Where do ransomware, cyber education and cyber insurance intersect?
One of the hottest cyber debates since 2021 has been: should companies pay ransoms?
Similarly, cyber insurance providers are asking if they should require companies to check all of the cyber risk prevention boxes — particularly cybersecurity education.
To learn more, I spoke with Steve Whelan, director of management/professional liability product development at Verisk Analytics. As a leading provider of predictive analytics and decision-support solutions in the insurance industry, Steve provided unique insights into what organizations should have top of mind regarding cyber risks and cybersecurity education.
Jack Koziol: I want to start with the increase in prices that we’ve seen across cyber insurance. What has it been in prior years and what does it look like in the future?
Steve Whelan: Cyber insurance may still be in its infancy stage, but more and more carriers have entered the market to get a piece of the cyber pie. For several years, pricing was coming down because it was profitable. In the past two years, we’ve seen a significant change, including limits being cut down from traditional carriers and an increase of carriers in the marketplace. There’s only a handful of carriers that will write cyber on a primary basis, whereas other carriers will come in on an excess basis.
They’ve cut their limits back, in many cases significantly, where if a carrier had $15 million on a primary, it’s now $5 or $10. As that follows, so does the rest of the market. The self-insured retentions, which many people know as a deductible under normal policies, have also increased. In 2021, pricing saw a 50% average increase and will probably continue to grow in the future.
JK: Is there a specific thing that’s driving that increase?
SW: The best way to describe it is in regard to ransomware. It’s been said that ransomware is the new pandemic. I think it caught many in the insurance industry off guard with how severe and how frequently it occurs. Ransomware demands, which used to be only a couple thousand dollars, are now often in excess of $10 million. And it’s no longer just a problem for large enterprises. It is hitting every industry and companies of every size. For instance, the city of Baltimore was a victim of a ransomware attack two years ago. In that case, they had to shut things down, and people couldn’t close on their mortgages.
Carriers know that they can’t just raise prices because no one will afford the coverage—along with the fact that the only people winning in this process are the criminals, which is not helping our clients by paying it out. So many carriers have started eliminating ransomware coverage or extortion threats. They’re raising those retentions or deductibles to higher levels, and the premiums are going up.
JK: Would you be able to offer any insight into which of those areas of a multilayer security strategy could potentially cause someone to not get paid out on a policy if they were breached or they had ransomware?
SW: I would say that, unfortunately, with insurance, these contracts are generally set up on a yearly basis, and cyber is one of those risks that is very scary to underwriters. They may look at a company today and say, “You know what? Everything looks in top shape.” One of the solutions we have at Verisk is to assess individual risk. I’ve looked at companies during these assessments where one week they had a very good cyber score of hygiene, and the next it was incredibly low. It can be anything from infrequent patching or open ports.
I would say that it’s up to each individual company that writes the risk in the policy. It can be as simple as “You must maintain these controls and these policies throughout.” And where contracts are generally set up on an annual basis, many ask clients to supply security audit information on a more frequent basis, which could be semiannually or quarterly. If they see that these practices are not being done, they may have the right not to cover that. Or the traditional case is, if you are filling out these applications and saying, “I have a firewall, we use VPN, we have strict passwords,” and they find out later on, you do not, they can refuse to pay out on the policy.
JK: There’s no silver bullet or one-size-fits-all solution to combating threats. What components do you think are most important for a layered security strategy?
SW: There are myriad things that should be implemented or reviewed when it comes to creating a security-first environment, and while not a complete checklist, this is a good place to start.
- Are you training every employee on security practices? Every person is vulnerable in the organization, so training is an absolute must. This includes putting the policy in the employee manual and requiring everyone to sign off an acknowledgment.
- Are you focused on data security? That is, is your company being proactive about firewalls and data encryption? This includes when people are working in public environments like coffee shops or airports.
- Have you implemented a data backup policy, and how often do backups occur?
- Do you have a safe password practice, including change frequency and password complexity? This can also include multifactor authentication or 2FA. Yes, it can be cumbersome, but it adds layers of protection that can deter hacking attempts.
- Does your company require its vendors to live up to similar safety standards? Knowing that you may have the best security practices, if one of your vendors doesn’t, you’re just as at risk.
- Do you test your employees? By sending test emails to find out what knowledge gaps exist, you can learn what types of training are most needed. Remember, it’s training, it’s monitoring and it’s testing.
Those are just a few of the things that I would lead with, but you need to make sure that, as an organization, you’re watching this.
JK: Where do you see a cyber insurance partner fitting into all of this more multilayered security?
SW: Many of these insurance companies do their due diligence by partnering with experts in the cybersecurity industry to ensure that they are working from a position of knowledge. These industry experts come in and perform their assessments, and it’s trustworthy since they often have multiple facets of cybersecurity expertise. And many insurance companies will mitigate their own risk by partnering with them after the assessment is complete.
When a cyberattack happens, having industry knowledge about how to handle the next steps is invaluable, so having those relationships with industry experts can limit the damage that can come with being the victim of a cyberattack. They’re going to know who is best to come in, get the system shut down, isolate the situation, find out where it happened, how it happened and how to fix it. They’re also going to know the best PR firms and likely the best attorney to help defend potential claims from customers whose information was breached.
JK: What’s the one piece of advice you’d give to security leaders listening in on the session here today who are building out security teams and strategies? What do you think that they can do today to prepare for the next three years?
SW: Daily awareness of the cybersecurity industry is key in your organization and the world. Start your day by reading news from relevant and trustworthy sources in the industry. Knowing what’s going on in the world of cybersecurity can open your eyes to changes you need to make in your organization that you may not have considered.
Next, review your organization’s cyber policy and how it’s distributed to employees. Make sure that you’re monitoring, testing and training employees constantly with experts in the field.
Lastly, prepare for a cybersecurity incident now. It’s not if you will get hit, but when you will get hit. I firmly believe that everybody will, at some point in time, be affected by a cyberattack. Either directly or indirectly, getting a disaster recovery plan in place is integral to survival. This means knowing how to shut down affected systems immediately, ensuring they’re not all tied in together.
Think of water valves in your house. You have a leak in one room. Do you have to shut off the water to the whole house? Or can you just shut off the water to that one main area until you figure out what’s wrong with it and how to fix it? Segmentation of systems allows you to resolve issues without shutting down your whole business.