Press releases

Veeam: what is the real value of cyber insurance?

The threat of cyberattacks is nothing new, but ransomware is proving much more effective than ever at generating profits.

This has pushed businesses to turn to insurance to protect themselves from the heavy financial impact of these attacks.

As demand has grown to unprecedented levels, the industry has become highly volatile. Premiums are rising, there are more rules about what is and isn't covered and minimum standards have been introduced for businesses wanting to be insured. This might seem like bad news for businesses, but ultimately there are several positives.

Insurance for the digital world

Sometimes people think that cybersecurity is a dark world. In reality, the physical and digital worlds are much more similar than you might think. Thirty years ago, companies that wanted to protect their assets thought first of all about insurance against fire and theft. Today the risks are more digital. According to the Veeam Data Protection Trends Report 2024, three in four organizations have suffered at least one ransomware attack in the past year, and one in four has been attacked more than four times in the same period.

It's no wonder that cyber insurance has become an increasingly popular choice for many organizations, and it is expected to grow by 24% to become an $84.62 billion industry by 2030. However, as the number of businesses purchasing and requiring insurance has increased, its cost has also steadily grown, with premiums rising in the past three years. This hasn't been the only change by insurers looking to keep cyber protection profitable: more meaningful risk assessments, minimum security standards and reduced coverage have become common practice in recent years.

To pay or not to pay the ransom?

Cyber insurance has become a controversial topic recently, which mostly boils down to the million-dollar question about ransomware: to pay or not to pay? Although many reject the idea that insured companies are more likely to pay ransoms, a 2023 report on victims found that 77% of ransoms were paid by insurance. However, many insurers are trying to put an end to this situation. The same report found that 21% of organizations now explicitly exclude ransomware from their policies. We also saw others explicitly exclude ransom payments from their policies: they will cover downtime and damage costs, but not extortion costs.

In my opinion, the latter approach is the best. Paying ransoms is not a good idea and is not what insurance should be used for. It is not just a question of ethics and fueling crime, but of the fact that paying the ransom does not immediately solve the problem and often creates new ones. First, cybercriminals track which companies pay so they can come back for a second attack or share this information with other organizations.

One study found that 80% of companies that paid a ransom were hit a second time. But even before getting to this point, recovery through paying the ransom is rarely easy. Recovery with decryption keys provided by attackers takes a long time, often intentionally, as some groups charge for each key to speed up the process. And that is when the decryption works at all: one in five companies pay a ransom and still fail to recover their own data.


Raise standards  

So, paying ransoms through insurance is, fortunately, slowly disappearing. But that's not the only thing that's changed. Companies seeking cyber insurance are increasingly required to meet minimum standards of security and ransomware resilience. This may include using encrypted, immutable backups and implementing best-practice data protection principles, such as least privilege (giving access only to those who need it) or four-eyes (requiring that changes or significant requests are approved by two people). Some policies also require companies to have solid plans to ensure system availability, including well-defined disaster recovery processes to prevent downtime due to a ransomware attack. After all, the longer a system is down, the higher the cost of downtime and, with it, the cost of an insurance claim.

Companies should have all these elements regardless. If insurance is accompanied by sloppy data protection and recovery processes, insurance payouts will only paper over the flaws. The introduction of minimum standards is good news for companies. Not only will it bring down the cost of premiums in the long run, but the security principles they require will be more valuable to businesses than the insurance was to begin with. Cyber insurance is not an absolute guarantee, but it can be a beneficial element of a broader cyber resilience strategy. Both are useful, but if you are forced to choose only one, resilience would always be the best choice. Fortunately, insurers agree, as unprotected businesses are becoming too unprofitable to cover.

To make sure

Cyber insurance, particularly as it relates to ransomware, is moving towards a world where insured companies have strong cyber resilience and well-defined disaster recovery plans, and use insurance only to mitigate the impact of attacks and the cost of downtime while they restore through immutable backups. This is a world that is much more resistant to ransomware than one in which businesses rely solely on insurance.

BlogInnovazione.it
