Where Are You At With Your Cyber Insurance Journey?

Cybersecurity threats targeting organizations of all types and sizes in the public and private sectors are continuous, severe, and likely to increase for the foreseeable future. The main threat is ransomware.

Failing to take the ransomware risk seriously, both in cyber defense and in post-incident planning, is likely to lead to poor outcomes when an attack targets your organization. In the worst cases, the damage from a successful ransomware attack can be fatal to an organization. We wrote about how to defend against ransomware in a previous article titled "What is Ransomware, and How Do I Prevent It?" (ref 1).

In this article, we’ll provide some more recent figures on the financial impact of ransomware attacks, outline how the number of successful attacks is impacting the costs and availability of cyber insurance, and discuss the main steps you need to take to ensure your organization can get insurance and increase the likelihood of your policy paying out after an attack. Even though ransomware is the focus here, the advice applies to getting cyber insurance more generally.

The Ransomware Landscape

Ransomware attacks have increased significantly over the last few years due to the success rate and the financial returns that cybercriminals have enjoyed. Ransomware is so lucrative for cybercriminals that ransomware-as-a-service solutions are now available for those without the technical skills to create attacks.

The SonicWall 2023 Cyber Threat Report (ref 2) counted 494 million ransomware attacks in 2022, the second-highest annual total on record. A lower total than the peak year is not a sign that attacks are decreasing: the same data show that the final quarter of 2022 was the highest quarterly total since Q3 2021, and that late-year upward trend is likely to continue in the 2023 data when it becomes available.

The 2022 data also show that the recorded attacks were more damaging and costly to those impacted than in previous years. Sophos' The State of Ransomware 2023 report (ref 3) backs this up. It puts the recovery cost for organizations that paid the ransom at $750,000 per incident, and the mean recovery cost across all respondents in 2023 at $1.82 million (up from $1.4 million in 2022). These costs include all the activities required to clean up after an attack: disruption to operations, staff costs (overtime, etc.) during recovery work, and lost revenue due to the disruption. The ransom itself is only a portion of the overall cost of dealing with an attack, and usually not the most significant part.

Cyber Insurance and Ransomware

Many organizations have found that getting cyber insurance to cover their costs in the event of a cyberattack (specifically a ransomware attack) has recently become more challenging and costly. This is because cyber insurance providers, and the private equity financiers behind many of the insured companies, are feeling the financial pain of the upsurge in attacks they have had to cover. The Grant Thornton article in ref 4 discusses the pressure that providers are experiencing.

The result is increased scrutiny of insurance purchasers: insurers want to confirm that appropriate cybersecurity protections and best practices are in place at the time of purchase, and that those defenses are maintained throughout the duration of the policy.

To get insurance, organizations will need adequate safeguards, protocols, and strategies in place as a prerequisite. Insurance providers will typically send out comprehensive questionnaires to organizations and conduct interviews with their designated security professionals. The objective of this data gathering is to obtain a picture of the organization's cybersecurity readiness, so the insurer can determine whether to provide coverage at all and, if so, set the premium at a level commensurate with the risk involved. Note that answers given on the questionnaire become part of the policy record; a claim can be disputed if a stated control (for example, MFA on all remote access) turns out not to have been in place when the incident occurred.

What Cyber Insurance Providers Want to See

Cyber insurance providers will look for documentary evidence that the organization seeking insurance follows good cybersecurity hygiene and best practices. Evidence that a recognized security framework such as the NIST Cybersecurity Framework (ref 5) is in use is typically mandatory. Within all the advice and procedures in the NIST framework, there are several core items that cyber insurance providers focus on.

24x7 Monitoring, Detection and Response

Delivering cybersecurity is a continuous process: attackers are active around the clock and have become more innovative, tenacious, and well-funded. Insurers therefore want to see that someone is watching your environment at all times, not only during business hours, and that detections lead to a response. To meet this need, Critical Insight's Security Operations Center offers 24/7 monitoring, thorough investigations, and proactive threat hunting. Our systems enable us to detect potential threats in minutes. With our Managed Detection and Response (MDR) service, your team can avoid alert overload and costly distractions. Our MDR covers on-premises infrastructure, cloud deployments, and endpoint devices. See the Services page for more info.

Multi-Factor Authentication

Multi-factor authentication (MFA) is a requirement for many insurers. Questionnaires commonly ask specifically whether MFA protects remote access (VPN, remote desktop), email, and all privileged or administrative accounts, so a deployment that covers only some users is unlikely to satisfy them. Insurers will look for user and password management based on a secure directory service such as Microsoft Active Directory, with MFA as a must, and sometimes Privileged Access Management (PAM) layered on top to increase the security of critical systems. Critical Insight partners with a leading MFA solution provider for MFA solution delivery. Contact us to find out more.

Incident Planning & Incident Response Practice Simulations

Incident planning, and practicing what to do when an attack occurs, reduces the impact of a cyberattack. It is vital that everyone knows what to do while an incident is ongoing. As the saying goes: "When you're in the middle of a fire, you don't want to be reading the instructions for the fire extinguisher." Cyber insurance companies want to see evidence that plans are in place and that organizations test them, for example through tabletop exercises with a written record of the date, the scenario, and the gaps found. Critical Insight's cybersecurity team has decades of experience creating and testing incident response plans. See our Incident Preparedness page for more details.

Data Recovery Processes

In the worst-case scenario after a ransomware attack, there will be a choice as to whether to pay the ransom the criminals demand. The decision about paying is outside the scope of this article. Many insurance providers look for an organization's capacity to recover encrypted data and systems without paying a ransom. Doing this requires access to recent, unaffected backups from which to restore systems; in practice that means at least one copy that the attacker could not reach or modify (offline or immutable storage) and evidence that restores have actually been tested. It also involves making sure that the ransomware and any other malware have been removed from all systems, and that the restore point predates the attacker's initial access, so that the infection does not come back after a restore. Data recovery after an attack needs careful planning and execution. It is an area that Critical Insight can help you with to ensure no reinfection or additional data loss occurs.
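The two conditions above, a backup whose contents still match what was recorded when it was taken, and a restore point that predates the earliest known attacker activity, can be checked mechanically. The following is an added example written for this article; it is not code from Critical Insight or from any backup product, and the catalogue layout, the sample backups, and the compromise date are all constructed for illustration.

```python
"""Backup restore-readiness check (added example, hypothetical data).

Given a backup catalogue and the earliest known attacker activity from the
investigation, pick the newest backup that can be restored without
reintroducing the intrusion, and reject any copy whose contents no longer
match the SHA-256 digest recorded when it was taken (a sign the backup
itself was encrypted or tampered with).
"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_ts(ts: str) -> datetime:
    # Catalogue timestamps are ISO 8601 in UTC, written with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def verify_integrity(blob: bytes, recorded_sha256: str) -> bool:
    """True if the stored copy still matches the digest recorded at backup time."""
    return sha256_hex(blob) == recorded_sha256


def choose_restore_point(catalog, store, now, compromise_start, max_age_days):
    """Return the newest usable catalogue entry, or None if nothing qualifies.

    Usable means: held on immutable storage, taken before the earliest
    attacker activity (so restoring it does not reinstate the foothold),
    not older than max_age_days relative to `now`, and hash-verified
    against the bytes currently in `store`.
    """
    max_age = timedelta(days=max_age_days)
    usable = []
    for entry in catalog:
        taken = parse_ts(entry["taken"])
        if not entry["immutable"]:
            continue  # attacker-reachable copy: treat as untrusted
        if taken >= compromise_start:
            continue  # may already contain the attacker's tooling
        if now - taken > max_age:
            continue  # too old to be an acceptable recovery point
        blob = store.get(entry["id"])
        if blob is None or not verify_integrity(blob, entry["sha256"]):
            continue  # missing, encrypted, or tampered with
        usable.append((taken, entry))
    if not usable:
        return None
    return max(usable, key=lambda pair: pair[0])[1]


# Constructed sample data. Digests are computed from the original bytes the
# way a backup job would record them at backup time.
ORIGINAL = {
    "bk-0901": b"db dump 2023-09-01 (constructed sample)",
    "bk-0908": b"db dump 2023-09-08 (constructed sample)",
    "bk-0915": b"db dump 2023-09-15 (constructed sample)",
    "bk-0922": b"db dump 2023-09-22 (constructed sample)",
}
CATALOG = [
    {"id": "bk-0901", "taken": "2023-09-01T02:00:00Z",
     "sha256": sha256_hex(ORIGINAL["bk-0901"]), "immutable": True},
    {"id": "bk-0908", "taken": "2023-09-08T02:00:00Z",
     "sha256": sha256_hex(ORIGINAL["bk-0908"]), "immutable": True},
    {"id": "bk-0915", "taken": "2023-09-15T02:00:00Z",
     "sha256": sha256_hex(ORIGINAL["bk-0915"]), "immutable": False},  # writable share
    {"id": "bk-0922", "taken": "2023-09-22T02:00:00Z",
     "sha256": sha256_hex(ORIGINAL["bk-0922"]), "immutable": True},
]

# Simulated current state of the backup store: bk-0908 was overwritten
# (encrypted by the ransomware); the others are intact.
STORE = dict(ORIGINAL)
STORE["bk-0908"] = b"\x00encrypted by ransomware\x00"

NOW = datetime(2023, 9, 25, tzinfo=timezone.utc)
# Earliest attacker activity established by the investigation (hypothetical).
COMPROMISE_START = datetime(2023, 9, 12, tzinfo=timezone.utc)
MAX_AGE_DAYS = 30


def demo():
    """Run the check over the constructed catalogue; expected pick is bk-0901."""
    return choose_restore_point(CATALOG, STORE, NOW, COMPROMISE_START, MAX_AGE_DAYS)


if __name__ == "__main__":
    chosen = demo()
    print("restore from:", chosen["id"] if chosen else "no usable backup")
```

On the sample data the newest copy (bk-0922) is rejected because it was taken after the attacker was already inside, bk-0915 because it sits on writable storage, and bk-0908 because its digest no longer matches; bk-0901 is the only restore point that meets all the conditions. Tightening the age window to 10 days leaves nothing usable, which is exactly the situation an insurer's questionnaire is trying to detect before the incident rather than after it.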

Conclusion

Ensuring you have the protections and the ongoing policies and procedures to satisfy cyber insurance providers is essential. Our team has years of experience in this area and can advise and work with your team to get to where you need to be. We can also help you decide whether, if the insurance quotation you can get is excessive given your current cybersecurity posture, that budget is better spent on other cybersecurity improvement work. There is often a case for spending that sum on bolstering defenses for a year to reduce future premiums.

Use the form below to contact us and start a conversation about your cyber insurance journey, and let our experts help you map it out.

References

  1. Critical Insight: What is Ransomware, and How Do I Prevent It? - https://www.criticalinsight.com/resource/what-ransomware-prevent
  2. SonicWall: 2023 SonicWall Cyber Threat Report Casts New Light On Shifting Front Lines, Threat Actor Behavior - https://www.sonicwall.com/news/2023-sonicwall-cyber-threat-report-casts-new-light-on-shifting-front-lines-threat-actor-behavior/
  3. Sophos: The State of Ransomware 2023 - https://news.sophos.com/en-us/2023/05/10/the-state-of-ransomware-2023/
  4. Grant Thornton: PE seeks cyber insurance for portfolio companies - https://www.grantthornton.com/insights/articles/pe/2023/pe-seeks-cyber-insurance-for-portfolio-companies
  5. NIST: Cybersecurity Framework - https://www.nist.gov/cyberframework/getting-started