Will the Cyber Insurance Market Have to Change in 2022?

Matthew Middleton-Leal, Vice President EMEA at Qualys, looks at how the market is being severely afflicted by the number of ransomware attacks and the ransom fees that hackers are demanding.

Cyber insurance is a growing market – according to GlobalData, it will grow to more than $20 billion (£15 billion) worldwide in premiums by 2025, from around $7 billion (£5.3 billion) in 2020.

These policies help companies know that they can get help in the event of a security incident that affects their operations. However, this market is being severely afflicted by the number of ransomware attacks that are taking place and the ransom fees that hackers are demanding.

Cyber Insurance and Ransomware Responses Evolve Together

In the last year, ransom figures of $40 million (£30.2 million) to $50 million (£37.8 million) went from being ridiculously high to being paid on a consistent basis. Cyber insurance policies were then used to cover those costs.

The upshot of this is that the average value of ransomware payouts has grown, which has attracted more criminal groups into carrying out attacks. This led to more money being demanded, which drove up the amount getting paid out still further. This cycle is unsustainable for several reasons.

The first is that governments are putting together more regulation around security and ransomware payments. In the US, Elizabeth Warren and Deborah Ross have tabled the Ransom Disclosure Act to force all US companies that pay ransoms to announce their payments within 24 hours. These payments may also be illegal, based on the US Treasury’s Office of Foreign Assets Control (OFAC) guidance that ransoms should not be paid to criminal gangs in countries on the prohibited list. In the UK, changes to the Computer Misuse Act should help law enforcement go after criminals.

The second is that all the increases in ransomware payouts are having an impact on premiums. According to Risk Placement Services, costs for premiums on cyber insurance policies have gone up massively, including some up to 300% higher than they were previously. Alongside this, policy limits have come down significantly – where a policy might have provided more than $5 million (£3.8 million) in coverage in the past, now it will only provide $1 million (£750,000) to $3 million (£2.2 million).

Guidance on policies is also evolving. New guidance for Lloyd’s of London members published in November 2021 covered cyber insurance policy design for cyber war and for operations by nation state attackers or by teams associated with nation states. Many bad actors have relationships with their local governments, ranging from local law enforcement turning a blind eye, through arm’s-length management, to tacit approval of their activities, so they would potentially be covered by these new model clauses.

The Impact for Security Teams

The impact here is that companies will have to spend more on their policies in order to get less coverage. Ransomware has become like a pre-existing condition in other industries – while it might be possible to retain coverage for the impact of an attack, it will be based on carrying out a lot more proactive planning and management around the condition first.

This will filter down to how companies think about security overall. Rather than using insurance as the lead approach to risk management and mitigation, companies will have to focus more on their IT security strategy first and how they prove that best practices are being followed. Insurers will want to see evidence that companies have put the right processes in place if they are going to provide high levels of coverage like they did in the past.

Evidence of successful prevention approaches such as vulnerability management and endpoint protection should help keep premiums down, but these have to be continuously updated and monitored in order to be useful. Similarly, taking a proactive approach to patches and updates can help protect employees against potential risks. For larger enterprises, prioritising the most serious issues first will make this easier. Many companies still struggle to get these basics right, so the change in emphasis can help them secure the support and budget needed to make those processes work in practice.

Cyber insurance is necessary for businesses, and it can help them get back to normal operations after an incident. However, these policies can’t be used as a substitute for security best practices and getting the basics right. The change in the market around ransomware, and the increase in premiums, will put the emphasis on how companies manage risk overall. The days of being able to rely on cyber insurance alone to achieve this were always numbered, but the spate of ransomware attacks this year has made that all too clear.

By Matthew Middleton-Leal, Vice President EMEA, Qualys.
