Cyber Insurance in the Fight Against Ransomware

Cyber insurance underwriters ask more probing questions, condition coverage on strong security controls

Increasing Web Compliance Awareness for ADA

The sustained surge in ransomware attacks has hit the cyber insurance market hard.

The surge started a couple of years ago and accelerated since early 2020, and it has caused both greater frequency and severity in the claims made under cyber insurance policies. Ransom payments toward the end of 2020 averaged in the hundreds of thousands of dollars, with some in the millions.

Beyond the cost of the extortion payment itself (when paid), ransomware typically triggers many other losses and expenses that can be covered by cyber or cyber/E&O policies. Some of these include breaches of personal information, business interruption and extra expense, data recovery, regulatory investigations, fines and penalties, and (in cyber/E&O policies) liabilities for the failure of products or services. Such costs are often several times greater than any ransom payment.

Cyber insurers respond to the new marketplace due to ransomware

Cyber insurers are scrambling to try and stanch their losses. They have increased their premiums for both new business and their own renewals, often in the range of 15-50% or more. They have in many cases imposed coverage limitations, including sublimits on certain key coverages and even outright exclusions, based on vulnerabilities to specific high-profile breaches such as those involving SolarWinds, Microsoft Exchange Server and Accellion.

Insurers have adapted their underwriting practices as they scramble to keep up with the changed exposure landscape caused by the explosion in ransomware. They have also examined their ransomware claims, seeking to identify vulnerabilities commonly exploited in successful attacks. Their findings have driven them to ask more probing questions during the underwriting process and to raise their thresholds for what they consider to be satisfactory responses.

As a result, organizations buying cyber insurance programs in the last few months have had to answer more extensive and probing questions from underwriters. The premiums quoted and the quality of the coverage terms offered are now far more sensitive to underwriters' higher thresholds for satisfactory answers.

Cyber Insight Series

Learn More

Many cyber insurers are now requiring insureds to complete special ransomware supplemental applications as a condition of coverage – or even of offering terms. Some cyber underwriters mandate use of their own applications (there are more than a dozen currently in use) for renewals, although most will accept competitors' applications to quote what would be new business to them. They are also asking additional questions during the underwriting process. Some who accept competitors' applications in order to quote will still require submission of their own applications prior to binding.

Ransomware concerns and best practices on addressing them

Insurers are looking for the use of security controls that they consider effective at preventing, detecting and remediating malicious activity at various stages of the ransomware lifecycle. While cyber insurers ask a wide range of questions in their applications, certain central themes have emerged that point to their principal ransomware concerns and the security controls they believe best address them. Below are some of those concerns, with what appear to be the most frequently mentioned controls italicized.

Keeping the attackers and their malware out of the network

Multi-Factor Authentication (MFA) – including whether MFA is required for access (1) to the network generally, (2) to privileged accounts, (3) to web or cloud-based email, (4) by vendors, and (5) to online backups.
Patch management/patching cadence
Employee training – phishing training/testing
Remote Desktop Protocol (RDP) – e.g., remote access controls (VPN, network-level authentication, MFA), firewall configuration
Presence/management of End-of-Life (EOL) software
Email/web filtering and response systems – Sender Policy Framework (SPF), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance)
Microsoft Office 365 – e.g., Data Loss Prevention, Advanced Threat Protection add-on

Detecting network intrusions and suspicious behavior

Endpoint Protection Products (EPP) and Endpoint Detection and Response (EDR) Products
Vulnerability scans
Other Endpoint Protection solutions – such as signature and behavioral-based antivirus products
Intrusion Detection Systems and Intrusion Prevention Systems
Security Incident Event Management (SIEM)

Protecting user and privileged accounts/limiting the attackers’ lateral movement

Identity Access Management (IAM)/Privileged Account Management (PAM)
Network segmentation/segregation
Configuration management practices – hardened baseline configurations
Service account management

Preparing for, responding to, and mitigating an attack

Backup practices – use of encryption; maintenance of backups online, offline, onsite and offsite; testing of restoration from backups
Incident response/ransomware plans – frequency of testing, table-top exercises
Disaster recovery/business continuity plans – Recovery Time Objectives (RTO)

Choosing the best cyber insurance terms for your organization

Obtaining the best available cyber insurance program requires putting your best foot forward and offering cyber underwriters a complete and nuanced understanding of your cyber risk profile. Doing so is a time-sensitive, labor-intensive process that requires ongoing contributions from many people both within and outside of the organization. By starting early with the right team and the right focus, a company can position itself to obtain the best cyber insurance terms available for its particular exposures in the current choppy market. Talk to a Gallagher cyber specialist today, and learn more about how you can effectively manage and transfer your changing cybersecurity risks.

Author Information:

John Doernberg

National Director, Cyber Practice

Phone Number (617) 646-0336

Disclaimer

Disclaimer: The information contained herein is offered as insurance Industry guidance and provided as an overview of current market risks and available coverages and is intended for discussion purposes only. This publication is not intended to offer legal advice or client-specific risk management advice. Any description of insurance coverages is not meant to interpret specific coverages that your company may already have in place or that may be generally available. General insurance descriptions contained herein do not include complete Insurance policy definitions, terms, and/or conditions, and should not be relied on for coverage interpretation. Actual insurance policies must always be consulted for full coverage details and analysis.