Computer system hack warning showing ransomware attack and cyber insurance

Prevention Is Better Than Cure: Ransomware Insurance Is Not a Cybersecurity Strategy

2021 was the year of ransomware, with attacks almost doubling from 2020.

It was already trending upwards before the pandemic but, when the business world suddenly shifted en masse to remote work, cyber criminals jumped at the opportunity to exploit newly exposed vulnerabilities arising in the hybrid work environment.

Work-from-home employees became prime targets for threat actors, and the volume of successful ransomware breaches skyrocketed. And so too did the cost of data recovery.

The latest reporting shows the average total cost of a data breach increased by more than 10% in 2021, from $3.86 million to $4.24 million – the highest on record.

In the vast majority of cases insurance covered these costs for businesses, including ransom payments. However, 2022 is a different story. Just like the cybersecurity threat landscape has evolved rapidly over the past year, so too has the cyber insurance market.

Cybersecurity insurance providers, reeling from an historic couple of years, are maturing their qualification processes and raising the bar for pay-outs, so businesses can no longer rely on insurance alone as a protection and recovery strategy.

The need for a sophisticated cybersecurity playbook, featuring people, processes and technology all working together towards the goal of ‘prevention’, has never been more important. Processes also need to be set up in case of the technology failing or a cybercriminal finding a way around it, including proactive monitoring, rapid detection, immediate response and containment. Insurance remains only as the emergency ‘cure’, as cyber resilience has never been more business critical.

The new ransomware ‘Wild West’

The headline-grabbing, and highly lucrative, successes global cyber gangs achieved with ransomware has not gone unnoticed. And it’s led to a flood of new – often less experienced – players into the market, looking for opportunities of their own.

The problem is not all cybercriminal gangs are created equal.

Previous ransomware developers operated with a level of sophistication and technical ability that allowed them to not only steal and hold a firm’s data, but also to release it intact once the ransom had been paid,

They act like businesses, offering Ransomware-as-a-service (RaaS) and selling their code on the dark web to the highest bidder.  The knock-on effect is this has lowered the barrier to entry to a new wave of criminal gangs.

And not only do these new rogue players lack the same level of skills and knowledge to manage this kind of complex undertaking, but they’re also less interested in playing by the rules established by notable gangs, such as GandCrab. There’s a real danger that victims of the class of ‘22, and beyond, may find themselves paying a ransom without their data being returned. If they pay the ransom even once, companies also run the risk of becoming a target again, as this is a show of weakness to cybercriminals.

Data is priceless and its loss can be crippling for businesses. And even the most expensive insurance cannot bring it back.

So, the only viable option to stop this from happening is to prevent a breach in the first place. This means putting best practice cybersecurity measures in place.

A rising insurance tide raises all standards

In large part, companies that have been falling victim to ransomware have been paying the ransom. This has only acted to encourage bad actors to attack more, with the knock-on effect making insurance providers reassess their policy offerings.

Insurance companies are reacting to the growing number of claims by either raising the prices of their policies or refusing to cover certain vectors of attacks to avoid being left out of pocket. For example, Lloyd’s of London has excluded nation-state attacks from their insurance, while AXA France, a major European insurance company, has stopped covering ransomware payments altogether. Many insurance providers globally have halved the amount of cover they provide after the pandemic and remote working drove a surge in ransomware attacks that left them wincing at the hefty pay-outs.

This raising of prices and pay-out thresholds by the insurance industry is having a positive hidden impact for the business world. It is forcing firms to reassess their defences, weaknesses and ensure they have best practice cybersecurity defences in place. It is also boosting cybersecurity awareness across organisations.

As insurers core role is measuring risks, they require proof that companies are prepared to withstand a future attack, thus pushing businesses to raise their standards.

This one-two punch of more stringent insurance policies and rising prices, alongside the entrance of new ‘Wild West’ ransomware players, is the wake-up call that many businesses need to not view insurance as the security blanket.

To not be hit and stay on their feet, businesses need to take it upon themselves to end their insurance over-reliance and focus proactive measures to defend their data.

One key technology to consider is Extended Detection and Response (XDR).

Greater visibility in a remote working world

XDR enhances the visibility of security operations and boosts the effectiveness of defence teams. These solutions provide more data sources and give security teams more context across their stack, enhancing and supporting the work of existing blue teams with better visibility into threat types, attack vectors, and the scale of the attack across the organisation.

XDR also gives your security teams the tools they need to stop an attack and analyse it by running a cross-correlation of threats based on its behaviour and indicator of compromise (IOC)across the entire environment to ensure your defences are up to date and ready to thwart the next one. XDR also boosts the Managed Detection and Response (MDR) solutions many companies already have in place and the combination of these two technologies is crucial to stop attacks in early stages and prevent ransomware attacks from being successful.

Cyber insurance is increasingly becoming something that organisations will likely need to have in place. But like car insurance and home insurance, it will only cover the worst-case scenario. Having a car and home insurance doesn’t mean you shouldn’t drive safely or lock the doors and windows. Similarly, cyber insurance doesn’t mean companies shouldn’t have a robust and proactive security posture.

When it comes to money, breaches cost companies more than their insurance premiums, as aside from the data loss and recovery process, companies also pay for remediation, reputational damages and regulatory fines. Rising costs usually isn’t a positive thing but, in this case, growing cyber insurance premiums might just be the exception. This should be a call to action for all businesses to urgently review their cybersecurity protocols, and ensure their teams are equipped to identify, report and deal with threats so the shift moves to proactive prevention and cyber resilience from reactive recovery.