According to a recent survey, ransomware attacks went up nearly 11-fold between July 2020 and June 2021. 72% of respondents said they have a cyber ransom insurance policy in place, and 49% stated they would pay a ransom outright. The average ransom paid by mid-sized organizations was $170,000.
In a typical ransomware attack, malicious hackers encrypt data until a ransom has been paid. For those that have ransomware insurance, the insurance company often pays the ransom and compensation for business downtime and data recovery. A recent report found that for those organizations that have insurance against ransomware, 94% of the time, when the ransom is paid to get the data back, it is the insurance company that pays.
There is an argument that insurance companies that pay the ransom for ransomware victims are actually making the attack safer to cybercriminals, expanding their tactics to speed up the process and being quite sure to obtain a return on investment. The malicious actors behind Maze and DoppelPaymer, for example, have threatened hacked enterprises with the publication of their stolen data on a data leak site as part of their extortion plans and suggest they contact their insurance companies as a matter of urgency.
Given the average bill for remediating a ransomware attack, including downtime, lost business, and the cost of the ransom itself, is estimated to be around $1.85 million , paying the ransom is often seen as the only option or see the business suffer.
Coalition, one of the largest cyber insurance providers in North America, maintains that it has processed more claims across more organizations in the first half of 2021 than in any other period. Ransomware ranks the highest, with the average ransom demand made to a Coalition policyholder now sitting at $1.2 million. It says that the average payout has decreased slightly due to Coalition’s efforts on negotiating ransoms on behalf of policyholders.
The cyber insurance landscape is getting harsher
However, what seems like a vicious circle between the attacker, the victim, and the insurance company may be about to be broken. As the severity and frequency of ransomware attacks skyrockets, so will the cost of premiums. As a result, the cyber insurance market will continue to harden.
Coalition, like many insurers, believes it will become harder for enterprises to qualify for cyber insurance, and the deployment of a cybersecurity strategy and controls will be required as a condition of insurance coverage. Coalition goes as far as predicting that many insurance carriers will also begin to need companies to address identified vulnerabilities during the policy period or risk losing part or all of their coverage.
Time to shore up defenses
The fact that insurance companies are becoming more vigilant and looking to enforce levels of security is a welcome move.
For example, companies rely on insecure and remote tools that are not properly secured and don’t have adequate backup in place and the know-how to restore it. In its recent report, Coalition claimed that had insecure remote access enabled when they applied for insurance went up nearly 50% between the first half of 2020 and the first half of 2021.
Protective steps to take:
Cybercriminals like ransomware, because it is easy to trigger and can result in significant payments. They are undoubtedly taking advantage of the fact that insurance companies pay out on ransoms by making more considerable demands.
Once an enterprise has paid a ransom once, it is seen as an easy target. Enterprises are frequently held to ransom with repeated demands or sent decryption keys that either does half the job or don’t work at all.
Whether or not you choose to be supported by an insurance company, the fact remains that a good knowledge of your actual security is paramount. This includes a maintaining a security level (audit, pentest), a good segmentation of your network, regular backups, a solid IAM policy and sufficient training of your employees. These remain the most effective protection against a ransomware attack and limit the damage to a minimum.