There is no doubt about it: ransomware can be devastating. The average recovery cost is reaching nearly $2 million, more than double the amount from just a year ago, according to cybersecurity vendor Sophos’ State of Ransomware 2021 study earlier this year. And that study puts the cost of ransomware at the low end.
IBM, in its Cost of a data breach report, puts the price tag of breach recovery at $4.24 million, although that study covers all data breaches, not just ransomware. To date, ransomware is the top cyber threat this year, according to IBM’s X-Force Threat Intelligence report.
But data recovery isn’t the only cost of a breach. When you add in the impact of corporate valuation on an enterprise, the cost of good will and its impact on the cost of cyber insurance, that initial cost to recover from a malware attack can be far worse than just the cost of remediation.
Canadian Underwriter, a publication for Canadian insurance companies, reported in August that cyber insurance companies were losing money on those policies in 2021. “In cyber liability, total net premiums earned for the second half of 2021 were $94.15 million – $12.15 million from Canadian insurers and $82 million from foreign insurers. But total net claims incurred (not including reinsurers’ share but including adjustment expenses) were $106.26 million ($97.4 million from foreign insurers and $8.86 million from Canadian insurers), for a loss ratio of nearly 113%.”
According to an article in the November 2021 issue of Business Insurance, cyber insurance providers are reducing the amount of coverage they offer for ransomware due to the sharply higher payouts from recent attacks. The article reports that major U.S. and European insurers and syndicates operating in the Lloyd’s of London market increased premiums to cover ransoms, the repair of corporate networks, business interruption losses, and increased public relations costs to repair reputational losses.
But higher premiums are not the only changes. In addition to higher rates, insurers are reducing coverage. Where a common coverage level for Lloyd’s used to be £10 million (approximately $13.50 million at the current conversion rate), it is now reduced to £5 million, the article reported.
Domestically, U.S. coverages also are dropping while rates are rising. According to a recent webcast, U.S. insurer Marsh McLennan Agency is reducing many of its policies to even lower levels — $3 million to $5 million. When one considers that the IBM/Ponemon estimate for an average ransomware attack was more than $4 million, that means today’s basic insurance covers perhaps one attack.
Companies that opt to self-insure against cyberattacks will need to set aside some very substantial assets. Assuming a company gets hit by two ransomware attacks in a single year — certainly not an unusual scenario — one cyber insurance policy alone might not be enough to cover the costs. If you self-insure, you need to consider setting aside enough for multiple successful attacks, and this could end up being millions of dollars not doing much more than generating interest.
Companies that do obtain cyber insurance with low coverage amounts might consider obtaining multiple policies. In a market where getting a single policy is difficult, this could be problematic.
For those executives who think getting hit twice by lightning is not likely, think again. First, ransomware is not lightning. IBM reports that ransomware comprises 23 percent of all cyberattacks. A survey from cybersecurity vendor Cybereason conducted with 1,263 companies noted that 80 percent of victims who submitted a ransom payment experienced another attack soon after, and 46 percent got access to their data but most of it was corrupted. Those are not very good odds.
Second, there are multiple reasons why a company might get attacked again—often by the same attackers. This is because some companies never completely irradicated the initial attack. Restoring a backup might mean restoring the original compromised files.
A well-hidden piece of malware, or perhaps one that itself is benign but calls for an update that contains the malicious code, could lead to a repeat of the attack. Often, attacks reoccur because malicious code made its way to other parts of the corporate network, lying dormant until reactivated. If this code is not identified and cleaned during a forensics examination or regular maintenance, it could attack again.
It also is possible that the network vulnerability that permitted the first attack to occur was never closed, allowing the attackers to reenter a network through the same open door.
For example, if the entry point to the network was through a third-party business partner, that link might still be open. In 2013, a large retailer was compromised when an attacker accessed its network through a third-party industrial service provider. The attack cost the retailer nearly $300 million. Had the retailer employed stronger third-party risk management controls, along with having better trained security analysts, the losses could have been substantially reduced. Hindsight is 20/20.
Today it is possible to ensure that your third-parties are safe by working with a service provider to test the third-party’s networks for vulnerabilities. Such examinations can be enlightening and identify poorly protected partners with access to your corporate network. The challenge, of course, is getting the third party to agree to be tested and to remediate the problems if they are identified.
If the third party refuses to remediate their vulnerabilities, the company that requested the evaluation has two choices: accept the possibility of a punch-through attack from a cyber criminal through that third party, or fire the partner and sign up a replacement who has already evaluated their network and remediated any shortcomings. This exercise is called third-party risk management (TPRM).
Trusting the self-attestations that repairs have been or will be done becomes a business decision for the company relying on their third parties to be safe. Independent verification is always the preferred option, whether that verification comes from a SOC 2 (System and Organization Controls) audit conducted by a licensed CPA, or from an analysis conducted by a firm that specializes in evaluating networks for TPRM vulnerabilities.
Incidentally, if a company is in the market to either obtain or renew their cyber insurance, they likely should get their TPRM evaluations in order. In recent months, cyber insurance brokers and carriers have become stricter about who qualifies for cyber insurance due to far higher than anticipated payouts. A proactive TPRM program is one of the cornerstones for qualifying for even sitting down with some insurers.
Ultimately, protecting a corporate network from ransomware is a multifaceted exercise that includes a combination of stakeholders, including not only the CISO and CIO, but also the general counsel and the chief risk and compliance officers. Ransomware is more than just a technical issue—it is becoming the bane of board members and C-suites worldwide.