When it comes to dispelling the lingering myths surrounding cyber insurance, a clear understanding of what it brings to the table is required, according to Hamir Patel, head of cyber at Pen Underwriting.
Patel, who is featured in the Insurance Business UK 2021 Cyber Report, noted that comments made by senior cyber security figures demanding that cyber ransom payments be outlawed overlook the fact that cyber insurance is a complex and multi-faceted product that goes far beyond just paying ransoms. For example, a typical cyber policy offers expert services around event management that a member of the public could not easily access, from PR consultants to forensic experts, to the setting up of call centres and credit monitoring for customer protection. It is never a case of the first option being to pay the ransom, but it often can be the best solution for the customer.
Another key element is cyber insurance’s role in mitigating threats. Insurance providers rose to the challenge of the pandemic by issuing specialist guidance and advice on how businesses could protect themselves after the sudden shift to remote working significantly increased the surface area available for cyberattacks.
“And interestingly,” said Patel, “what we saw over the last six months, is a reduction in the number of ransomware claims, and it’s this awareness from the customer and them taking action to prevent attacks that has really driven that. What we’ve seen at Pen is a 38% reduction in ransomware attacks over the last six months, compared to the six months before that.”
Pen Underwriting’s team works quite extensively with the smaller end of the market, he said, and by communicating with brokers and the end clients, they have managed to increase awareness of the many simple, inexpensive and accessible options out there that can protect businesses. Now, Pen is looking to work even more closely with brokers to communicate why certain questions are asked in the underwriting process and how addressing these areas will allow customers to get coverage at an affordable rate.
“Unfortunately,” he said, “because cyber criminals are incredibly sophisticated, what we are seeing now is changing tactics. So alongside that reduction in the number of ransomware attacks, we’ve seen the size of businesses that are suffering attacks now increasing significantly. We’ve looked at the revenue size of firms with claims over the last six months compared to the six months previously and that has increased by 80%. So, the criminals are moving away from the low hanging fruit that used to exist because they were easy, to now attacking customers with greater assets that they can leverage against.”
Patel highlighted another recent strategic shift in the ransomware environment - the rise of data exfiltration and double extortion ransomware attacks, where the hackers sell the stolen data even after a ransom has been paid. Cyber is an ever-evolving industry, he said, so the focus now is on keeping abreast of the strategies adopted by different groups and establishing which are ‘trustworthy’. This shift is influencing the recommendations from insurance companies regarding whether or not to pay a ransom and, in the second half of 2020, Pen saw an 18% increase in ransomware claims where the recommendation was not to pay.
“This comes back to the fact that firms have become more resilient,” he said. “There’s been a lot of talk about what firms can do to back up their data and, as they have got better at this, the recommendations have shifted from ‘let’s pay this to get you back on track now’ to ‘hang on, you’ve got your back-up here and we can get you back on track tomorrow’.”
Any blanket ban on ransom payments could lead, in a worst-case scenario, to businesses going under due to the time required to restore their functions, Patel explained. But even when this is not the case, banning ransomware payments could lead to increasing claims costs, which in turn will push up premiums. Cyber insurance is still – incorrectly – seen as a luxury good rather than a necessity and increases in pricing would likely mean even more businesses opt out of coverage, warned Patel. And then who is protecting the end customer in the event of any data loss?