Jul 03 2023

How Useful Is Cyber Insurance When Preparing for a Ransomware Attack?

Experts agree that cyberattacks are inevitable, and ransomware attacks are becoming more frequent, sophisticated and damaging. Is a cyber insurance policy the only answer for your healthcare organization?

In recent years, the frequency and sophistication of ransomware attacks have continued to escalate. In many cases, those attacks have piled up significant costs for their victims, and not just from the ransom payment. Extended downtime after an attack, expensive recovery efforts and reputational damage all hurt a healthcare organization’s profits after a breach, not to mention the potential impact on patient care.

“The actual cost of a ransomware attack extends far beyond the ransom payment — it can add up to be 7 times the ransom demand,” notes NetApp in a blog post.

“As far as overall costs go, experts estimate that the ransom payment adds up to only about 15 percent of the total cost of the ransomware attack,” the post continues. “And the real stinger in all of it is that only 1 in 7 organizations who pay a ransom actually get their data back.”


Some Vendors Offer Warranties Along with Cyber Insurance Policies

Cyber insurance is a growing trend and, in many cases, an operational requirement. However, some healthcare organizations don’t have the resources to self-insure. For smaller organizations, there are still ways to reduce the cost of cyber insurance premiums. Tony Roberts, senior solutions engineer at CDW, notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.

In April, Rubrik made two groundbreaking announcements about its ransomware warranties. In a press release, Rubrik noted, “With the rapid growth of cyberattacks, organizations share the same concern: ‘If we get hit by ransomware, can we recover?’”

The company’s response was to increase the value of the warranty it offers as part of its cyber insurance policies. “Rubrik is confident in our data security solution and committed to a shared responsibility between customers and software vendors,” the release notes. “As such, we are putting more skin in the game by doubling our warranty to $10 million.”

In addition, Rubrik issued a separate press release to announce its partnership with Zscaler to offer a double extortion ransomware solution. “Rubrik’s integration with Zscaler Data Loss Prevention proactively identifies sensitive business data across enterprise, cloud and SaaS environments so that specific data protections can be implemented easily to prevent data loss,” the release noted. 


Some Larger Organizations Can Self-Insure Against Ransomware

While cyber insurance can help to defray the costs of a ransomware attack, it also can be a beacon to cybercriminals, indicating a willingness to pay the ransom the criminals intend to demand. In some cases, organizations might want to consider self-insuring to protect themselves in the event of a ransomware attack.

“Self-insurance basically becomes a line item in the budget,” explains Jason Cray, data protection strategist at CDW. “They budget and say, ‘We already pay X amount on premiums to an insurance company to have insurance. Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.’”

Some Cyber Insurance Companies Are Tightening Their Payout Policies

According to Heidi Shey, principal analyst at Forrester, “Cyber insurance is only one component of a bigger enterprise cybersecurity risk management program. However, the cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage and a demand for policies that outweighs available supply.” After years of affordable and readily available policies, she says, “the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.”

Cray says he has picked up on similar shifts in the cyber insurance market. He and Roberts have both noticed new limitations on cyber insurance policies during their work with CDW customers.

“The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”


Cray agrees, citing insurance companies’ use of overly complicated paperwork. Insurance applications used to pose 20 to 30 questions, Cray says, but those forms now routinely include more than 400 questions worded in conflicting or confusing ways that make them nearly impossible for applicants to answer.

Regarding questions about an organization’s immutable storage, Cray says, applicants might wonder, “‘Do I answer yes? My answer is yes.’ And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’” Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “That’s the reality of what clients are facing today,” Cray says.

“It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance. Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’”

“I think organizations have to take a look at that from a risk perspective,” Roberts says.
