A new study has found that an alarming number of businesses are finding it hard to maintain enough cyber insurance to cover potential losses, as premiums soar and insurers trim coverage from policies. 80% of businesses would not be able to cover the median ransomware payment if they were hit today, let alone be made whole on recovery costs.
In tight insurance market, businesses hope the government will help with ransomware payments
Since the Covid-19 pandemic started, cyber crime has soared and so have average ransomware payments. Businesses in some countries are now looking at a usual demand of millions of dollars to placate their attackers, and potentially multiple times that to clean up all of the damage afterward. And though the pandemic is winding down, cyber crime and ransomware activity are not.
Since 2021, the cyber insurance market has tightened considerably due to this major spike in crime and costs. Unable to carry adequate insurance, 59% of the survey respondents say they are simply hoping for government help if they are forced to make ransomware payments.
This may not be a case of irresponsibility so much as it is a total lack of options, as some insurers opt to drop coverage for ransomware payments or for any costs that can be tied to a nation-state advanced persistent threat (APT) group.
Majority of businesses can no longer afford or obtain complete coverage, heightening importance of cyber defenses
45% of the organizations surveyed are not carrying any cyber insurance at all. A little over 80% have no more than $600,000 in coverage, which would likely only cover part of a ransomware payment before being exhausted. 37% of those that do have cyber insurance have a policy that does not cover ransomware payments, and 43% do not have coverage for the range of expected cleanup costs. The survey included over 400 firms located throughout the US and Canada.
More companies are expecting their business partners to have cyber insurance than are actually carrying cyber insurance themselves: only 55% have it in at least some basic form, but 60% say they would reconsider a business relationship if their partner was not fully covered. The numbers indicate that IT decision makers generally do not have perspective on how big and endemic this problem is across all types of industry.
Businesses are being tripped up not just by coverage costs and available options, but by their own defenses. Cyber insurance outfits are increasingly asking clients to demonstrate their security posture and readiness; 34% report being denied coverage because they did not have adequate endpoint defenses in place (from the perspective of the insurer). The study suggests that the best option for organizations strapped for IT funds may be to engage a managed service provider that can both offer adequate defensive capability and demonstrate they meet the minimum standards of one of the insurers being considered.