Girls take shelter with umbrellas from strong wind and rain showing cyber insurance coverage for ransomware payment

“Cyber Insurance Gap” Growing as 80% Of Business Coverage Below Median Ransomware Payment Demand

Cyber insurance cost and terms has been an issue for businesses of all types since 2021, when the soaring cost of ransomware payments and remediation caused insurance firms to re-evaluate their options. A new study from BlackBerry and Corvus Insurance finds that this new landscape is causing a chronic shortage of cyber coverage for businesses.

Cyber insurance shortfall: 80% of businesses would not have enough coverage for current median ransomware demand

The survey included 450 IT and cybersecurity decision makers at firms located in the US and Canada. Organizations in this part of the world now face an average ransomware payment in the millions of dollars, and the median cost of investigation and recovery is $2.4 million.

However, only 55% of the organizations surveyed are carrying any cyber insurance at all. And of those that are insured, just under 20% have more than $600,000 in coverage; not enough to meet the usual ransomware payment, let alone the potential cleanup costs.

Small- and medium-sized businesses are having particular difficulties. They often simply do not have enough funds to cover premiums, and are facing potential ruin if hit by a cyber attack. Only 14% of small businesses with under 1,500 employees are carrying $600,000 or more in cyber insurance coverage. Additionally, 37% of those that are insured have no coverage for ransomware payments, and 43% are not carrying coverage for auxiliary remediation costs such as downtime and legal fees.

Even though the majority of businesses are lacking proper coverage, they nevertheless say that they are looking for their partners to carry adequate cyber insurance. 60% of respondents said they would re-evaluate business partnerships if the partner was not carrying “comprehensive” cyber insurance coverage, and 68% of IT professionals said they would re-evaluate these relationships if partner cybersecurity practices (such as technology implementation) were lacking.

The study notes that, in addition to a general increase in cost and a tightening of terms and covered events, cyber insurance firms are also increasingly asking customers to demonstrate key security benchmarks when they come on board or renew policies. This is another area that can trip up small businesses due to lack of budget or lack of readiness. Some businesses do not realize that what insurers primarily want to see is well-implemented endpoint detection and response (EDR) software, something that they may not learn until it is in a letter explaining why a request for coverage was denied. 34% of the survey respondents were denied for just this reason.

Shawn Surber, VP of Solutions Architecture and Strategy with Tanium, questions how useful the implementation of EDR software really is in making this sort of cyber insurance determination: “Costs vary significantly and are difficult to project not because of the maturity of a cybersecurity program, but instead hinge upon how mature their operational disaster recovery and business continuity plans are. Solutions like EDR can lead to a false sense of security because once a threat is detected, it might already be too late. What this means is that organizations need to focus on visibility and control over their environment before a ransomware attack, rather than after. This requires close integration between operations and security teams as well as consolidation of their tools so they’re operating from the same source of truth, the actual state of the endpoints and devices on their network.

“Ultimately cyber insurance might require a business to undergo a “physical” much like someone would do for a life insurance policy, to verify the current state of their cybersecurity posture and the corresponding insurance needed to protect their interest. The ideal scenario would be for cyber insurers to be able to actively poll their customer networks to determine vulnerabilities as new threats are discovered to help ensure their environments are continuously protected.”

Organizations hoping for government help with ransomware payments may be in for rude awakening

All of this unfolds amidst a ransomware industry that has grown like a wildfire in recent years and is broadly projected to continue growing into the near future. When one major ransomware gang is taken down, one or more pops up to replace it (and often adds new “features” to boot).

If organizations cannot or will not carry cyber insurance coverage that meets realistic anticipated costs, how do they plan to deal with an unexpected ransomware payment? The majority (59%) say that they are expecting the government to bail them out, at least if the attack can be linked to a nation-state. In August the government rolled out the “StopRansomware.gov” website to centralize recovery resources and more quickly provide crisis assistance to organizations, but recovery assistance funds are limited and depend on qualifying criteria.

The survey results happen to come as Lloyd’s of London recently announced that their network of insurers would no longer be covering damages caused by nation-state hacking incidents; while they are far from the only option on the market, this is a trend that could spread to other insurers (particularly if it holds up to inevitable court challenges).

This leaves underinsured organizations to simply hope that the government increases its aid to victims of ransomware, a shaky position at best given economic and budget realities and the likelihood of a larger amount of victims needing an ever-increasing amount of assistance. Gary Davis, senior director of cybersecurity at BlackBerry, expressed serious concern at the amount of organizations putting their faith in government aid; BlackBerry’s suggestion is that firms with IT budget problems look to a cybersecurity managed service provider (MSP) that at least meets the minimum standards required by cyber insurance policies. Insurance providers may also decrease rates substantially if organizations are willing to share security posture insights, somewhat akin to the auto insurance discounts offered for installing a monitoring device.

John Gunn, CEO of Token, believes it is imperative that organizations carry adequate cyber insurance even if it is difficult to put into place: “The report underscores the fact that an “Ostrich-approach” is no longer viable in an era of hyper-aggressive ransomware attacks. Every organization, and especially SMBs, are at increasing risk every day. Since most attacks start with compromised user credentials, insurance is the smartest place to start in establishing proper defenses.”