Demand Grows for Cyber Insurance in Wake of Ransomware Attacks

Cyber insurance offers companies an “added layer of protection,” said Crowell & Moring’s Michael Gruden. Companies often “underappreciate” how much an attack can affect their infrastructure and how quickly costs can grow, he said. A cyber insurance policy helps companies manage risks “upfront.”

Cyber insurance is more than “mess-up insurance,” said Davis Hake, Venable senior director-cybersecurity services. Cyber insurance is aimed at addressing the “residual risk” companies have “after they do all their work trying to defend their critical assets and keep their business running,” he said. Companies purchase property and other liability insurance, but they don’t necessarily think about their “digital” risks, the data they hold, he said.

Cyber insurance has “evolved” from a “very narrow product” that covers privacy breaches and pays the costs of potentially getting sued to one designed to take on “residual financial risk that pretty much every company has,” Hake said. Companies should “think about, quantify and understand” the “sort of unknown financial cost” of cyberattacks, he said. No security program is “100% perfect” and companies are already assuming risks and liability with online sales or when they offer a digital product, he said.

Cyber insurance can cover the costs of ransomware payments, business interruption, public relations and marketing and incident response, said Sasha Romanosky, Rand senior policy researcher. It can cover “all the costs” for a company “to figure out what went wrong and then to fix it,” he said. It also covers the costs of potential liability when the company is sued as well as fines and fees, he said.

Insurance isn’t a substitute for following cybersecurity best practices, such as investing in tools that will shield systems from attack, Romanosky said. In general, that hasn’t been happening, “but it’s certainly a concern that we all have,” he said. Insurance carriers are also helping companies prepare for attacks, he noted.

The typical ransomware attack shuts a company’s systems for three weeks, Hake said. “That can be devastating,” he said. Those costs are covered under first-party insurance, he explained. Some companies face greater risks from lawsuits and other “legal effects” and must notify customers and regulators of breaches, which is covered by third-party insurance, he said. Over the past six years, as ransomware attackers have become much more efficient at locking down systems and are raising their financial demands, first-party coverage has “really become a major focus of the industry,” he said. The process of negotiating with criminals, working with law enforcement and unlocking systems, is costly and complicated, he said.

The level of insurance that companies choose depends on their size and the level of risk they face, Gruden said. Companies that have calculated the potential costs and recognized the possible business impact "have more substantial policies, and they have determined that it’s better to absorb [the costs] upfront … instead of taking an a la carte approach,” he said.

Romanosky said in the past, the market was “soft,” favored buyers and insurance was relatively inexpensive. “Then ransomware happened,” he said. “Prices went up and policyholders had to demonstrate a lot more investment [in] and protection of their networks” before they could obtain a policy, he said. The market is softening once again as insurance carriers better understand the risks of ransomware, he said: “There’s still lots of ransomware but” insurers are “better able to keep it under control.” Prices are still increasing but not as much as previously, he said. Small- and medium-sized companies are less likely than their larger peers to invest in insurance, he said.