Ransomware: The role of cyber insurance in protecting businesses

Ransomware can take several forms, but in its most common guise it involves the use of malware that infiltrates a network and encrypts critical files. This may be business information such as databases or critical files that render a device unusable. The hackers then demand payment in order to grant businesses access to their data again.

Increasingly, however, ransomware doesn’t end at simply encrypting files. Another growing trend is extortion, where data is also exfiltrated from a network. Hackers then demand further payments to prevent them publishing sensitive private data online.

Ransomware has become a hugely popular form of cybercrime for hackers as it’s relatively cheap and fast to deploy and offers the potential for large gains. Self-contained kits can be easily found on the dark web, meaning even criminals without advanced hacking skills are able to effectively launch such attacks.

As a result, ransomware is booming. Figures from International Data Corporation suggest that in 2021, more than a third of organizations globally fell victim to a ransomware attack, with the average payment almost a quarter of a million dollars.

The UK’s National Cyber Security Centre, meanwhile, declared in its 2021 Annual Review that ransomware has now become the “most significant cyberthreat” facing the country, due to its potential impact on areas such as critical infrastructure.

For businesses, the impact of ransomware can be huge, with the effects extending far beyond individual companies. For instance, consider the case of energy infrastructure firm Colonial Pipeline, which fell victim to a ransomware attack in 2021 that led to long lines at gas stations across the US east coast as the attack disrupted critical infrastructure supplies.

Another growing trend is the rise of secondary tactics such as data exfiltration and extortion. In this ransomware variant, hackers

actively steal private data instead of merely encrypting it, then threaten to release it publicly unless more ransoms are paid.

This can be especially harmful for businesses if highly sensitive material such as trade secrets get exposed. What’s more, publicly releasing data such as customer financial details can not only increase a firm’s risk of facing regulatory action, but can result in severely damaged reputations or the potential for class-action lawsuits.

Cybersecurity insurance has long been an important protection for firms concerned with the threat of data breaches. But policies that offer specific protection against ransomware attacks are becoming increasingly popular.

For instance, one insurer, AIG, reported a 150 percent increase in ransom and extortion claims between 2018 and 2020, with these now being responsible for one in five insurance claims. So what do these policies offer?

This type of insurance essentially allows businesses to claim back the costs associated with these attacks. While many enterprises may see this as a way to recoup the direct financial cost of any ransom they pay, it does not end there.

Ransomware protection is often covered as part of cyber liability insurance, so there is no ‘standard’ policy, with the specifics varying significantly depending on the cyber insurer. However, many insurers are increasingly offering standalone cover that may be especially useful to businesses in industries that may be most at risk of this type of attack.

As well as helping meet the costs of a ransom demand, a good cyber insurance policy may assist with a range of associated costs.

This often includes business interruption expenses, hiring specialist third-party consultants to negotiate with hackers, controlling reputational damage, digital forensics activities, replacement hardware or data restoration, and increasing the resilience of systems to prevent future ransomware infection.

Many companies’ main incentive to pay a ransom is to ensure they can get back up and running again. For organizations that may not have extensive backups in place, or run critical services that cannot afford to be offline for any length of time, this can reduce the overall impact of the attack, and may end up costing them far less in the long run compared with the time and investment needed to rebuild systems or compensate customers.

However, there are also many disadvantages of paying a ransom. Firstly, it greatly increases the chances that businesses will be subject to repeat attacks. Indeed, it’s estimated that 80 percent of businesses that pay to regain access to their files are attacked for a second time.

What’s more, even if firms do make a ransom payment, this is no guarantee that they will regain access to their data. On many occasions, decrypted or returned data may be incomplete or corrupted, and will require significant time to organize and verify, while in some cases, hackers may simply take the money and disappear.

Ransomware insurance premiums have risen significantly in recent years, which reflects the growing threat posed by these attacks. In many cases, costs have risen by around 40 percent as cyber liability insurance providers look to mitigate their own risks as ransomware payments continue to rise. Despite this, they may still represent value for firms when compared with the overall cost of a data breach without protection.

It’s also important to remember that having a data breach insurance policy that covers ransomware does not necessarily mean you can expect to be reimbursed for any ransom payments. In fact, many insurers now place limits on how much they will pay out for such a breach, and in what circumstances.

For instance, many cyber insurance policies won’t cover losses they define as acts of war or cyberterrorism. This can be a wider exception than firms may think, with some insurers classifying the 2017 NotPetya attack under this category, for example. Other exclusions may be made if insurers determine companies failed to follow best practices or maintain standards.

However, different insurers may have their own definitions of what these standards involve, so it’s vital firms study their policies carefully and ensure they are clear on the language they use.

While ransomware insurance is an important piece of the puzzle when it comes to protecting yourself from cyberthreats such as extortion, it shouldn’t be something you rely on too heavily. Prevention is always better than cure, so you must have strong defenses in addition to these tools to avoid falling victim in the first place.

Although it can help with the recovery process should you fall victim to a cybercrime incident, ransomware insurance should be viewed as a last resort rather than a first line of defense.

For instance, consider ransomware protection as analogous to a home insurance policy. While it may compensate you for any direct losses, you are still expected to invest in security systems such as strong locks or burglar alarms, as well as remember to take basic precautions such as not leaving windows open.

Indeed, just as is the case with other types of insurance, if an investigation determines your business has been negligent, then a provider won’t pay out. What’s more, a growing number of firms are starting to reconsider offering reimbursements for direct ransom payments amid concerns that this will only encourage businesses to pay up – and in turn, lead to more attacks.

Ransomware security therefore needs to encompass a full range of tools, from intrusion detection and prevention software and internal monitoring through to anti-data exfiltration (ADX) that can help prevent extortion by ensuring criminals are unable to steal data.

In many cases, having such technologies in place will be a prerequisite for any good cyber insurance policy, with diligent providers insisting on a secure foundation before they will agree to cover a business. As such, while insurance is a highly valuable supplement to a strong cyber security defense platform, it’s not an answer by itself.

Find out more about how Blackfog ransomware prevention helps keep your business safe or sign up for a free seven-day assessment of our technology.