Ransomware attacks and cybercriminal gangs continue to make headlines as they create the highest severity and most frequent losses for insurance carriers. Unlawful hackers take control of systems and try to force companies to pay huge amounts to unlock them.
Episode 6 of our SON OF A BREACH! podcast series takes a closer look at the growth of ransomware, the exorbitant payouts, and tips for understanding the complexities of cybersecurity insurance and getting the right coverage for your business.
Joining host and CRITICALSTART Chief Technology Officer Randy Watkins is insurance risk management expert Doug Jones, senior vice president and principal at RHSB Insurance.
A third-generation insurance broker, Jones began developing his expertise in insurance risk management more than 30 years ago. Having focused on technology-oriented risk and cybersecurity insurance for more than 20 years, he says ransomware falls outside of traditional risk modeling.
“Bad actors are more sophisticated, so we’re seeing a big change in the market trying to absorb all these losses,” he says. “That’s changed the way (insurance underwriters) look at risk, and it’s largely driven by ransomware.”
Jones says ransomware has forced carriers to be much more discriminating and thorough in their underwriting process.
“That’s where we’re starting to see a change in underwriting,” he says. “There’s different applications required now that haven’t been done in the past. And some brokers are now offering additional things to try to help companies put them in a better light for pricing with insurance carriers.” Jones says these include vulnerability scans, security assessments, and penetration tests.
Because of the complexities of cybersecurity insurance, he says every carrier offers something different. “Be sure you’re dealing with someone who can help you navigate that landscape,” he advises. “Don’t just look at buying an off-the-shelf product.”
Q&A on Ransomware and Insurance with Doug Jones
The following is an abbreviated Q&A based on Watkins’ conversations with Jones in Episode 6 of our SON OF A BREACH! podcast series. Be sure to tune in to the entire conversation.
Watkins: Cybersecurity insurance has really been gaining popularity over the last six years or so, as organizations look to exercise their options and transfer the risk. What are the underlying principles of cyber liability insurance?
Jones: A cyber liability policy is actually a combined policy that has both third-party liability and what we refer to as first-party coverage. The liability coverage is when a third-party is making a demand against you. First-party coverages I like simply defining as additional expenses as the result of a cyber incident, and that can include notification, crisis management, PR, forensics, legal costs, extortion, business interruption, data restoration – all those additional expenses that you can incur as the result of a cyber incident.
Watkins: The number one threat facing a lot of organizations right now, or that they’re purchasing the liability or cybersecurity insurance for, is ransomware. Is ransomware, something that’s natively covered, or does it have to be stated in the policy as an additional add-on for ransomware?
Jones: It is not automatically included in the policy. Highest frequency and severity losses are with ransomware. It’s typically included in a policy, but not always. So when you see, oh, I’ve got ransomware, you also need to look at what’s the retention on that? Does it have a sub limit? Right now, we’re seeing insurance carriers offer coinsurance on that. So your coverage may be more limited than what you think.
Watkins: If a company is already going through and either performing security assessments, or they’re considering these assessments in line with cybersecurity insurance, are those things that help lower the premium or help expediate the process of getting the cybersecurity insurance put in place?
Jones: Absolutely. Where that was many times overlooked in the past, especially for average risk, now they’re being required to look at that. Almost every carrier right now has a separate ransomware application, and they’re asking a lot more security questions around this. And some of the main things they’re looking at are multi-factor authentication. Backups are really important. You know, are they off site? Are you segmenting it? Are they encrypted? Employee training is being required? Endpoint detection and response is something really important that carriers are looking at. And remote desktop protocol is a big thing. If you don’t have a good answer to these questions, you’re being put in the bad group, so to speak, and you’re losing market leverage, because the majority of cyber insurance carriers will not even consider underwriting your risk.
Watkins: I know a lot of folks don’t know where to start in terms of, hey, we would like to get cybersecurity insurance coverage, or renewal is coming around and we want to shop it just like car insurance. So where can people start, and where can they learn more about the services provided by RHSB and yourself?
Jones: First of all, know that this is a complex insurance product where every single carrier offers something different. So be sure that you’re dealing with someone that can help you navigate that landscape. Don’t just look at buying an off-the shelf-product. We’re happy to help anyone and feel free to reach out to me. My email address is [email protected]. People can reach out to me directly, I’m happy to help.
CRITICALSTART® and MOBILESOC® are federally registered trademarks owned by Critical Start. Critical Start also claims trademark rights in the following: Cyber Operations Risk & Response™ platform, and Trusted Behavior Registry®. Any unauthorized use is expressly prohibited.