The growth and development of ransomware has been shaped by several major trends.
It had existed for a long time (the first attack was in 1989), but when cryptocurrencies and ‘untraceable’ payments came along in the 2010s its popularity as an attack method exploded, writes James Watts, Managing Director at Databarracks.
International relations have been another major factor. Attackers and victims typically live in different countries so dealing with the criminals requires cross-border law enforcement collaboration. The US and Russia were starting to work together to address gangs based in Russia before the Ukraine war put an end to that cooperation.
But, in the relatively short period since ransomware really arrived just over ten years ago, one of the biggest factors has been the influence of cyber insurance. The effect has not always been positive, but our recent research has shown that it is making organisations much more resilient.
The impact of cyber insurance
If ransomware is a new phenomenon, so too is cyber insurance. I remember speaking to an insurance company just over ten years ago. They’d just started offering cyber insurance policies but at that point, they were yet to receive a claim.
Things quickly changed. As ransomware attacks rocketed, organisations eagerly took out cyber policies to protect themselves. It was a good time to be selling cyber insurance. Ransomware attacks changed too. In the early 2010s the most common ransomware our customers faced was low-cost, mass-market attacks like CryptoLocker. The ransom was just a few hundred dollars.
The ‘ransomware’ market quickly matured. ‘Ransomware as a Service’ emerged as a product, offering would-be cyber criminals without the skills to develop malware themselves the chance to buy an off-the-shelf kit. Attacks became more targeted – focussing on industries with weaker cyber defences and a higher impact of downtime. Manufacturing, healthcare and government became the easy wins.
To pay or not to pay
Victims had a choice. Pay the ransom, often hundreds of thousands or millions of pounds, usually by claiming on their cyber insurance policy, or attempt to recover themselves. In some cases, when backups were absent or didn’t work, there was simply no option but to pay. In others, the victim had to weigh the cost of the ransom against the cost of their own recovery. That can quickly stack up. There are the direct costs like cyber forensic experts, IT consultancies and overtime for your own teams. Then there are the business costs like lost income, fines from regulators and reputational damage.
Most organisations chose to pay the ransom.
The problem was that paying the ransom fed into the vicious cycle of more attacks and more payouts.
That was bad news for all, but the pain was felt acutely by the cyber insurers. Suddenly, that fast-selling product was coming back to bite them and exposing them to massive losses.
The problem was, they weren’t addressing the root cause. There had been no change to businesses to make them more secure and better prepared to respond to an attack and refuse the ransom. They were just better prepared to pay the ransom.
Insurers did the two things they always do in this situation. They increased the price of the product and they raised their requirements to obtain cover.
Just as you answer questions about your locks, doors and windows when you take out home insurance, you now need to answer far more questions about your IT security to obtain cyber cover.
Cyber insurance questionnaires that had been simple and superficial now delved into:
- Segregation of production and backup data
- Encryption of backups
- Last date of disaster recovery testing
- Have you suffered a ransomware attack?
- What is your annual budget for IT and cyber security?
- How quickly do you deploy critical updates, and do you use any software beyond end of life?
Insurers needed to know that the company applying for cover was secure and able to respond to a cyber-attack. They want customers who are unlikely to make a claim. And if customers do claim, insurers want lower-value claims, because a customer with the capability to respond and bring itself back online quickly limits its costs.
The other change insurance companies made is that they began discouraging payments.
These changes in cyber insurance had a macro effect. They drove changes in behaviour from organisations, making them improve both preventative security and their ability to respond.
Suddenly, everyone wanted immutable backups, segregation of operations and frequent DR testing.
The result was rapid and significant.
In our 2022 Data Health Check survey, the most common response to ransomware was to pay the ransom. The number who recovered themselves from backups was just 34%. This year, in 2024, that jumped to 54%.
In that same two-year period, the number of organisations with cyber insurance increased from 51% to 66%.
But, despite that growth, the number who actually claimed on the policy fell by a third.
Put simply, more organisations have cyber insurance. Fewer are claiming. More are recovering themselves.
The result
If you look at each attack in isolation, it is easy to make the case for paying the ransom as the cheaper and easier option: less downtime, less reputational damage (if no-one finds out) and lower overall cost. But the ransomware problem can’t be improved in isolation; we need to address the system.
Organisations needed to be discouraged from paying out and encouraged to improve their response. Outright bans on payment are frequently discussed by regulators but are usually abandoned (beyond preventing payments to known terrorist organisations). It is hard to set a rule that would inevitably lead to businesses failing and job losses.
When an insurance company wants to determine a reasonable price for a policy, in most cases it can look at years (or decades) of actuarial data. The world of cyber risk, however, changed so rapidly that insurers were forced to react and respond in real time.
Cyber insurance has succeeded where regulation has mostly failed. For us, it has been the most significant positive factor in improving ransomware response and cyber resilience.