Enterprise security company Panaseer has weighed in on how ransomware has impacted the cyber insurance market — and what organisations can do to reduce their premiums.
According to SonicWall, ransomware attacks increased 105% in 2021, with the average ransom payout standing at $170,404 (about £130,472). Moreover, remediation costs are ten times the size of the ransom payment at $1.85 million.
The high value and frequency of these attacks have the cyber insurance industry alarmed. Four in five security leaders said their board is seeking to revisit their ransomware protection levels. The majority of them have made ransomware protection a budgeted 2022 priority.
Nik Whitfield, chairman at Panaseer, said the surge in ransomware attacks during the pandemic had pushed insurers into debt as they pay out on under-priced policies. Now, many insurance providers are increasing premium prices and turning away the most vulnerable prospects.
“In recent years, ransomware has been the most high-profile risk in cybersecurity, which is why many boards are concerned about its potential for disruption and damage,” Whitfield said. “The result is that the market has hardened, insurers have withdrawn and it’s much tougher for customers to get insurance at all, let alone good value on a policy.”
According to Marsh, coverage pricing grew 130% and 92% in the US and UK in Q4 2021, respectively. This will effectively make it harder for organisations to buy insurance cover. Businesses will have to make the shift and prove the strength of their cyber protection level to insurers to drive premiums down, it is suggested.
Panaseer also found that most businesses are willing to make this shift, but are not ready to. For example, only 29% of security leaders believe they will be prepared in the next 12 months, while 57% will need an extended period of 13-24 months. The most prepared industries are the financial services, followed by healthcare, utilities, life sciences and energy.
“However, a positive by-product of insurers pushing back, is that it will become another driver for businesses to enhance their cybersecurity measurement,” Whitfield said. “As insurers look to find a way to make cyber protection workable for both parties, organisations will need to improve the way they communicate their security posture. We’re moving towards the era of evidence over opinion, hard data rather than subjective questionnaires.”