Ransomware Insurance Cover Set to Die Out – What’s Going On With Cyber-Insurance? – Part 1

Cyber-security without ransomware protection? What does that amount to?
13 September 2022

How do you make the best of an expensive situation?

Cyber-insurance is changing. In fact, it’s arguable that cyber-insurance is becoming both increasingly necessary and increasingly meaningless at one and the same time. No less an insurer than Lloyd’s of London – a benchmark of “We’ll insure anything for the right price” culture for hundreds of years – has announced it will no longer be able to offer insurance against State-sponsored cyberattacks from 2023 onward.

We sat down with Matt Middleton-Leal from Qualys, a firm that specializes in cloud security and cyber-solutions, to find out exactly what’s going on with cyber-insurance – and why a company’s cybersecurity coverage may not be all it imagines it is.

THQ:

What’s actually going on with cyber-insurance just now?

MM-L:

If you read some of the websites of the insurers right now, they’re very non-specific on what they are and aren’t doing. You wouldn’t necessarily imagine there was any change out there in the marketplace or see any difference. But then if you flip that over and look at the actual reality of what’s happening in the world, we all know that the threat landscape has accelerated dramatically, and specifically around ransomware. And that’s really the one that’s got everyone spooked. And the fact that even before Lloyd’s made its announcement last month, insurers were carving ransomware out of policies fundamentally changes that kind of backstop cover that organizations thought they had. So that for me has singularly accelerated the whole problem.

Bye Bye, Ransomware Protection!

THQ:

So cyber-insurance will be… insurance for everything but ransomware…and State-sponsored attacks? Surely at that point, if you’re a company, you’ve got to ask what exactly you’re paying a lot of money for?

MM-L:

Yeah, it’s a question that will come up more and more. I think the thing to look at as well is the actual actions that the ransomware is now undertaking, because it’s not just locking people’s machines anymore. It’s now also destroying data. It’s now also filtering data off and holding it ransom. And, frankly, who knows whether you’re getting it back or not, or you’re getting back the only copy? So there are multiple facets to that. And then if you overlay the Lloyd’s announcement, most of these attacks are read as State-sponsored attacks in some way, shape or form. So yes, you have to ask what you’ve paid for.

War and Cyberwar

THQ:

We were going to ask – the Lloyd’s announcement covers attacks that are part of a war. Does that extend to any attacks sponsored by a state that happens to be involved in a war? Is the whole cyberthreat landscape labelled as “part of the war” if it comes from State-sponsored Russian hackers, just because Russia happens to be at war right now?

MM-L:

It’s one of those classic cases of “Read the small print in your policy.” My understanding is that the lifecycle is, for example, most companies that have signed up for cyber-insurance tend to have done it in the last six years, which is three policies.

So they’re probably all coming up on a renewal premium sometime soon. And I think that’s where the problem comes, when they’re going to renew. There are a lot of policies being renewed at the moment, and I think people are coming unstuck. What I find really interesting is that I’ve got friends in the insurance industry, and they tell you “Bottom line, the reality is that we will insure anything, if you pay us enough money. Risk management is our job.” These people are some of the best risk managers in the world, and their livelihood depends on that skill.

And yet, they’re not covering ransomware.

The Silence…

THQ:

That has to tell you something. Presumably, that makes for a very jittery environment – a case of when it hits, and what its impact will be?

MM-L:

Yes, and no-one’s saying it directly. No-one’s saying “This is why we’re having this conversation,” but the undercurrent is absolutely there. You make a comment, and it’s nods and smiles and whatever. It’s all very hush hush. But two of the largest growing areas for us at the moment are our asset management and patch management capabilities.

Now frankly, I was working on and selling these 15 years ago, but a lot of organizations still have no control over their asset-base. They have no understanding of how secure their assets are, because they don’t know where most of those assets are.

Yes, they know their core ones, that’s the easy stuff. But it leaves you with the old 80/20 problem, where they used to say “We know 80% of our risk profile, we’re probably OK.” The fact is that the assets they don’t know about are what’s being used as a beachhead for these attacks. So we’re seeing this big push, with companies saying “How can we get a complete mapping of our enterprise assets, both internally and externally?”

And that kind of external attack surface monitoring is what attackers are looking at, because it’s where their likely pay-off is. And then the absolute fundamental thing for companies is, once they know a) where their assets are, and b) that they’ve been compromised, they need to be able to fix it faster. So I think FedRAMP plus, in the US, for example, now says that you have to patch your systems in seven days. Even Cyber Central’s pass says you’ve got to patch within 14 days for vulnerabilities of severity six and above.

And everyone knows there are businesses out there that haven’t been patched for years.

Show Me the Security!

So if I’m the insurer, one of the first questions I’m going to ask is, if you really want me to pay out, show me you’ve got control over your estate. And if your answer is “I’ve got control over 80% of it,” guess what? Your premium’s going up.

THQ:

So if you don’t have control over 100% of your assets, your premium is going up, but for instance, insurers are carving ransomware out of their policies. So you’re going to be paying more…for significantly less?

MM-L:

Yeah. Then it becomes a bit of a drag race between the insurers – who’s going to give a little bit extra to try and win more market share? But I think that if the biggest risk out of the business is ransomware, and right now, that’s carved out of the policy, so as a CISO, going to my board of directors, I’m going to have to come up with something pretty smart and pretty compelling. Because my risk profile has just changed dramatically…

In Part 2 of this article, we’ll cover what companies need to know, and what they need to do, to get maximum cyber-insurance coverage for minimum expense in the upcoming post-ransomware-cover era.