Ransomware causing cyber insurance to spike
As expected, the pervasive spread of ransomware has presented an increasing threat across all industries. According to Reuters, it has become such a problem that cyber insurance premiums are spiking, some by as much as 25%.
It’s interesting to consider all the factors that go into this. No longer do insurance companies have to cover just the ransom costs, if paid. They sometimes have to handle negotiation costs with the cyber thieves. Recovery might be an issue, if the hackers aren’t quite so honest with unlocking the data after the fact. The stronger legal burdens that companies bear under GDPR and CCPA are also taken into account.
These aren’t even all of the possible costs, but we can see how ransomware alone has driven up insurance costs to such a degree. It’s a solid business model for cyber criminals, that much is clear. Targets can include any number of organizations or facilities, and health care is an especially tantalizing one. Ransoms in the last month of 2019 showed just how lucrative it could be, with some demands reaching millions of dollars. The US Coast Guard was even hit in December: ransomware forced a facility to shut down for over 30 hours.
On the other side, however, smaller entities with few employees may face extreme difficulty with ransoms that don’t even reach $10,000. Brookside ENT and Hearing Services in Michigan, a practice with two doctors and ten office staff, was forced to close when they couldn’t recover files from a ransom that larger groups might consider pocket change. Unfortunately, even these amounts can have insurmountable effects on these small-to-mid-sized businesses. Another doctor, Shayla Kasel, had to close her California-based practice after 20 years, after being hit with a ransomware attack and losing access to her servers. The New York Times reported on this case, but these smaller stories often go unnoticed; they don’t grab the spotlight in the way an Equifax would.
Solutions to this problem for cyber insurance are still in a nascent stage. Partial insurance could be offered, specifically for ransomware, apart from more general cyber insurance. Companies with a more severe history of data breaches might qualify for this, and their cybersecurity posture and structure would also factor into the equation.
Clearly, this isn’t an issue that’s going away anytime soon. Not with how profitable ransomware has become for cyber criminals. Insurance policies will have to keep adjusting to account for the ever-evolving state of affairs.