Black Hat
Many organizations are increasingly unprepared to deal with the skyrocketing costs of ransomware attacks, at a time when both the number of incidents and the payments demanded by cybercriminals are rising rapidly.
A report by security software and services provider BlackBerry and Corvus Insurance this week found that only 19 percent of the 450 IT and security decision-makers surveyed in the US and Canada said their companies have cyber insurance coverage of more than $600,000, while 59 percent are banking on the government bailing them out after attacks linked to nation-states.
In addition, only 55 percent of companies have any insurance at all. BlackBerry officials are discussing details of the report at this week’s Black Hat 2022 conference in Las Vegas.
This comes at a time when security shop Sophos reports that the average ransom paid by organizations jumped almost fivefold last year, to $812,360.
It found that 11 percent of ransomware victims last year said they paid ransoms of $1 million or more, up from 4 percent in 2020, and that the percentage paying less than $100,000 dropped from 34 percent two years ago to 21 percent in 2021.
At the same time, Sophos researchers this week said it is becoming more commonplace for organizations to be hit with two or more cyberattacks, sometimes just days or weeks apart.
Meanwhile, Palo Alto Networks' Unit 42 threat intelligence group wrote in a recent report that in the first five months of this year the average ransomware payment hit $925,162, a 71 percent increase over 2021. That figure doesn't count other related costs, from remediation expenses to service downtime.
Walking the tightrope
“It’s a potentially perilous situation for many companies,” Gary Davis, chief cybersecurity advocate at BlackBerry, wrote in a blog post. “While the costs of suffering a targeted cyberattack or breach continue to climb, their ability to insure themselves against a possible cyber disaster dwindles.”
Davis pointed to a Forrester report that found a typical data breach would cost the average organization $2.4 million, including investigation and recovery.
With relatively few businesses having insurance, and the bulk of those that do having less than needed to cover the costs, “this places many businesses in a precarious position – the cybersecurity equivalent of ‘operating without a net,’” he wrote.
“The situation is particularly acute for uninsured small and mid-sized businesses (SMBs), who must weigh the soaring costs of cyber insurance premiums against the very real risk of being unable to recover from a successful attack.”
The challenge is even greater when focusing on ransomware. About 37 percent of respondents with cyber insurance don’t have coverage for ransomware payment demands and 43 percent are not covered for ancillary costs, including court fees or employee downtime. Among the respondents, 28 percent said they plan to get coverage “shortly.”
Another factor is the rising cost of insurance premiums, fueled by such large-scale attacks as the ones last year on Colonial Pipeline – which paid a ransom of roughly $4.4 million – and JBS Foods, which paid $11 million. Insurance companies are looking to reduce their exposure to such costly losses.
In a report, the US Government Accountability Office (GAO) found that more organizations are taking out cyber insurance coverage – the take-up rate rose from 26 percent in 2016 to 47 percent in 2020 – while insurers' costs from cyberattacks almost doubled between 2016 and 2019. That has driven an almost 12 percent increase in cyber insurance premiums between Q4 2018 and Q4 2020.
“The cost of cyber insurance is based in part on the frequency, severity, and cost of cyberattacks, all of which have been increasing,” GAO Managing Director Dan Garcia-Diaz wrote in a blog post. “The uncertainty about future threats also plays a role, and insurers have become more selective about who and what gets covered.”
Some insurers are reducing coverage limits or increasing premiums for higher-risk organizations and industries, such as academic institutions, healthcare organizations, and the public sector, Garcia-Diaz wrote.
Improving security posture is key not only to finding and keeping cyber insurance, but also to doing business with organizations that are increasingly security-conscious, the report found. The BlackBerry survey found that 60 percent of respondents said they would reconsider partnering or dealing with a business or supplier that lacked comprehensive cyber insurance, and 68 percent of IT leaders said they would likely reassess a partner or supplier based on its cybersecurity practices.
“Along with these supply chain concerns, the new research reveals that cybersecurity practices, including successful technology implementation, are closely linked to an organization’s ability to keep cyber insurance — or get it in the first place,” Davis wrote. ®