Cyber Insurance in the Age of Ransomware: Protection or Provocation?
Businesses are increasingly facing the threat of cybercrime, particularly ransomware. This malicious software encrypts files or locks users out of their systems and demands a ransom for the decryption key; many groups now also steal data first and threaten to publish it if the ransom is not paid. The surge in such attacks has driven the growth of cyber insurance, a specialized coverage designed to mitigate the financial risk of cyber incidents.
This insurance has become essential for many businesses, covering the costs of data breaches, business interruption, and cyber extortion. As ransomware grows more sophisticated, cyber insurance serves as a financial safety net that evolves alongside the threat. But is that a good sign?
The Insurance Industry’s Response to Ransomware
As ransomware attacks have become more frequent and severe, the cyber insurance industry has had to recalibrate its approach. Insurers are now raising premiums and setting more stringent coverage conditions to manage the increased risk. The industry is witnessing a shift where detailed proof of an organization’s cybersecurity measures, like multifactor authentication, is becoming a standard requirement for policy approval. This adjustment reflects insurers’ efforts to balance the need to provide coverage while managing their risk exposure in an environment of escalating cyber threats.
With the increasing demands of cyber insurance, the emphasis on cyber hygiene has become more pronounced. Insurers scrutinize the cybersecurity practices of organizations seeking coverage. Effective cyber hygiene, such as regular, tested, offline backups, patched and hardened systems, and employee training, is often a prerequisite for obtaining insurance. This focus on preventive measures reflects the insurers' strategy of encouraging better cybersecurity practices, ultimately aiming to reduce the likelihood of incidents and to manage their own risk more effectively. In short, an organization must already have completed many of the necessary cybersecurity steps before it can obtain insurance at all.
Although this is a positive development, it raises a question: if a ransomware attack succeeds not through a zero-day or some other sophisticated technique but through an ordinary lapse, such as a phished password, a missed patch, or an account without the MFA the policy required, will the company's coverage still be valid? Minor human errors cause a large share of cyber incidents, so this is exactly the scenario a policyholder should expect to be tested on at claim time.
Insurance as a Double-Edged Sword in Ransomware
The ethical and strategic challenges in the context of ransomware and cyber insurance are indeed multifaceted. The core ethical dilemma centers on whether paying ransoms through insurance coverage inadvertently fuels the ransomware industry. This situation places businesses and insurers in a complex position, weighing the immediate need for financial recovery against potentially encouraging further cybercrimes. Strategically, companies must decide whether to rely on insurance and how much to invest in cybersecurity and balance these factors. This situation also raises broader questions about the role of insurance in cybercrime and the responsibility of businesses in preventing such incidents, emphasizing a proactive versus reactive approach to cybersecurity. Let’s look at an example:
The first thing you see when you enter the Snatch group's leak site is a message addressed to insurance companies. The criminals are trying to turn insurers and their customers against each other, implying that many victims are in this situation because of their own mistakes, which is precisely the argument an insurer could use to deny a claim. This paradox leaves both insurers and policyholders in a difficult position and leads to problems such as higher premiums and sometimes excessive controls. It also shows how closely ransomware groups follow the insurance market.
A Washington Post article on ransomware and insurance was shared and discussed on the Snatch group's Telegram channel. Such paradoxes, together with the threat of legal and regulatory penalties, can become new levers that ransomware groups use to extort their victims.
In another striking example of how far ransomware groups will go, the ALPHV group claimed that a company it had allegedly breached in the preceding months had not reported the incident, and filed a complaint with the SEC against the company for failing to disclose it. This was the first publicly reported case of a ransomware group weaponizing the SEC's disclosure rules as extortion leverage.
The Future of Cyber Insurance in the Face of Ransomware
Looking towards the future, the cyber insurance market will probably continue to evolve in response to ransomware's growing threat. Insurers will keep adjusting their policies and premiums to reflect the increasing sophistication of attacks. This dynamic landscape presents ongoing challenges for both insurers and policyholders and requires constant adaptation to the rapidly changing nature of cyber threats.
In light of the SEC's newly adopted rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies, several predictions can be made about the evolving landscape of cyber insurance requirements:
Increased Emphasis on Incident Disclosure:
The SEC's rules require public companies to disclose material cybersecurity incidents promptly. As a result, cyber insurance requirements are likely to emphasize an organization's ability to report incidents promptly and accurately. Insurers may request detailed incident reports, timelines, and impact assessments as part of their evaluation, and a company that cannot reconstruct what happened and when will struggle to satisfy both the regulator and the insurer.
Focus on Cybersecurity Risk Management Processes:
The new rules require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. Insurers may incorporate an evaluation of these processes into their risk assessments for underwriting policies. Insurers may view organizations with robust and effective cybersecurity risk management procedures more favorably.
Board Oversight and Management Expertise:
With the introduction of Regulation S-K Item 106, which requires disclosure of the board of directors’ oversight and management’s role and expertise in assessing and managing cybersecurity risks, insurers may place importance on governance structures. Companies demonstrating strong board oversight and management expertise in cybersecurity may be considered lower risks and could receive more favorable cyber insurance terms.
Timely Reporting Requirements:
The rules set specific timelines for disclosing material cybersecurity incidents: a Form 8-K must be filed within four business days of the company determining that an incident is material. Cyber insurance policies may now include provisions for timely notification of the insurer that align with the SEC's deadlines. Insurers may seek assurances that organizations have processes in place to meet the required disclosure timelines, so that potential exposure can be assessed and mitigated promptly. Note that the materiality determination itself must be made without unreasonable delay, so the clock cannot be stalled by postponing that decision.
Structured Data Requirements:
The SEC rules require the new disclosures to be tagged in Inline XBRL. Insurers may fold this into their assessment processes and seek assurances that organizations comply with the structured data requirements. This could become a factor in determining cyber insurance eligibility and terms.
International Compliance Expectations:
Foreign private issuers are subject to comparable disclosure requirements. Insurers may consider international compliance when underwriting policies for multinational companies, and compliance with regulations in multiple jurisdictions may become a standard consideration in cyber insurance underwriting.
In conclusion, the relationship between cyber insurance and ransomware is complex and still evolving. Businesses must navigate this landscape by balancing robust cybersecurity measures with appropriate coverage. As ransomware threats continue to grow in sophistication, both insurers and policyholders need to adapt their strategies. Understanding the exact terms of a policy, including the security controls it requires and the conditions under which a claim can be denied, staying current with industry changes, and maintaining strong defenses cannot be overstated in this threat environment.