks to consider in the case of cyber risk insurance.
Cyber risk insurance can increase your risk of being attacked.
Of course, it’s not possible to perform a double-blind study on the relationship between cyber risk insurance and cybersecurity attacks. But there is evidence that having a cyber risk insurance policy can increase your risk of being hit by cyberattacks. One study found that organizations with cyber insurance were more likely to be hit by ransomware than those without: 77 percent of those with cyber insurance suffered at least one successful ransomware attack, compared to 65 percent of those without cyber insurance. Moreover, insured companies were 70 percent more likely to be attacked multiple times!
One reason for these findings could be that cybercriminals prefer to target organizations with cyber insurance because they believe the insurers will pay the ransom cost in order to speed the recovery process, since reducing downtime can significantly reduce the costs of an incident and therefore the overall payout for the insurance claim. Indeed, the same study found that nearly 4 in 10 (39 percent) of the ransomware victims that had cyber insurance paid the ransom. Another report found that just 15 percent of organizations without cyber insurance paid the ransom. Hackers are undoubtedly tracking these published statistics along with their personal success rates.
Cybersecurity experts offer anecdotal evidence that provides additional context. One cybersecurity consultant has found that some hackers scour IT systems during a cyberattack in order to learn what cyber risk insurance the organization has, and then show the organization that they’ve uncovered the policy in order to use it as leverage. For instance, another cybersecurity consultant reports that some ransomware attackers determine the size of the ransom they demand based on what the victim’s policy says their insurer will cover.
Cyber risk insurance can have significant exclusions.
As noted earlier, exactly what costs are covered depends on the specific cyber risk insurance policy. As with any insurance claim, the details in the fine print matter a great deal! Moreover, it’s vital to understand that the cyber insurance industry is still evolving, and the scope of policy exceptions is being hotly debated in the courts. Here are some key exclusions to know about:
Prior acts
Insurance policies are generally not retroactive — you cannot purchase a homeowner’s policy the day after a fire or theft and expect it to cover those losses. Similarly, cyber risk insurance policies typically have a “prior acts” exclusion that absolves the insurer from paying claims for activity that occurred before the policy was issued.
However, it’s vital to recognize a key way in which the analogy between the types of policies breaks down: While homeowners almost certainly know whether they’ve recently suffered a fire or burglary, organizations are actually quite likely to be unaware that their network has already been breached by a malicious actor. In fact, according to a 2022 IBM report, the average time to detect and contain a breach was 277 days — about 9 months. But some intruders can sneak around inside a network for much longer: A high-profile breach at Starwood (now part of Marriott) went unnoticed for four years!
In other words, organizations face a significant risk of suffering an incident that can be tied back to an intruder who was already in their network when the policy took effect — and having zero coverage despite all the premiums they have paid.
Failure to maintain standards
As noted earlier, organizations are often required to certify that they have specific controls in place to protect against cyberattacks and other disasters. The policy will likely include a “failure to maintain standards” exclusion that enables the insurer to deny paying a claim if an incident is caused by a failure to ensure those controls remain in place.
For example, if a policy was issued to an organization that certified it uses an intrusion detection system (IDS), and then that company suffers a breach that began on a machine that did not have the IDS installed, the insurance company might be able to avoid paying on the claim. Similarly, your policy might require the use of multifactor authentication (MFA) or encryption in certain situations.
At a minimum, make sure that the language of such exclusions is unambiguous, so you know exactly which security controls you need to have in place in order to ensure you are not denied coverage for a cyberattack or other security incident.
Limitation on compliance penalties
In another incident, restaurant chain P.F. Chang’s China Bistro suffered a data breach in which cybercriminals stole 60,000 customer credit card numbers and posted them on the internet. Under the PCI DSS standard, Mastercard imposed over $1.7M in assessments on the company’s credit card processor, which P.F. Chang paid. But when the company submitted a claim for those costs, the insurer denied coverage based on exclusions in the policy, a decision that was ultimately upheld in court.
SEC requirements for publicly traded companies
The SEC, as of July 26, 2023, made a change for publicly-traded companies to now report “cybersecurity incidents they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant.” These incidents will now become public knowledge since they have been costly to customers, as well as for supply chain transparency. This elevates the ability of businesses to protect their value in the eye of stockholders.
Acts of war
For example, pharmaceutical leader Merck and snack giant Mondelez International were among the many companies that suffered serious damage during the 2017 global NotPetya cyberattack. However, their insurers refused to pay their claims for the incidents, saying that the “acts of war” clause in their policies applied because, according to the US government, NotPetya was deployed by a Russian-backed group against Ukrainian entities.
Both policy holders sued their insurance companies. In May of 2023, a New Jersey appellate court upheld an earlier ruling in favor of Merck granting it a $1.4B payout to help cover its losses from the cyberattack. And in November 2022, Mondelez settled a years-long battle with its insurers; details of the deal were not disclosed, but the company had sought compensation for over $100M in losses.
Exactly how these cases will affect the cyber risk insurance industry is not yet completely clear. At the time of the NotPetya cyberattack, Merck held a $1.75 billion all-risk policy, not a policy specifically designed for cyber risks. Mondelez did not have a dedicated cyber insurance policy, either; it held a property insurance policy that included coverage for “physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction.”
Still, the industry is already responding. For example, effective March 31, 2023, Lloyd’s of London requires all standalone cyberattack policies to include a clause excluding liability for losses arising from a state-backed cyberattack or war (declared or not). One thing is certain: Organizations will need to be even more vigilant about examining all the details of any policy they consider purchasing.
Insurance premiums are skyrocketing.
The final drawback to cybersecurity insurance that I’ll mention is the easiest to understand and quantify: Insurance premiums are soaring. One study found that direct premiums increased by 50 percent in 2022. Another article goes further, noting that one global insurance broker said the cost of cyber coverage doubled not just in 2022 but in the two preceding years as well, and another broker pegged the 2022 increase at not 50 percent but 80 percent. Some organizations report paying as much as $1M a year for their policy!
The big question: Is cyber risk insurance the best use for limited cybersecurity budgets?
The core issue with cyber risk insurance, however, isn’t how much it costs or exactly what the insurer will pay for. It’s that cyber risk insurance is simply not a replacement for cyber resilience.
No insurance policy can restore your data.
No matter the price of your policy or the quality of the coverage, no insurer can guarantee that you can actually get your data back.
To illustrate, let’s return to the analogy of homeowner’s or renter’s insurance. These policies typically cover the cost of replacing the contents of the dwelling, such as your clothing, appliances and furniture. In most cases, this is just fine, because you can easily get a refrigerator or couch that is sufficiently similar to the one that was stolen or destroyed. Of course, there are exceptions: the heirloom cradle that your ancestor loving crafted and that has been passed down through the generations, and the old photos that you never got around to digitizing. Your policy simply can’t get those back for you.
Here’s the thing: In an IT ecosystem, those unique treasures aren’t the exception; they’re the rule. Indeed, your IT environment is stuffed to the proverbial rafters with irreplaceable business data, from details about your customers and partners to intellectual property (IP) to financial records and much more. While your policy can enable you to purchase new servers for your data center, it simply can’t restore what was on them.
Planning to pay ransom is not a solid strategy.
But what if you managed to purchase a cyber risk insurance policy that will pay the ransom in case of a ransomware attack? Isn’t that enough?
Well, in the early days of the ransomware explosion, research found that very few organizations that chose to pay the ransom got all of their data back, so this was clearly a wrong-headed strategy. More recently, it seems that ransomware operators have learned that if they want to keep getting paid, they do need to follow through on their promise to enable the organization to decrypt their data. So, if your insurer pays the ransom, you might get lucky.
But it’s still not a viable strategy. For one thing, you instantly become an even more appealing target: One study found that a staggering 80 percent of those who paid were victims of a second attack. Your insurer, which is undoubtedly keenly tracking these statistics, is unlikely to leave itself on the hook for a second payment, so you might find yourself paying out of your own coffers again and again. In addition, governments are beginning to put sanctions in place against making ransomware payments, so your legal team might reject this strategy.
More broadly, while ransomware attacks dominate the news, they are simply not the only type of cyber incident you need to plan for. Some cyberattacks are intent on destruction rather than direct monetary gain: nation-state attacks that inflict collateral damage (like the NotPetya attack described above), attacks by disgruntled employees on their way out the door, denial of service (DoS) attacks by hacktivists against organizations that oppose their ideologies, and more. In all those cases, there is no ransom demand and no decryption key to bring back your data.
Recovering your data does not mean recovering your operations.
There is a more fundamental issue to keep in mind: The irreplaceable “data” in your environment extends far beyond the structured and unstructured content in your email system and databases. It also includes the software you’ve painstakingly installed and configured to enable everything to work. In particular, it includes your precious domain controllers (DCs) — not just each one individually, but all of them working together in harmony to enable users to log in and access the IT resources they need to do their jobs.
In other words, if Active Directory isn’t up and running, no one can make use of any databases or documents, even if you’ve paid a ransom and gotten a decryption key. To return to our homeowner’s insurance analogy, it’s nice if you can get all your furniture back from thieves — but it won’t do you a lot of good if they’ve demolished or burned down your house.
The cost of downtime spirals quickly. In a Total Economic Impact Study that Quest commissioned from Forrester Consulting, each hour that AD is offline was calculated to cost $730,000 in lost revenue. Other research found that 40% of enterprises say that a single hour of downtime costs $1 million to over $5 million. In a worst-case scenario, losses can reach millions of dollars per minute. Fortunately, there’s an alternative to hoping that your cyber insurance policy will actually cover your losses if a disaster strikes.
A better approach: Investing in cyber resilience, with or without cyber risk insurance
Focus on business continuity, rather than data.
Organizations need to broaden their thinking from cybersecurity to cyber resilience. After all, incidents result not from just cyberattacks but a wide range of adversity. For instance, errors by IT admins, power outages and equipment failures can also lead to IT system disruptions or downtime that affect business processes. It’s vital to be able to mitigate the risks of those events occurring in the first place, detect and respond to them promptly if they do happen, and be able to recover as quickly as possible in the worst-case scenarios.
In particular, it’s vital to shift from thinking about disaster recovery as being primarily about data and understand that the real measure of success is how quickly you can restore business operations. The savings from such an approach can be quite dramatic. The Forrester Total Economic Impact Study cited earlier found that the Quest disaster recovery solution would yield $19.7M in potential savings over three years by enabling faster recovery from ransomware attacks.
Reduce your AD attack surface.
Investing in cyber resilience can help you qualify for cyber insurance — or obviate the need for it.
The good news is that the same cybersecurity best practices, from proactive risk reduction to threat detection to a robust disaster recovery strategy, can help you achieve multiple goals at once. You can help your organization qualify for cyber risk insurance and reduce the cost of your policy — while slashing the risk that you’ll ever need to file a claim at all. Plus, you can help ensure compliance with many requirements of the GDPR, PCI DSS, HIPAA, FISMA and a wide range of other regulations.
In fact, strengthening your cyber resilience can help you obviate the need to spend more and more of your budget dollars on cybersecurity risk insurance as premiums continue to rise across the industry. And focusing on cyber resilience is an especially valuable strategy if you are finding it hard to secure a policy, either because you have suffered incidents in the past or your organization is a highly targeted sector like healthcare or finance.
Conclusion
All organizations have constraints on their cybersecurity budgets. One option is to simply spend those precious dollars on cyber insurance. However, if you qualify at all, the bill is likely to start high and multiply each year, and the policy may not even cover the incidents you suffer.
A better choice can be to invest first in improving the processes and controls that will increase your organization’s cyber resilience. That way, you can slash your risk of experiencing breaches in the first place and recover quickly when adversity does arise, while at the same time, helping you qualify for a better policy at a lower cost— if you end up deciding you even still need one.
