Ransomware Attacks: Can Cyber Insurance Protect Your Organization?

Cyber insurance premiums have increased significantly over the last few years. Just in October 2021, for instance, TechTarget shared how cyber insurance premiums had increased 50%, with some quotes jumping as high as 100%. 

And cyber insurance premiums have increased even more for some policyholders. For instance, Bleeping Computer covered an Illinois school district that witnessed the cost of its policy going from just $6,661 in 2021 to $22,229 only a year later - that’s a whopping increase of 334%.

Ransomware Pushes Cyber Insurance Premiums Higher

Ransomware attacks are a significant factor driving up cyber insurance premiums. Consider how much ransomware attacks grew in number last year. Researchers in a study covered by HelpNet Security documented a 148% increase in the global ransomware attack volume through Q3 2021 at 470 million individual attack attempts. 

Those who conducted the research documented 190.4 million ransomware infections over the third quarter alone, nearly surpassing the 195.7 million ransomware attempts detected in the first three quarters of 2020. The researchers predicted a year-end ransomware total of 714 million attacks, which would mark a 134% year-over-year increase.

There’s also the reality that ransomware attack costs also increased in 2022. The Cost of a Data Breach Study 2021 found that the average ransomware attack costs organizations $4.62 million. This hefty price tag, which exceeded average data breach damages of $4.24 million, included costs driven by escalation, notification, lost business, and other response costs–but it did not account for instances where victims sometimes paid ransomware gangs tens of millions of dollars in ransom.

Ransomware’s Relationship to Cyber Insurance

The majority of cyber insurance claims now involve ransomware, and this single digital threat category accounts for 75% of all cyber insurance claims—up from 55% in 2016. What’s more, CyberScoop shared that “the prospects for the cyber insurance market are grim,” with the ratio of losses to premiums earned at just 73% in the last year. 

Such limited profitability for the providers is likely to drive up cyber insurance premiums even more, resulting in even less overall coverage for organizations, or may drive insurers from the cyber insurance market or from covering ransomware attacks altogether.

That’s already happening. Ransomware threat actors have been observed checking to see if their potential targets have policies that could make them more likely to pay a ransom demand, as noted by Reuters. To prevent attackers from gaming the system, insurers like Lloyd’s of London are discouraging their syndicate members from taking on cyber policy business in 2022. Some are also scaling back their cyber liability policies from as high as $5 million in 2020 to between $1 million and $3 million just a year later.

These developments make the challenges associated with using cyber insurance to pay for ransomware even more salient. In our recent ransomware report, titled Ransomware Attacks and the True Cost to Business, we found that 54% of organizations had purchased a cyber insurance policy covering ransomware in the last two years. Of those, one-fifth said their cyber insurance policy would likely not cover all losses associated with a ransomware attack. 

Nearly half (42%) of those organizations with cyber insurance policies in place when they were victims of a ransomware attack said that their insurer had covered only a portion of their losses. They still needed to pay out of pocket to cover the remaining ransomware recovery costs.

Shift to Ransomware Prevention

This brings us to our central question: is cyber insurance worth it? Ultimately, it can help organizations with some of the costs of ransomware attacks. Still, with premiums rising and coverage falling, organizations can’t count on cyber insurance to cover the total costs of a ransomware attack. They would thus better serve their interests by focusing on preventing a ransomware attack from being successful in the first place.

Organizations can defend themselves at each stage of a ransomware attack. For instance, they can monitor for malicious links or malicious macros attached documents to block suspicious emails in the delivery stage. Executing malicious code allows security teams to detect files attempting to create new registry values and spot suspicious activity on endpoint devices. 

When the ransomware attempts to establish command and control, security teams can block outbound connection attempts to known malicious infrastructure. They can then use threat indicators to tie account compromise and credential access attempts to familiar attack campaigns, investigate network mapping, and discovery attempts launched from unexpected accounts and devices.

Defenders can flag resources attempting to gain access to other network resources they don’t normally interact with and discover attempts to exfiltrate data or encrypt files. Remember, the actual ransomware payload is the tail end of a RansomOps attack. There are weeks or even months of detectable activity before that point that can help disrupt an attack before there is a serious impact on the targeted organization.




Cybereason is dedicated to teaming with Defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern RansomOps attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed