It is no secret that cyberattacks have been rising over the past decade. A 2019 Accenture and Ponemon Institute report found that security breaches increased by 11% since 2018 and 67% since 2014. To meet this rising challenge/opportunity, cyber liability insurance (cyber insurance) has also been growing in popularity over the past decade. Broadly speaking, cyber liability insurance helps organizations respond to cyberattacks as they are occurring and recover lost files and income. These policies may also assist in the response actions following a data breach that has exposed consumer data. As cyberattacks have increased in frequency and value of damages, organizations of all sizes have sought out these insurance policies as a way of mitigating a threat that even the most security-aware companies fall victim to.
More recently, many organizations with cyber liability insurance have found the cost of these premiums to be increasing dramatically (as much as 25%). What appeared to be a highly profitable business opportunity for insurance firms has proven to be concerning. The frequency of claims and the cost of each claim has grown exponentially. According to a report by AIG, a global insurance company with operations in more than 80 countries, there has been a staggering increase in overall cyber claims frequency. The number of claims nearly doubled between 2017 and 2018, and they received more cyber insurance claims in 2018 than in 2016 and 2017 combined. The COVID-19 pandemic has only escalated the problem. The United States Federal Bureau of Investigation (FBI) recently reported that the number of complaints about cyberattacks to their Cyber Division is up to as many as 4,000 a day, representing a 400% increase from what they were seeing pre-coronavirus.
Another issue is the debate over how to respond to a ransomware attack. Ransomware payment demands from attackers have increased, and cyber liability insurers often negotiate with these attackers and pay some form of ransom in the hope of restoring systems and data quickly. From the standpoint of the insurer, this risk can be worth it, as the cost to restore the systems and data often far exceeds the cost of the ransom payment (if data can even be restored). It is also in the best interest of the attacker to keep their word, so that ransomware demands continue to be taken seriously and payments continue to come in. However, some cybersecurity experts argue that the practice of paying these ransoms only serves to further incentivize the attackers to continue their actions. In hopes of discouraging ransomware attackers, the FBI does not advocate paying ransoms. In a 2019 statement, the FBI said, “Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers”.
Cyber liability insurers have been thrust into an awkward predicament; the purpose of their insurance is to respond to a cyberattack in a quick, effective manner. They have run the numbers, and on average, paying the ransom is the faster and less costly solution for them. Michael Lee, the city spokesman for Lake City, Florida, which was the victim of a ransomware attack in 2019, put it well when he said, “The insurer is the one who is going to get hit with most of this if it continues… It’s kind of hard to argue with them because they know the cost-benefit of [paying ransoms]. I have a hard time saying it’s the right decision, but maybe it makes sense with a certain perspective”. If all insurers were to stop paying ransoms altogether, the incentive for attackers would be dramatically reduced and ransomware attacks might become (for the most part) a thing of the past. Unfortunately, although such a transition would benefit consumers across the globe, it would not necessarily be in the best interest of the insurers. If every insurer came out today and said they are not paying ransoms anymore, how many organizations would drop their cyber liability insurance? If we created a world where ransomware was no longer a common occurrence, how many organizations would still consider signing up for a cyber liability insurance policy?
Unfortunately, as the frequency and scale of cyberattacks continue to increase, cyber liability insurers continue to face higher costs to resolve these incidents. These higher costs are being passed down to consumers in the form of premium increases, even for those with no prior claims. It is not all bad news though! Consumers can often receive better cyber liability insurance rates by proving to the insurer that they have up-to-date security and privacy controls in place and are compliant with various industry regulations and frameworks. Even if discounts are not available, it will always benefit organizations to know what data they have, where it resides, and who has access to it. Compass IT Compliance has spent the past decade serving as an independent assessor, helping organizations create or enhance their controls and attesting to the security measures organizations have in place. Contact us today to learn more!