Ransomware Insurance: Prescriptive and Restrictive


Insurers are drafting more restrictive and prescriptive insurance policy requirements designed to reduce the number of claims and better protect themselves and the companies they insure. In some cases, claims are being denied outright because they’re tied to acts of war.

Insurance is complicated and becoming less beneficial to the companies buying it. Before qualifying for cyber insurance, including ransomware protection, companies must complete elaborate questionnaires confirming that minimum essential cybersecurity protections are in place. Insurance underwriters, flooded with ransomware claims and hemorrhaging money, are pushing back, holding companies accountable to their questionnaire responses and often denying claims.

Perhaps it’s time companies focus more on proactive preventative measures instead of counting on a reactive cyber insurance payout.

Ransomware Insurance

Ransomware attacks are notoriously difficult to protect against with technical tools alone. As with other catastrophic events, insurers stepped in to offer an insurance product to cover some of the damages resulting from a ransomware attack.

Depending on the ransomware policy, you may be covered for loss of income from business interruption, the costs of recovering your systems, data, and networks, and possibly the cost of paying an extortion demand (ransom).

The exact payout and terms will be defined in your coverage policy document. This policy document outlines attack circumstances that are excluded from coverage (act of war) and requirements for minimum essential security measures (offline backups, awareness training) necessary for you to make a successful claim.

Policy Restrictions and Prescriptions

From CyberHoot’s perspective, don’t think of policy restrictions (or exclusions) as loopholes in insurance policy coverage. Instead, think of them as best practices or minimum essential cybersecurity prescriptions you need to follow to a) avoid a ransomware event, and b) ensure you have coverage if you are still hit despite following all the best practices called out in the cyber insurance policy.

Minimum Essential Cyber Security Prescriptions

For example, your policy will require you to implement a backup strategy for all your data (follow CyberHoot’s 3-2-1 backup strategy for efficacy). Your policy may require you to remove administrative rights from end users operating Windows computers. Finally, your policy may prescribe end-user awareness training to spot and avoid phishing and social engineering attacks. There are many other prescriptions in some insurance policies; read the fine print to learn what they are and consider hiring a cybersecurity professional such as a virtual CISO to help you build a robust cybersecurity program.

These are all reasonable minimum essential prevention measures that belong in any basic cybersecurity program. Cyber insurers prescribe them, and they also give insurers an out: if you state on the questionnaire that you do them but in fact don’t, the insurer can refuse to pay your claim.

Insurance Notification Clause

Similarly, you will probably find a notification clause in your contract that requires you to notify your insurer about an attack within a minimum timeframe. Make sure you have a documented incident response process (also part of most vCISO services) that includes a provision for insurance notification.

War-Related Exemption

Another common exclusion is war-related, where insurers retain the right to refuse to pay out on a claim if the damage was a result of war or war-like actions. Given the current world climate, insurers are seeking protection from some attacks using the War-Related exemption.

When one nation-state turns on another, cyberwarfare can be used to inflict damage outside of the usual realm of war. Cyberwarfare can be indiscriminate: the parties affected are not necessarily government organizations, and a business can easily be caught in the crossfire.

Insurers have a valid reason to try and exclude this massive level of exposure. However, there are a couple of problems. Defining a war is the first issue: when does an act of aggression qualify as a war-related activity? Another difficulty is attribution. Cyber attackers generally try their best to disguise themselves, and it is uncommon for an attacker to openly declare their involvement in an attack.

When an organization suffers from a ransomware attack, how does the insurer, or the claimant, prove that a specific organization was behind an attack, and what the motivation for the attack was? Finding hard proof behind attribution is nearly impossible under most circumstances. In such circumstances, claimants and insurers turn to the court system to rule.

The Courts Must Sometimes Decide Claims

Claims under ransomware insurance run the gamut from a single bitcoin ransom to demands in the millions. These costs don’t include damage to reputation, downtime, fines, or legal fees. Insurance companies will hold you accountable to the prescriptions and restrictions for claims, whether ransomware or otherwise. If they find your company hasn’t done what you said you would do, they are likely to refuse your claim. That is why so many claims are contested in court, where cases can last months or even years, costing everyone even more money.

What Does This Mean For Your SMB or MSP?

It means that you shouldn’t be relying on Cyber (or Ransomware) Insurance as your primary defense. Cybersecurity insurance definitely has a role to play; however, depending on the premiums and level of coverage, it should be considered the last line of defense. CyberHoot’s first recommendation is to beef up your own internal efforts to protect your IT assets from attack; that remains your first line of defense and your best bet.

Any Cyber-related Insurance Policy will have minimum essential requirements or conditions you must meet to ensure your policy pays out. As mentioned earlier these are things like security awareness training, reliable 3-2-1 backups, system patching, and more. The following minimum essential insurance prescriptions will help your business prevent a breach and help improve your chances of being covered if catastrophe does strike.

To learn even more about what Cyber Insurance offers, what it covers, and what you need to do, please also visit our articles: Cyber Insurance Part 1: Why It’s Needed and Cyber Insurance Part 2: What You Need to Know. 

CyberHoot’s take-away message here is to prepare your company by building a proactive cybersecurity program, using a seasoned industry professional called a vCISO, and investing in your technical and administrative controls to prevent a breach. Your Cyber Insurance policy requires these measures anyway, and they will help you proactively prevent an event and reactively recover with an insurance payout if disaster strikes (unless it’s proven to be an act of war).

CyberHoot’s Minimum Essential Cybersecurity Recommendations

The following recommendations will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management System like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
  4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
  5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections) or prohibiting their use entirely.
  6. If you haven’t had a risk assessment by a third party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

Each of these recommendations, except cyber-insurance, is built into CyberHoot’s product and virtual Chief Information Security Officer services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.
