The evolving role of cyber insurance as part of a layered security strategy

February 28, 2022 by Patrick Mallory

In May 2021, Colonial Pipeline fell victim to a sweeping ransomware cyberattack that prompted the fuel supply company to shut down 5,500 miles of pipeline, casting broad disruptions across the Southeast United States. 

Following days of intense news coverage and quickly rising fuel prices, it was later revealed that Colonial Pipeline had paid almost $5 million in ransom to the cybercriminals, allowing the company to slowly recover from the attack and resume fuel distribution. In another surprising turn in this landmark attack, the FBI confirmed in early June that it had recovered $2.3 million of the ransom paid to the group.

While ransomware attacks have unfortunately become a regular, and growing, threat to businesses of all industries worldwide, the scale and cost of this attack, and the fact that the ransom was actually paid, have prompted more discussion about the role of cyber insurance as part of an organization’s layered security strategy.

This article will explore some of the recent trends in cyber insurance and how organizations can adjust their security controls in an attempt to stay ahead of tomorrow’s threats.

The rise and role of cyber insurance

When one thinks of cybersecurity, the first controls that come to mind are firewalls, antivirus, VPNs and phishing training. But, especially today, cybersecurity is about much more than that.

Today, cyber insurance plays a significant role in helping many organizations mitigate, or transfer, the risk that remains after their policy and technical controls have been applied, making it one more layer in a layered defense.

However, cyber insurance has not always played that role.

“Cyber insurance started out in the late ’90s, and it was really data security protection or network security protection policies. For a very long period of time, there were very few players in that segment. It was profitable,” notes Steve Whelan, Director of Management/Professional Liability Product Development at Verisk, in a recent Infosec Resources webinar. “But in the past two years, we’ve seen significant changes in cyberspace. We are seeing limits being cut down from traditional carriers and many new carriers in the marketplace — maybe one or two dozen carriers that will write cyber on a primary basis.”

At the same time, organizations and cyber insurance carriers are confronting an unprecedented level of ransomware. According to one study by MSSP Alert, there was a 134% jump in the number of attempted ransomware attacks from 2020 to 2021, affecting organizations regardless of industry or scale. And the average ransom payment per attack has also risen drastically, jumping 82% from 2020 to $570,000, according to a Palo Alto Networks article.

“So who’s making out with so many ransomware payments? The criminals, and only the criminals,” notes Whelan. “It’s not really helping our insureds by paying it out.”

The result of these diverging trends is that carriers are either eliminating ransomware coverage or raising deductibles and premiums, while also raising the bar of security controls an insured must have in place to keep its policy in force.

How security leaders can be prepared for the new cyber threat landscape

According to Whelan, despite the drastic fluctuations in ransomware and cyber insurance, the basic cybersecurity principles and foundations still apply, because an organization that neglects them can jeopardize its coverage.

“For instance, a company is not using the latest software that they have from a vendor because they’re just saying it’s too expensive to upgrade right now. Then they get hit with an attack.”

Unfortunately, continues Whelan, that organization will then also face cyber liability for failing to maintain, patch and upgrade its systems.

So what can organizations with cyber insurance do to be ready for tomorrow’s cyber threats? Whelan advises organizations to ensure that they have controls that at least include:

  • External and internal firewalls in place
  • Regular security and phishing awareness training and testing for all employees
  • A VPN or other data encryption technologies for data in transit
  • A cybersecurity policy that is constantly maintained and acknowledged across the organization
  • Standard asset management, password, and identity and access management policies
  • Frequent backups of critical data, on a schedule that fits the organization’s operational situation
  • Multi-factor authentication
  • Security compliance requirements for third-party vendors, and enforcement of those requirements

What’s next for cyber insurance

Like other aspects of the technology world, what’s next for cyber insurance is largely unpredictable, even for experts like Whelan. 

“When people look back and analyze their books, their losses and what has happened in 2021, you may see more of [change] coming down the pike in the insurance industry,” notes Whelan. “We are not a hundred percent sure what they are yet, but we’re monitoring that and keeping an eye on it.”

So what are those areas that Whelan and his colleagues are “keeping an eye on”? 

Potential for congressional action on ransomware

Currently, because of the risk of civil penalties, U.S. organizations cannot pay ransoms to individuals, entities or jurisdictions subject to OFAC sanctions, according to the U.S. Treasury; the same restriction applies to the insurers and incident response firms that facilitate a payment on an organization’s behalf.

But MarketWatch reports that there is the potential for additional, comprehensive federal legislation or executive orders to define whether ransoms may be paid at all. Such a ban would aim to reduce the profitability of ransomware attacks, but how it would be implemented and how it would affect the insurance market remain to be seen.

More availability of individual cyber insurance coverage

Just as there are insurance products available to protect one’s home, auto or other assets, Whelan is also watching the rise of cyber insurance for individuals.

“We, as a company, are always monitoring and looking at that as to what we need to do to react to the market,” notes Whelan. And with the increased use of smart cars, smart thermostats, and other digital technology, the risks for individuals can be equally daunting.

“You can do anything from your phone right now: You can turn on your oven from your phone. You can unlock your door from your phone. You can set the temperature in your house. What if that’s hacked?”

Whelan can even imagine a scenario where an attacker threatens to turn off an individual’s heat during the winter until they pay a ransom to control their heat again. 

Increased focus on compliance to maintain coverage

Finally, with the increase in ransomware and shrinking profit margins, Whelan predicts that cyber insurance providers will scrutinize compliance with required security controls more closely, even as premiums grow.

Whelan has already seen, and expects to see more of, providers spelling out more specifically which security controls must be in place to maintain coverage, and requiring organizations to prove their compliance more often than once a year.

Bringing it all together

Despite the variability and ferocity of the cyber threat landscape of the last decade, one thing has not changed: organizations must constantly evaluate their attack surface, security controls and incident response readiness, including if and how cyber insurance fits into their layered security defenses and threat mitigation.

Whelan advises that everyone in the organization stay up to date with the latest cybersecurity happenings to bring it all together.

“Daily awareness of the cybersecurity industry is key in your organization and the world. Start your day by reading news from relevant and trustworthy sources on the industry. Knowing what’s going on in the world of cybersecurity can open your eyes to changes you need to make in your organization that you may not have considered,” said Whelan. 

Yet, exactly how the cyber insurance market itself will evolve and change to meet the challenges of tomorrow’s cyber threat landscape remains to be seen. Still, Whelan, his colleagues and businesses worldwide will certainly be watching closely.

Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program. Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.