Bloomberg reports that cyber insurance premiums shot up as much as 50% in 2022 as ransomware attacks continue to hammer both public and private organizations.
“Ransomware attacks soared last year, pushing demand for coverage after the pandemic-induced work-from-home era also made remote workers more vulnerable to digital attacks. Those attacks also spurred companies and individuals to adopt more robust cybersecurity measures,” the report notes.
“Premiums collected from policies written by insurers reached $7.2 billion in 2022 and tripled in the past three years, ratings firm AM Best said in a study released this week.”
Takeaway: It's not surprising to see cyber insurance premiums surge as the industry struggles to ascertain how to effectively quantify cyber risk, especially when it comes to ransomware. Insurers want to offer affordable policies, but they also have a responsibility to their shareholders and can't offer policies that produce a negative return.
Many organizations purchase cyber insurance policies to cover the cost of a cyberattack or data breach event. The increased damage posed by ransomware attacks in recent years has made cyber insurance even more appealing. Today, however, most insurers no longer cover all the potential losses from ransomware attacks, and those that do have significantly increased their premiums.
With so many variables in a ransomware attack, insurance providers find it difficult to quantify the real risk of ransomware and set premiums accurately. Whether cyber insurance is the right instrument for organizations to adopt, and whether the continually rising costs are worth it, is a hot topic at the executive levels across the Fortune 500.
Of the cyber insurance policies that do offer ransomware coverage, most will no longer cover the ransom payment (payments can vary too wildly, so they are too hard to define actuarially). Only after a ransomware attack hits does an organization find that the policy will cover only a fraction of the remediation and recovery costs.
Thus, cyber insurance is not always a viable option for all organizations, especially small and mid-size businesses, and it’s certainly not for companies that think they can indemnify instead of investing in security.
For a policy to be in force, the organization needs to have an extensive accounting of its security program. If the organization is out of compliance when it comes time to submit a claim – for example, if it did not apply patches in a timely manner or if it misconfigured security applications – it will quickly find that its policy coverage is useless.
Modern companies recognize the need to invest in a proactive approach to ransomware, leveraging tools and solutions that will prevent an attack from happening in the first place and ideally reducing their policy premiums at the same time. If customers can reduce premiums with effective controls, then insurance providers can scope risk more accurately and improve their policies to the benefit of both parties.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.