The “Cyber Insurance Gap” Is Threatening Most Companies

A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses in North America either uninsured or underinsured against a rising tide of ransomware attacks and other cyber threats.

  • Only 19% of all businesses surveyed have ransomware coverage limits above the median ransomware demand amount ($600,000)
  • Among SMBs with fewer than 1,500 employees, only 14% have a coverage limit in excess of $600,000
  • 37% of respondents with cyber insurance do not have any coverage for ransomware payment demands
  • 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime
  • 60% say they would reconsider entering into a partnership or agreement with another business or supplier if the organization did not have comprehensive cyber insurance
  • Endpoint detection and response (EDR) software is frequently a key component to obtaining a policy
  • 34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements
2 Expert Comments
Shawn.surber, VP of Solutions Architecture and Strategy
InfoSec Expert
August 16, 2022 1:00 pm

Unfortunately, these findings aren’t surprising. From rising premiums to the proliferation of ransomware-as-a-service, insurance is growing more complicated for a number of reasons.

For starters, most organizations already have a difficult enough time determining what a ransomware event would cost, much less the insurance needed. Likewise, policy providers have similar blind spots as to the actual cost of a successful attack, which makes payouts hard to calibrate.

Costs vary significantly and are difficult to project, not because of the maturity of a cybersecurity program, but because they hinge upon how mature an organization’s operational disaster recovery and business continuity plans are.

Solutions like EDR can lead to a false sense of security because once a threat is detected, it might already be too late. What this means is that organizations need to focus on visibility and control over their environment before a ransomware attack, rather than after. This requires close integration between operations and security teams as well as consolidation of their tools so they’re operating from the same source of truth: the actual state of the endpoints and devices on their network.

Ultimately cyber insurance might require a business to undergo a “physical” much like someone would do for a life insurance policy, to verify the current state of their cybersecurity posture and the corresponding insurance needed to protect their interest. The ideal scenario would be for cyber insurers to be able to actively poll their customer networks to determine vulnerabilities as new threats are discovered to help ensure their environments are continuously protected.

John Gunn, CEO
InfoSec Expert
August 16, 2022 12:54 pm

The report underscores the fact that an “Ostrich approach” is no longer viable in an era of hyper-aggressive ransomware attacks. Every organization, and especially SMBs, is at increasing risk every day. Since most attacks start with compromised user credentials, insurance is the smartest place to start in establishing proper defenses.
