How to find ransomware cyber insurance coverage in 2022

It's harder to buy cyber insurance coverage for ransomware attacks in 2022. Our expert reviews what to look for in a policy, how to qualify and how to get the most out of it.

Cyber insurance can play a critical role in reducing enterprise concerns about ransomware attacks if one can find affordable insurance. In the developing cyber insurance market, insurers do far more than reimburse victims. They often offer proactive risk mitigation resources, along with critical services such as breach response support to get businesses back up and running quickly after being hit with a ransomware attack.

Unfortunately, in 2021 it became more difficult to get cyber insurance coverage at all. Premiums have risen sharply. By the end of 2021, cyber insurance pricing in the US had increased an average of 96% year-over-year, according to data from Marsh, a New York City-based insurance broker and risk advisor.

Cyber insurance may become even more unaffordable as premiums climb and as insurers' guidelines require additional staff and spending to update older systems and software. Many organizations can't get a quote at all. Behind the scenes, these changes are being driven by skyrocketing losses within the cyber insurance industry.

With increasing ransomware challenges facing enterprises, businesses need to know how to buy the right cyber insurance coverage at a reasonable rate, what to look for in a cyber insurance policy, tips for qualifying and reducing premiums, and how to get the most value out of a policy once it is in place.

What to look for in a cyber insurance policy

Ransomware attacks can trigger multiple types of cyber insurance coverage, including the following:

  • Business interruption. Companies want reimbursement for lost revenue due to downtime. As of Q2 2021, the average downtime from a ransomware attack is 23 days, according to Coveware Inc., an incident response firm located in Norwalk, Conn. For many businesses, an outage of this length is unsustainable without insurance coverage.
  • Data recovery. Businesses may need to restore data from backups, decrypt data using a special tool or even manually recreate data. Insurance policies may cover the costs of data restoration, including fees for outside specialists that can speed up the effort.
  • Security incident and breach coverage. Today, 81% of all ransomware cases involve data theft, according to Coveware. Fortunately, cyber insurance policies typically include coverage for investigating and responding to a potential data breach. This includes covering notification costs, information security and privacy liability, and similar risks associated with potential exposure of sensitive data.
  • Dependent business interruption. Businesses also need to pay attention to supply chain risks. Cybercriminals increasingly target technology suppliers, such as managed service providers, cloud providers and vendors. If a company's network or website is down because of an attack on a technology vendor, will it be covered? Dependent business interruption insurance can protect against risks to the organization that result from dependence on third-party systems.

More than cash -- cyber insurance is a service

"The name of the game in cyber insurance is services," according to Andrew Lipton, head of cyber claims at AmTrust Financial Services Inc. "Coverage and indemnity is one thing, but the other thing that separates a good cyber insurer from a not-so-good one is service."

Lipton said some cyber insurers offer a 24/7 hotline for reporting incidents, as well as a team that can help insured companies respond effectively when they've been hit.

When shopping for a cyber insurance policy, evaluate the services the insurer provides, including the following:

  • Incident reporting process. Look for an insurer with 24/7 incident response. According to cybersecurity vendor Fortinet, 76% of ransomware attacks occur after hours and on weekends. Make sure to evaluate the insurer's commitment to responding outside normal business hours.
  • Breach manager/coach. Does the insurer offer access to an experienced breach manager or coach who can help coordinate the response? This is key to minimizing damage and ensuring an organization is back up and running quickly.
  • Access to trusted service providers. The most effective policies provide fast access to experts who can help, such as qualified incident responders, data breach attorneys, ransom negotiators, etc.

Make sure to understand how long the insurer will take to approve ransom payments and other key expenses. Time is of the essence in a ransomware attack, and businesses don't want responses slowed down by red tape.

How to qualify for cyber insurance

Reeling from their own losses, cyber insurers have tightened the reins when it comes to issuing cyber policies. Many organizations are suddenly seeing huge cyber insurance coverage premium increases and conditions for payouts becoming stricter. Some companies are denied coverage if their security posture doesn't meet the insurer's minimum requirements. While this change is causing many organizations to scramble, ultimately the widespread push to implement security controls reduces risk.

"Insurance historically helps set standards, and we are doing the same now for cyber," according to Bob Wice, head of underwriting management for cyber and tech at Beazley, an insurance firm. "We are in a prime spot to be able to evaluate where organizations are having problems and seeing losses … and then we transparently inform the prospective insureds and current buyers."

Although every insurer has its own "secret sauce" it uses to evaluate risk, here are the top security measures insurers commonly look for:

  • Multifactor authentication. This involves the use of more than one method to verify a user's identity, such as a password plus a code from a smartphone. "Multifactor authentication is top of the list," Wice said. "There's not a day that goes by that we don't talk about it and preach implementation."
  • Restrict remote login interfaces. It's convenient for users to remotely log in to computers directly from the internet, but that's a target for attackers, too. Instead, block direct access and consider using a VPN.
  • Backups. Make sure the company has excellent backups that can't be overwritten by an attacker, even if they get an administrator password. Test backups to make sure they work.
  • Patch systems. Regularly apply software updates to computers, applications and network devices. Hackers take advantage of known weaknesses and use them to spread ransomware. Patches are often simple to install and can prevent ransomware from spreading.

"You're going to have to prove and demonstrate that you have a commitment to network security controls and to cyber controls generally," Wice said. As insurers place new emphasis on proactive controls, more organizations are investing in strong security measures, which reduces risk across the board.

To help businesses cut down on risk, the Cybersecurity and Infrastructure Security Agency has released a ransomware assessment tool companies can use to determine how prepared they are in the case of an attack.

Scans provide the next level of cybersecurity vetting

Increasingly, insurers have moved beyond questionnaires to evaluate risk and now actively scan the domains and internet-facing networks of prospective businesses that want to buy cyber insurance. This practice has become common, even though many companies seeking insurance don't realize it's part of the quote process.

Before applying for cyber insurance, businesses should consider checking their internet-facing security posture. Companies can do this quickly using a public service, such as Shodan.io, or contracting a security firm to run an external scan on their IT infrastructure.

How to get the most out of a cyber insurance policy

Companies hit with a ransomware attack should make sure they get the maximum value out of their policies. This starts with notifying the insurer right away. Many people are hesitant to contact the insurer out of fear their rates might go up in the future and don't realize that waiting can jeopardize coverage.

Most policies require notification as soon as practicable after a company discovers a potentially qualifying event. If organizations don't notify swiftly, the delay may impact coverage. Businesses should read their policies carefully and make sure their teams are aware of any notification requirements.

Another reason to notify the insurer is to take advantage of the ransomware response resources the insurer provides. For example, involving response specialists early on can dramatically reduce the spread of ransomware and minimize damage.

It's a good idea to have a notification plan in place, according to Lipton. "Know who in your company is responsible for getting your insurer on notice," he noted. Organizations can go through their broker, but that can also introduce delays. If insurers have a direct notification form, use it to put the insurer on notice as soon as a potentially qualifying event is discovered.

The cyber insurance for ransomware bottom line

Cyber insurance has become a key part of ransomware response. Now that insurers are identifying clear risk factors and screening for effective security practices, organizations have even more incentive to proactively invest in risk reduction. The right policy can also provide access to valuable services to help mitigate damage and get organizations back up and running quickly in the event of a ransomware attack.

This was last published in February 2022