More evidence that insurers are making it harder for organizations to get cybersecurity coverage came in a new report on ransomware today from Sophos.
Fifty-four per cent of the 5,600 IT professionals in mid-sized organizations across 31 countries surveyed earlier this year said the level of cybersecurity they needed to qualify for coverage is now higher than it was in 2021.
Almost half of the respondents said cyber insurance policies are now more complex than they were in the past. In fact, 37 per cent said the process for getting coverage takes longer and that coverage is more expensive.
The good news is this likely raises the cybersecurity maturity of firms that can get coverage. Ninety-seven per cent of respondents made changes to their cyber defense to improve their cyber insurance position.
The bad news is it’s getting harder to find insurers offering cyber coverage. Forty per cent of respondents said fewer companies are offering cyber insurance.
The numbers come from Sophos’ annual State of Ransomware report.
Over four in five respondents said their firm’s cyber insurance covered ransomware-related costs. However, 34 per cent of them said their policies include certain exclusions/exceptions that limit some payments.
For those with ransomware coverage, 98 per cent that were hit said the policy paid out in the most significant attack – up from 95 per cent in 2019.
There was, however, an increase in payment of cleanup costs and a decrease in ransom payments by insurers. Seventy-seven per cent of respondents reported that their insurer paid cleanup costs (such as costs incurred to get the organization up and running again). That was up from 67 per cent in 2019.
But among the firms that agreed to pay a ransom, only 40 per cent reported that the insurer paid that cost. That was down from 44 per cent in 2019.
The ransom payout rate varied considerably by sector. The highest rate was reported in lower education (K-12/primary/secondary), at 53 per cent, while the lowest was in manufacturing (30 per cent).
The report argues the sectors with the lowest rate of ransom payment (manufacturing and finance) are also the ones able to recover fastest from an incident. That, the report says, emphasizes the importance of disaster recovery planning and preparation.
“It’s worth remembering that while cyber insurance will help get you back to your previous state,” the report adds, “it doesn’t cover ‘betterment’ i.e., when you need to invest in better technologies and services to address weaknesses that led to the attack.”
Two-thirds of respondents said their organizations were hit by ransomware last year, up from 37 per cent in 2020. Of those victimized, attackers succeeded in encrypting data in 65 per cent of attacks, an increase on the 54 per cent encryption rate reported in 2020.
“Organizations have got better at dealing with the aftermath of a [ransomware] attack,” says the report, noting “virtually everyone now gets some encrypted data back, and nearly three quarters are able to use backups to restore data.”
At the same time, the proportion of encrypted data restored after paying the ransom dropped last year, down to 61 per cent on average, despite a near threefold increase in the percentage of victims paying ransoms of US$1 million or more.
To be better prepared to fight ransomware the report says IT leaders should:
- ensure high-quality defenses at all points in your environment. Review your security controls and make sure they continue to meet your needs;
- proactively hunt for threats so you can stop adversaries before they can execute their attack. If you don’t have the time or skills in-house, outsource to an MDR specialist;
- harden your environment by searching for and closing down security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended Detection and Response (XDR) is ideal for this purpose;
- prepare for the worst. Know what to do if a cyber incident occurs and who you need to contact;
- make backups, and practice restoring from them. Your goal is to get back up and running quickly, with minimum disruption.