Why Cyber Insurance Won’t Protect Your Business from Ransomware
Strict standards and rising insurance premiums are threatening to undermine the cyber insurance model.
Updated: Sept., 2023
Despite lots of attention from the national media and cybersecurity experts, the threat of ransomware attacks remains. According to the cybersecurity firm Malwarebytes, the number of ransomware attacks remains at record highs after the COVID-19 pandemic, meaning that businesses must remain extremely vigilant about this threat.
This isn’t just cybersecurity hyperbole. In just the last 12 months, several major companies have fallen victim to ransomware attacks. Here are just a few of the bigger cases:
- The UK’s Royal Mail fell victim to the LockBit variant, blocking all their international shipments. The hackers asked for $80 million, which the Royal Mail chose not to pay, and their data was leaked online.
- The U.S. Marshals Service experienced a devastating attack in February of this year that took their “most critical tools” offline for 30 days, and leaked PII and other sensitive documents online.
- The Medusa variant struck the Minneapolis Public School System, exposing a trove of sensitive data, including information about sexual assault cases, medical records, discrimination complaints, and social security numbers.
These are just the high-profile attacks. According to research by Astra Security, small businesses in America are breached by cyber criminals every 14 seconds, with many businesses not even knowing that they’ve been compromised until it’s too late.
But I Have Cyber Insurance, Isn’t My Business Protected?
To counter the threat of ransomware, some businesses have started to rely on cyber insurance policies, which compensate them for the costs associated with recovering from a ransomware attack, such as hardware replacement, engineering man-hours, forensic work, and others.
Just a few years ago that may have been a sound strategy, but no longer. Insurance companies that struggle to pay ever-growing claims have started to take steps to protect themselves. This includes limiting the types of protection they offer, raising the standards for coverage, and increasing their premiums.
How much of an increase? According to research by Bloomberg News, cyber premiums surged during the COVID-19 pandemic by over 50% in 2022 alone. That’s on top of an increase on average between 10% and 30% from 2020 until 2022. However, higher premiums are just one reason why your business can’t rely on cyber insurance as protection from ransomware.
The Hidden Cost (and Danger) of Relying on Cyber Insurance
Higher insurance premiums are not the only downside to over-reliance on cyber insurance; some experts believe that it lulls businesses into a false sense of security.
That’s what happened at Heartland Payment Systems, a payroll and credit card processing firm that bought a $30 million cyber insurance policy, only to later face a $115 million bill for the remediation of a devastating ransomware attack.
In cases like this one, insurance provides a feeling of invulnerability. The problem is that many cyber insurance policies will not cover attacks that originate from a staff member of your firm, meaning that a well-optimized cyber defense is still absolutely essential to avoiding downtime and huge damages.
There may be other unintended consequences of having insurance as well. This paper from the Royal United Services Institute (RUSI) finds that criminal gangs are now actively targeting companies that hold cyber insurance policies, because they know that they’re far more likely to receive their money from insured companies. These reliable payouts give criminals the resources and confidence to launch more ambitious attacks.
So, what should businesses in Ohio do?
Ransomware Demands an Emphasis on Cybersecurity Fundamentals
To purchase cyber insurance and keep your premiums within reason, businesses will have to view insurance as one part of their security toolbox. That means revisiting all their security controls and ensuring they’re up to standard.
Here are some of the steps that you should take in addition to purchasing cyber insurance.
- Regular Security Assessments
Your network changes every day. The only way to keep such a dynamic environment secure is with regular cybersecurity risk assessments from a team of experts. The regular assessments we perform help businesses find weaknesses in their hardware, software, and business processes, so that they can best allocate security manpower and resources. Here’s more information about our network security assessments.
- Vigilant Security Awareness Training
Your staff is the first line of defense against ransomware. Keeping them aware of the latest ransomware and hacking methods (which are constantly changing) is the single greatest way for you to defend your business and demonstrate preparedness to an insurer. Topics that you should include in your employee training include email security and phishing, password hygiene, physical security best practices, and the dangers of using social media at work.
- Deploy Multi-Factor Authentication
Multi-factor authentication (MFA) requires a second method, or “factor,” beyond a password to access your network systems. This additional factor is often biometric information like a fingerprint, or a temporary one-time code sent to a trusted mobile device. MFA is considered one of the most cost-effective and impactful security steps a business can take.
- Harden Your Network and Technology
For criminals to take your network hostage, they must have an entry point. The most common way into a business network is through outdated hardware or software systems, which is why you should be vigilant about applying new software patches and firmware as they’re released, then testing to make sure they haven’t harmed the stability of your network.
- Employ a Risk Management Framework
Enterprises have long employed security frameworks like the National Institute of Standards and Technology (NIST) Cybersecurity Framework to better assess risk and build meaningful protections. Now that cybersecurity is such a major concern, small and midsized businesses in Ohio should be looking for in-depth guidance from NIST and similar frameworks to guide their efforts.
- Monitor Your Network Security
Do you know if an unauthorized party has entered your network recently? The unfortunate answer is, probably not. The average “dwell time,” the measurement of how long a criminal remains undetected in your network, is now 8 days. To ensure that you detect and respond to threats quickly, you’ll want to deploy systems for network monitoring and intrusion prevention, then maintain them so they always offer optimized defenses.
20 Years of World-Class Cybersecurity Service for Ohio Businesses
Cyber insurance premiums may be on the rise, but the cybersecurity team at Astute Technology Management can help. We’ll guide you through the process of optimizing your cybersecurity defenses, ensuring that you’ll qualify for the cyber insurance you want while keeping premiums under control.