Cyber insurance crisis to fuel enterprise shift in cyber protection
March 2022 by Panaseer
Panaseer, an enterprise security company, shares data on actions enterprises are willing to take to solve the escalating cyber insurance crisis.
In recent years the cyber landscape has been dominated by a sharp increase in ransomware attacks. According to SonicWall, ransomware attacks increased 105% in 2021, and Sophos’ report, the “State of Ransomware 2021,” revealed that the average ransom paid is now $170,404 while remediation costs $1.85 million on average, ten times the size of the ransom payment.
The increase in frequency and cost of ransomware attacks has made ransomware a board-level risk and put the cyber insurance industry under extreme pressure. This is evidenced by a recent survey Panaseer conducted with over 1,200 global enterprise security leaders – over four in five (84 per cent) respondents said their Board now wants to understand their ransomware protection levels. As such, nearly all (91 per cent) security leaders are reporting their ransomware protection levels to the Board. For 86 per cent of security leaders, ransomware protection is a budgeted 2022 priority.
The proliferation of ransomware has led to an increase in the frequency and value of cyber insurance claims. As such, many insurance providers have increased their premium prices and turned away prospects without sufficient cybersecurity precautions. According to Marsh, the price of cover in the US grew by 130 per cent in the fourth quarter of 2021 alone, while in the UK it grew by 92 per cent. These changes in cyber insurance practices are putting businesses in a difficult position, as cyber insurance is fast becoming a condition for doing business in certain sectors. According to Forrester, cyber insurance has even become the price of admission for the partner ecosystem.
To resolve the issue, many insurers will want some form of verification that businesses are taking the correct cyber hygiene measures, so they can more effectively price and allocate cover, akin to the shift that took place in the automobile market with black box car insurance.
Panaseer’s research shows that businesses are willing to make this shift, but they aren’t ready yet. According to Panaseer’s research, all the security leaders would be willing to demonstrate the strength of their cyber programme to cyber insurers, with data-driven metrics, if it meant they could reduce their cyber insurance premium. However, none of them are ready to do this immediately.
Just over a quarter of security leaders (29 per cent) believe they will be ready in the next 12 months, over half (57 per cent) hope to be ready in the next 13-24 months, with 14 per cent not sure when they will be able to share the data. The most prepared industry is financial services (46.5 per cent of respondents would be ready in the next 12 months), followed by healthcare (46 per cent), utilities (27 per cent), life sciences (21 per cent), energy (20 per cent) and lastly retail (13 per cent).
Nik Whitfield, Chairman, Panaseer: “In recent years, ransomware has been the most high-profile risk in cybersecurity, which is why many Boards are concerned about its potential for disruption and damage. Thanks in part to the proliferation of ransomware claims during the Coronavirus pandemic, cyber insurers have also been forced to pay out on underpriced policies, pushing their portfolios towards being loss-making. The result is that the market has hardened, insurers have withdrawn and it’s much tougher for customers to get insurance at all, let alone good value on a policy.
“The current, distressing situation in the Ukraine may well increase the cyber risk to companies, making it harder for underwriters to effectively price policies and even harder for companies to buy any cyber insurance cover.
“However, a positive by-product of insurers pushing back is that it will become another driver for businesses to enhance their cybersecurity measurement. As insurers look to find a way to make cyber protection workable for both parties, organisations will need to improve the way they communicate their security posture. We’re moving towards the era of evidence over opinion, hard data rather than subjective questionnaires.”