Majority of firms lack cyber insurance

The average business ransom paid is now above $800,000

Cost, lack of transparency and increasing software requirements are big challenges when it comes to finding an insurer

Businesses are slowly losing the capacity to insure themselves against a possible cyber attack, but the amounts demanded by criminals keep rising.

That is according to a new analysis from BlackBerry and Cyber MGA Corvus, which warns of a widening 'cyber insurance gap' in North America.

Based on a survey of 450 IT leaders at companies in the US and Canada, the study found that a majority of firms in the region are either uninsured or underinsured against the rising wave of ransomware attacks.

Only 55% of survey respondents claimed to have cyber insurance at the moment.

In addition, just 19% of companies said they had a coverage limit above $600,000 - the median ransomware demand for 2021.

SMEs are particularly under pressure. Only 14% of companies with fewer than 1,500 workers have a coverage limit over $600,000.

More than half (59%) of small firms anticipate that the government will pay for damages when future attacks are connected to other nation-states.

Many companies complained that their cybersecurity protections were not appropriately adapted to their present needs.

More than one-third (37%) of respondents who have purchased cyber insurance don't have coverage for ransomware payment demands, while 43% don't have coverage for ancillary expenses like court costs or lost productivity.

Twenty-eight percent of respondents said they intended to get coverage 'shortly.'

In April, cybersecurity company Sophos reported an almost five-fold increase in the average business ransom paid, reaching $812,360.

It discovered that 11% of ransomware victims in 2021 reported paying ransoms of $1 million or more, a 4% rise over 2020. The percentage of victims who paid less than $100,000 fell from 34% in 2018 to 21% in 2021.

The average ransomware payment in the first five months of 2022 was $925,162, according to research by Palo Alto Networks' Unit 42 threat intelligence department. That is a 71% increase over 2021.

According to a Forrester survey, 63% of firms had breaches in the last year - a 4% increase from the year before. The Forrester report concluded that the total cost of an average data breach would reach $2.4 million, including the cost of the investigation and recovery.

Cost is a key consideration when choosing cyber insurance. More than half (57%) of respondents said the current cost of premiums is a challenge, as is insurance firms' lack of transparency over what is covered (49%). For example, many no longer cover payments made to ransomware attackers.

According to the report, insurance brokers' increasing software demands have made it more difficult to get cyber insurance.

Thirty-four percent of respondents said they have been denied cyber insurance due to lack of compliance with certain EDR software requirements.

Corvus claims that ransom payments may be declining as a result of those requirements.

"Though it might sound counterintuitive, continuing to adhere to software requirements is one of the best ways to fight the ransomware industry," said Vincent Weafer, CTO at Corvus.

"In our portfolio alone, we've seen a 50% reduction in the ratio of ransom demands that end up being paid. Better software adoption is a critical element in better positioning organizations to stand up to attackers."