In recent years, the frequency and sophistication of ransomware attacks have continued to escalate. In many cases, those attacks have piled up significant costs for their victims, and not just from the ransom payment. Extended downtime after an attack, expensive recovery efforts and reputational damage all hurt an organization’s profits after a breach.
“The actual cost of a ransomware attack extends far beyond the ransom payment — it can add up to be 7 times the ransom demand,” notes NetApp in a blog post.
“As far as overall costs go, experts estimate that the ransom payment adds up to only about 15 percent of the total cost of the ransomware attack,” the post continues. “And the real stinger in all of it is that only 1 in 7 organizations who pay a ransom actually get their data back.”
Some Vendors Offer Warranties Along with Cyber Insurance Policies
Cyber insurance is a growing trend and, in many cases, an operational requirement. However, some organizations don’t have the resources to self-insure. For smaller organizations, there are still ways to reduce the cost of cyber insurance premiums. Tony Roberts, senior solutions engineer at CDW, notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.
In April, Rubrik made two groundbreaking announcements about its ransomware warranties. In a press release published during this year’s RSA Conference in San Francisco, Rubrik said, “With the rapid growth of cyberattacks, organizations share the same concern: ‘If we get hit by ransomware, can we recover?’” The company’s response was to increase the value of the warranty it offers as part of its cyber insurance policies.
“Rubrik is confident in our data security solution and committed to a shared responsibility between customers and software vendors,” the release notes. “As such, we are putting more skin in the game by doubling our warranty to $10 million.”
In addition, Rubrik issued a separate press release to announce its partnership with Zscaler to offer a double extortion ransomware solution. “Rubrik’s integration with Zscaler Data Loss Prevention proactively identifies sensitive business data across enterprise, cloud and SaaS environments so that specific data protections can be implemented easily to prevent data loss,” the release noted.
Larger Organizations May Consider Self-Insuring Against Ransomware
While cyber insurance can help to defray the costs of a ransomware attack, it also can be a beacon to cybercriminals, indicating a willingness to pay the ransom they intend to demand. In some cases, organizations might want to consider self-insuring to protect themselves in the event of a ransomware attack.
“Self-insurance basically becomes a line item in the budget,” explains Jason Cray, data protection strategist at CDW. “They budget and say, ‘We already pay X amount on premiums to an insurance company to have insurance. Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.’”
Some Cyber Insurance Companies Are Tightening Their Payout Policies
According to Heidi Shey, principal analyst at Forrester, “Cyber insurance is only one component of a bigger enterprise cybersecurity risk management program. However, the cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage and a demand for policies that outweighs available supply.”
After years of affordable and readily available policies, she says, “the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.” Cray says he has picked up on similar shifts in the cyber insurance market. He and Tony Roberts, senior solutions engineer at CDW, have both noticed new limitations on cyber insurance policies during their work with CDW customers.
“The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”
Cray agrees, citing insurance companies’ use of overly complicated paperwork. Insurance applications used to pose 20 to 30 questions, Cray says, but those forms now routinely include more than 400 questions worded in conflicting or confusing ways that make them difficult for applicants to answer.
Regarding questions about an organization’s immutable storage, Cray says, applicants might wonder, “‘Do I answer yes? My answer is yes.’ And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’” Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “That’s the reality of what clients are facing today,” Cray says.
“It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance. Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’”
“I think companies have to take a look at that from a risk perspective,” Roberts says.