Ransomware attacks are becoming alarmingly common, and the skyrocketing number of exposures is putting more and more organizations at risk—and the cyber insurance industry is taking note.
The rise in attacks even prompted the White House to urge U.S. businesses to implement security measures to better protect themselves. The White House suggested businesses consider adopting defensive security measures like those now required of federal agencies and other organizations that do business with the U.S. government.
The increasing number and severity of cyber-attacks are taking a toll on the cyber insurance industry, leading to a slew of ever-changing insurance policies, tightening terms, rising premiums, and more difficulties for organizations trying to determine if a policy will pay out for a disruptive cyber event.
In response, insurance companies are implementing new requirements for minimum security standards like multifactor authentication, endpoint detection, and Zero-Trust policies, along with technology- and event-specific exclusions. Many of these requirements differ from one cyber insurance provider to another but are related to a common theme—reducing risks for insurers.
Why is this important? Because as ransomware and other breaches continue to increase, so do the risks for insurers. According to a 2020 survey from New York’s Department of Financial Services (NYDFS), between early 2018 and late 2019, ransomware insurance claims increased by 180%, and the costs of those ransomware claims increased by 150%. When increases like this happen, consumers feel those costs in the form of higher premiums, more exclusions, and changing terms and limits—essentially reducing the risk to insurers by putting more of the potential financial impact of ransomware attacks back onto your company.
As ransomware and related breaches continue to increase alongside insurance underwriter scrutiny and costs, how can the insurance industry better manage these risks? Can it streamline best practices across the nation, while continually managing risks and adapting to the ever-changing landscape of cyber threats?
Only time will tell, but the answer may very well be in a unified risk management framework, like what we’ve seen recently with the creation of NYDFS’s new Cyber Insurance Framework.