How Useful Is Cyber Insurance When Preparing for a Ransomware Attack?

Some Vendors Offer Warranties Along with Cyber Insurance Policies

Cyber insurance is a growing trend and, in many cases, an operational requirement. However, some healthcare organizations don’t have the resources to self-insure. For smaller organizations, there are still ways to reduce the cost of cyber insurance premiums. Tony Roberts, senior solutions engineer at CDW, notes that some third-party security providers, such as Rubrik, offer warranties that insurance companies recognize as extra assurance of an organization’s data protection strategy.

In April, Rubrik made two groundbreaking announcements about its ransomware warranties. In a press release, Rubrik noted, “With the rapid growth of cyberattacks, organizations share the same concern: ‘If we get hit by ransomware, can we recover?’”

The company’s response was to increase the value of the warranty it offers as part of its cyber insurance policies. “Rubrik is confident in our data security solution and committed to a shared responsibility between customers and software vendors,” the release notes. “As such, we are putting more skin in the game by doubling our warranty to $10 million.”

In addition, Rubrik issued a separate press release to announce its partnership with Zscaler to offer a double extortion ransomware solution. “Rubrik’s integration with Zscaler Data Loss Prevention proactively identifies sensitive business data across enterprise, cloud and SaaS environments so that specific data protections can be implemented easily to prevent data loss,” the release noted. 

Read more in the CDW white paper “How to Increase Your Ransomware Recovery Capability.”

Some Larger Organizations Can Self-Insure Against Ransomware

While cyber insurance can help to defray the costs of a ransomware attack, it also can be a beacon to cybercriminals, indicating a willingness to pay the ransom the criminals intend to demand. In some cases, organizations might want to consider self-insuring to protect themselves in the event of a ransomware attack.

“Self-insurance basically becomes a line item in the budget,” explains Jason Cray, data protection strategist at CDW. “They budget and say, ‘We already pay X amount on premiums to an insurance company to have insurance. Instead of doing that, we’re going to take that money, budget it and essentially put it into a savings account that is overseen by a third party.’”

Some Cyber Insurance Companies Are Tightening Their Payout Policies

According to Heidi Shey, principal analyst at Forrester, “Cyber insurance is only one component of a bigger enterprise cybersecurity risk management program. However, the cyber insurance market has been on a roller coaster, with skyrocketing premiums, changes in coverage and a demand for policies that outweighs available supply.” After years of affordable and readily available policies, she says, “the ubiquity of cyber insurance combined with the rise in cyberattacks has changed the power dynamic in favor of the insurers.”

Cray says he has picked up on similar shifts in the cyber insurance market. He and Roberts have both noticed new limitations on cyber insurance policies during their work with CDW customers.

“The insurance premiums are just going through the roof, if you can even get them,” Roberts says. Plus, “insurance companies now are defining in their contracts that they’re not going to cover an attack if it comes from a specific nation-state.”

Cray agrees, citing insurance companies’ use of overly complicated paperwork. Insurance applications used to pose 20 to 30 questions, Cray says, but those forms now routinely include more than 400 questions worded in conflicting or confusing ways that make them nearly impossible for applicants to answer.

Regarding questions about an organization’s immutable storage, Cray says, applicants might wonder, “‘Do I answer yes? My answer is yes.’ And then the insurer comes in and says, ‘Well, no, you didn’t have it across your entire environment, so we’re not going to pay.’” Of course, if applicants answer no to the question, their rates will certainly go up — if the insurance company doesn’t completely refuse to insure them. “That’s the reality of what clients are facing today,” Cray says.

“It’s getting super difficult to get it, to maintain it and then to adhere to it,” Roberts says of cyber insurance. Even when trying diligently to comply with the terms of a policy, organizations run the risk of an insurance company picking apart a policy and ultimately saying, “‘Well, you weren’t doing this one thing, so we’re not going to pay out.’”

“I think organizations have to take a look at that from a risk perspective,” Roberts says.

This post originally appeared on TechToday.