Rethinking cyber insurance

The 2021 annual UK Cyber Security Breaches survey showed the risk of cyber breaches over the past year is potentially higher than ever, which should come as no surprise due to the rise of hybrid and home working and its impact on IT security. As a result, there has been a corresponding increase in UK businesses taking out a cybersecurity insurance policy: 43 percent, up from 32 percent last year. 

Last year, cyber-attacks cost companies an average of £8,460, whereas an insurance policy may cost a few hundred pounds each year. Looking at these figures from a financial perspective, it would make sense to take out a policy. However, it’s not as straightforward as it seems. There are sustainability and ethical questions around cyber insurance, specifically regarding ransomware, as well as other considerations.

Sustainability issues 

According to James Dalton, Director of General Insurance Policy at the Association of British Insurers (ABI), cyber insurance is “becoming as essential to 21st-century commerce as fire, employer liability or motor insurance was in the 20th century.” 

As with any other industry, insurance companies exist to make a profit. A 2019 study by the ABI found 99 percent of claims on cyber insurance policies had been paid, one of the highest claims acceptance rates across insurance sectors. Undoubtedly, as uptake of cyber insurance grows, insurance companies will be paying out on more and more claims, which is not such a lucrative practice.

Unlike other sectors – such as property insurance – which rely on centuries of experience, cyber insurance is still in its infancy; the first cyber liability policy was offered in 1999 by Lloyd’s of London. And that means a lack of data. This can make it challenging to accurately price the risk and ensure businesses are getting appropriate coverage. As a result, policy limits may need to be enforced to ensure insurance companies can continue to afford to provide this cover.

With the cost of cyber-attacks rising each year, we may soon reach a time when insurance companies can no longer cover the costs of an attack without risking their own profitability.

Ethical considerations 

Just as with other types of insurance, businesses that suffer a cyber attack want insurance to provide a pay-out to help manage the damage so they can move on quickly. Insurance companies will generally pay out on ransomware and other cyber attacks to help their clients do so. 

However, when it comes to cyber insurance, there are additional factors to consider. Cybercriminals have been attacking insurance companies to obtain lists of cyber insurance policyholders; they then target these companies – possibly because they feel they are doing less ‘harm’ to the business if it won’t impact them financially, or because they know insured companies are more likely to pay out. This is certainly the case with cybercriminals attacking businesses in the medical or care sector. As a result, cyber insurance could be encouraging even more criminal behavior.

But the financial cost of recovery isn’t the only threat to a business after a cyber attack. The impact on reputation and share value cannot be ignored. These are issues that insurance cannot help with and, if cybercriminals continue in this manner, will become more prevalent over time.

Paying the ransom 

Cyber insurance policies cover several issues including phishing, malware, and hacking. But it is ransomware that has come to the fore in recent months.

Ransomware is a specific type of cyber attack in which criminals obtain information illegally from a business and hold it for ransom, threatening to either leak or delete the data unless a ransom is paid. Insurers are more likely to approve paying a ransom if it will minimize costs in the long run and get the company back up and running as quickly as possible. Insurance companies are further incentivized to pay up because they usually also need to pay for costs such as employee overtime to recover files and loss of profit due to downtime.

Businesses in sectors such as healthcare and utility providers are especially motivated to get up and running to limit the impact on people who rely on their services. However, there’s no guarantee that companies will be able to restore operations quickly, and indeed there may be a bigger issue in doing so. 

Research shows that paying the ransom may be contributing to cyberattacks: A 2019 ProPublica investigation found that cyber insurance companies in the US are paying the fee even if alternatives to rescuing files are available. This encourages criminals to ask for more and more money. It’s a vicious cycle in which criminals feel more emboldened to carry out attacks, and businesses feel even more at risk and frightened into buying policies to avoid being on the hook for ransom amounts which have skyrocketed into the millions: DarkSide, one of the more prolific ransomware gangs, has made at least $90m since August 2020 in ransom payments from fewer than 50 victims. 

In fact, Fabian Wosar, CTO for anti-virus provider Emsisoft, said “cyber insurance is what’s keeping ransomware alive today.”

Ensuring security 

The unfortunate reality of illegal behavior is that many criminals go for the easiest targets. Investing in cyber insurance is a clear sign that you recognize the importance of cybersecurity, but that alone isn’t enough.

Just as home insurance providers will not pay out if your house floods because a tap was left running, you must build up your own cyber defenses. A cyber insurance pay-out should be a last resort, something that kicks in only if you have done everything you can to protect your organization but still suffered an attack. 

Most types of insurance cover incidents where the owner is likely to be at fault and can therefore take actions to prevent an incident – for example, nearly 70 percent of house fires are caused by human factors such as negligent use of equipment or careless behavior. Aside from accidental data breaches, cyber insurance covers incidents that arise almost exclusively from external actions. While a business cannot prevent a cyber attack, it can take action to limit its impact.

Looking ahead 

Given how heavily businesses rely on technology, companies must assume a cyber attack is imminent: it’s not a case of “if” they’ll suffer an attack, but “when.” They must build up their security defenses in preparation to limit the fallout. When it comes to cybersecurity, defense – regardless of cyber insurance cover – is truly the best offense.  

Cyber insurance is an easy solution for the short-term but brings with it risks of increasing criminal behavior and, potentially, is an unsustainable business model. Additionally, with hackers starting to specifically go after companies that have a policy in place, cyber insurance is almost becoming a “welcome mat” of sorts for criminals. 

The Ransomware Task Force (RTF), a global coalition of cyber experts, is urging governments to act, but there’s no easy answer as to how: RTF has so far made nearly 50 recommendations to reduce cybercrime, but can’t agree on how to manage ransom payments. 

One solution is for cyber insurance providers to instead cover the costs of working with experts to recover data and maintain operations, without paying any money to the criminals – however, that raises other questions, such as how to keep businesses operating while the recovery work is underway.

Cyber insurance isn’t perfect, but there may be no suitable alternative just yet. In the meantime, companies must continue to upgrade their own security and proactively build up their defenses to deter criminals as best they can.

Jude McCorry, CEO, Scottish Business Resilience Centre

Jude McCorry is CEO of the Scottish Business Resilience Centre and chair of the CyberScotland Partnership.