Throwing insurance money to cover ransom payments only seems to have worsened the situation. Knowing that victims would be able to draw upon their insurance policies, cybercriminals continue attacking organizations fiercely.
A perfect storm of events led us here: deploying ransomware became as easy as ever, with many hacking tools available as-a-service; the rise of cryptocurrencies made it easier for attackers to leave traces behind; insurers jumped at the opportunity to offer cyber insurance services; and overworked security teams became less cautious, knowing that their organizations were covered.
A new report by security company Ordr, detailing the unintended consequences of the cybersecurity insurance industry, speculates that insurance companies may have made the situation worse by paying for cybercrime and possibly even covering costs associated with ransom payments, remediation, and recovery.
“As ransomware became an easy way for cybercriminals to extract money from various organizations, insurance companies saw an opportunity to offer a new class of policies to vulnerable institutions. If a company had to pay the attackers to regain control of their databases or other portions of their IT systems, the insurance company would foot the bill,” the report reads.
Well aware of that, cybercriminals leverage it in their attacks. Ordr argues that security teams, worn down by an onslaught of crimeware, might have become less cautious, knowing that insurers have their back.
“To be sure, this is a supposition that would be difficult to prove because no security team wants to admit to such an attitude. But the response is understandable,” the report said.
However, the insurance industry is adapting to the new reality by implementing novel rules designed to avoid overextending itself and losing money on its cybercrime policies.
According to the report, carriers increased premiums by as much as 300% and trimmed coverage limits from $5 million to a maximum of $1 million to $3 million.
“Insurance companies insisted that the insured not leave themselves so vulnerable. They set IT infrastructure minimums, such as having MFA as an underwriting requirement. While logical, many organizations weren’t prepared for the sudden change and didn’t have funds set aside to beef up their security infrastructures before needing to renew their policies,” Ordr said.
Another report by cybersecurity company Sophos stated that the majority of companies hit by ransomware in the last year have more cybersecurity budget and headcount than they need, illustrating that throwing money at the problem doesn’t help to solve it.
“These findings suggest that many organizations are struggling to deploy their resources effectively in the face of the accelerating volume and complexity of attacks,” Sophos said.
In an interview with Cybernews, longtime cybersecurity expert Patricia Muoio emphasized that cybersecurity budgets might be adequate, but cybersecurity buying is not.
“Many people are buying in response to what I call the attack du jour. This is a cool thing, and you have to buy another piece to plug in on top of whatever you have. Not many people are thinking of how this is architected, how these tools interact, is it redundant to something they already have, is there a more fundamental way to address this problem,” she said.
Sophos also highlights that cyber insurance is driving improvements to cyber defenses. According to their research, 7% of organizations that have cyber insurance have made changes to their cybersecurity to improve their cyber insurance position. 64% have implemented new technologies/services, 56% have increased staff training/education activities, and 52% have changed processes/behaviors.
“Cyber insurance is getting tougher, and in the future, ransomware victims may become less willing or less able to pay sky-high ransoms,” Chester Wisniewski, a principal research scientist at Sophos, said.
Insurers are more likely to cover the cleanup costs to get the organization up and running. However, they are reluctant to pay ransoms – 40% of respondents reported that the insurer paid the extortion, down from 44% in 2019.