The threat of cyber-attacks is nothing new, but ransomware is proving far more effective at generating revenue than ever before. This has pushed businesses towards insurance for some protection from the hefty financial impact of these attacks. As demand has grown to unprecedented levels, the space has become highly volatile. Premiums are going up, there are more rules about what is and isn’t covered, and minimum standards have been introduced for businesses that want to be insured. This might sound like bad news for businesses, but many should ultimately see these developments as a positive.
Insurance for the digital world
People sometimes think of cybersecurity as this mysterious shadow realm. The reality is that the physical and digital worlds are much more similar than people realise. Thirty years ago, businesses looking to protect their critical assets would think first of fire and theft insurance. These days, the risks are more digital. According to the Veeam Data Protection Trends Report 2024, three out of four organisations suffered at least one ransomware attack in the last year, with one out of those four being attacked more than four times in that period.
It’s no wonder that cyber insurance has become an increasingly popular choice for many organisations – predicted to grow by 24% to an $84.62 billion industry by 2030. However, as more businesses purchase insurance and make claims against it, its cost has also steadily grown, with premiums increasing for the last three years. This has not been the only change from insurers looking to keep cyber protection profitable – more rigorous risk assessment, the introduction of minimum security standards, and reduced coverage have all become common practice in the last few years.
Don’t feed the criminals
Cyber insurance has become a divisive topic recently, and this mostly comes down to the million-dollar question with ransomware: to pay or not to pay? While many dispute the idea that insured companies are more likely to pay ransoms, a 2023 report surveying victims found that 77% of ransoms were paid by insurance. However, many insurers are trying to put a stop to this. The same report found that for 21% of organisations, ransomware is now explicitly excluded from their policies. We’ve also seen others specifically exclude ransom payments from their policy – they’ll cover the cost of downtime and damage, but not extortion costs.
In my opinion, this last approach is the best. Paying ransoms isn’t a good idea and isn’t what insurance should be used for. It’s not just a question of ethics and fuelling more crime, but the fact that paying the ransom doesn’t immediately solve the problem – and often creates new ones. Firstly, ransomware gangs will ‘mark’ companies that pay so they can return for seconds, or share this information with other gangs. One study found that 80% of companies that paid a ransom were hit a second time. But even before you get to this point, recovering via ransom payment is rarely plain sailing. It takes a long time to recover with the decryption keys provided by the attackers – this is often intentional, as some groups will charge per key to speed up the process. And that is if decryption even works – one in five businesses pay the ransom and are still left unable to recover their data.
Raising standards
So, paying ransoms via insurance money is, thankfully, slowly dying out. But that’s not the only thing that’s changed. Companies in need of cyber insurance are increasingly required to meet minimum security and ransomware resilience standards. This can include using encrypted and immutable backups and implementing best practice data protection principles like least privilege (only giving access to those who need it) or four-eyes (requiring significant changes or requests to be approved by two people). Some policies also require businesses to have robust plans to ensure system availability, including well-defined disaster recovery processes to prevent downtime from a ransomware attack. After all, the longer an environment is out of action, the higher the cost of downtime and, with it, the insurance claim cost.
Enterprises should have all of these things in place anyway. If there is only insurance alongside flimsy data protection and recovery processes, insurance payouts will just paper over the cracks. The introduction of minimum standards is good news for businesses. Not only will it push the cost of premiums down in the long run, but the security principles they dictate will be more valuable to businesses than the insurance was to begin with. Cyber insurance is not a silver bullet but can be a beneficial element of a wider cyber resilience strategy. Both are nice to have, but if you could only have one, resilience is the pick every time. Fortunately, insurers agree, as unprotected businesses are becoming too unprofitable to cover.
This is why Veeam recently launched its Cyber Secure Program. While it includes financial protection of up to $5 million in data recovery expenses, it, more importantly, includes seven-phase onboarding support to ensure best practices are being followed and solutions are employed to the highest security standard. This, alongside a 24-hour ransomware recovery SWAT team to ensure smooth response and recovery, means businesses are highly unlikely to need financial insurance at all. But it’s there, just for peace of mind.
Cyber insurance, particularly around ransomware, is moving towards a world where insured businesses have strong cyber resilience, well-defined disaster recovery plans, and only use insurance to mitigate the impact of attacks and the cost of downtime while they recover via immutable backups. This is a world that is far more resilient to ransomware than the one where businesses throw insurance money at the problem.