Organisations cannot rely on cyber insurance to cover losses

Ransomware attacks spurred close to half of all the cyber insurance claims filed in North America in the first six months of 2020, but even if a victim’s policy covers ransomware – which is not a given – there is no guarantee that insurers will underwrite the full cost of an incident, and such policies must not be relied upon to do so.

That is according to a newly released report from Cybereason, which examined the consequences and costs of ransomware attacks based on input from more than 1,000 security leaders based in France, Germany, Singapore, Spain, the UAE, the UK and the US.

Cybereason noted the example of the City of New Orleans in Louisiana, which was impacted by a successful ransomware attack in late 2019 that caused the city government more than $7m in losses – and even though New Orleans’ policy covered losses resulting from ransomware attacks, the city recouped only $3m, leaving a multimillion-dollar hole in its finances, with predictable results for city services.

This scenario was further borne out in the responses to Cybereason’s study. Some 54% of the cyber pros who responded said their organisation had bought a cyber insurance policy that covered ransomware in the past two years – versus 24% who bought one that did not. Of those that were subsequently attacked and extorted by a ransomware crew, 42% said their insurer covered only a portion of the losses.

Cybereason said this suggested a major impact to those without insurance, and a significant impact to the business even if they do. The moral of the story is that if your organisation does have cyber insurance, be sure it properly covers ransomware, and of course take every precaution to avoid being hit to begin with. For more on this, see the National Cyber Security Centre’s ransomware mitigation guide.

“Ransomware attacks are a major concern for organisations across the globe, often causing massive business disruptions including the loss of income and valuable human resources as a direct result,” said Lior Div, Cybereason’s co-founder and CEO. “In the case of the recent Colonial Pipeline ransomware attack, disruptions were felt up and down the East Coast of the United States and negatively impacted other businesses that are dependent on Colonial’s operations.

“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organisation again, and in the end only exacerbates the problem by encouraging more attacks. Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organisations to stop disruptive ransomware before they can hurt the business.”

Div reiterated generally accepted guidance not to pay ransoms to begin with, saying that in the UK specifically, of those who paid off their attackers, 84% suffered a second attack in short order – often at the hands of the same gang.

Also, 43% of those who paid – again based on the UK data – 43% reported that some or all of the data was corrupted during the process.

UK victims tended to report significant impacts to their business performance following an attack, with 47% losing business and 61% losing revenues. Meanwhile, 63% who admitted losing business indicated that their brand and reputation were damaged as a result.

But the impacts do not stop there – 45% of UK victims who lost business said they had also seen an exodus of high-level, c-suite talent, 31% reported they were forced into making layoffs, and 34% said they had been forced to shut down business operations entirely.

Cybereason’s full report is available to download here.