Most businesses have a form of cyber insurance, either through cyber liability and data breach endorsements in traditional business policies or through standalone cyber policies.
Cyber insurance provides a way to protect against risks and financial losses from data breaches and other cyber-related threats. Interest in cyber insurance surged as every organization confronted the rising threat of ransomware attacks. In 2019 and 2020 especially, businesses pursued coverage as a risk transfer strategy.
The surge in interest -- and in claims -- did not go smoothly. By 2021, insurance carriers, according to the NAIC, reported an average loss ratio of 66.4%. As a result, some carriers left the market, while others revised their product offerings -- often charging more for reduced coverage.
In 2024, reports indicated that nearly 40% of cyber insurance claims were denied.
Companies in industries that process and store large volumes of sensitive data, such as financial services, healthcare and retail, can expect to pay higher premiums for cyber insurance due to their elevated risk profiles. Other factors that influence cyber insurance costs include the size and revenue of the business, quality of security measures and prior claims. Some carriers now offer lower-priced products tailored specifically for small and midsize businesses.
Organizations face many challenges while finding cyber insurance, from silent cyber and policy exclusions to vendor selection and misrepresentation of security requirements.
So how should a business find cyber insurance? Let's look at some tips for getting started.
Start the process early
It is going to take time. Many companies start to evaluate cyber insurance needs and security requirements at least four to six months prior to the insurance application process or renewal. According to Forrester, CISOs said they needed up to six months to complete initial insurance questionnaires and to provide brokers with follow-up information about their organization's security procedures.
Assess your organization's exposure to cyber-risk
One company's priorities will be different from the next. Determine what most concerns your organization: a data breach, a ransomware attack, loss of funds due to large financial transactions or third-party cyber-related claims. If a cyberattack causes business interruption, how long would it take to restore operations? In the case of a ransomware event, what types of losses are organizations similar to yours suffering and how large are the claims that insurers pay?
New products feature parametrically triggered policies for cyber insurance, said Dan Burke, senior vice president of the national cyber practice at Woodruff Sawyer, a brokerage and consultancy. Companies that rely on third-party cloud platforms to operate their business can pre-agree with an insurance carrier on the value of potential losses on an hourly basis in the event of a cloud outage. If an outage occurs and causes a covered loss, the duration is independently tracked by a third party, and the insurer pays out the predetermined dollar amount based on the length of the outage.
Do a cost-risk analysis
The office of the CFO collaborates with the company's general counsel on risk management, compliance and policy language during the underwriting of cyber insurance policies. The CFO and the chief risk officer (CRO) should engage with the CIO, CISO and head of IT to understand the organization's cybersecurity risks and security posture. Ask the key questions, such as: Are multifactor authentication (MFA) controls in place for servers, email and endpoints across the organization? What are the plans for improving security over the next 12 months? Is the company in compliance with NIST and other cybersecurity frameworks?
Clients often ask Burke about the appropriate level of coverage. "That should be calculated using data analytics as much as possible, historical claims examples, and modeling, and should attempt to quantify the organization's cyber-risk," Burke said. Some companies might be willing to take on more risk, while others want to offload as much as possible.
Put the insurance agent or broker to work
Should your organization partner with a trusted insurance agent from the insurer to bind coverage and issue a policy? Or should you work with a broker with access to multiple options through relationships with both traditional insurers and boutique cyber insurance firms?
A broker, who is typically paid a commission by the insurance company, cannot issue insurance. A broker can assist with negotiations and the application or renewal process. Be sure you are consulting with the cybersecurity expert at the insurer or brokerage -- someone with sufficient technical knowledge to understand your organization's cyber-risk issues and the specific scenarios for which you need coverage.
Review your coverage options
How much coverage does your company need, and what should your cyber insurance cover?
First-party coverage refers to losses to your business, including business interruption, incident response, data recovery, reputational harm and more. Third-party coverage protects the organization against claims -- and in some cases, lawsuits -- by others, including regulatory fines, privacy liability, contractual violations and media liability. Silent or non-affirmative cyber exposure refers to coverage of cyber-related losses under packaged policies whose wording does not state explicitly what is and isn't covered.
Either way, read the fine print. Pay attention to general terms such as cyberincident or security incident, as well as subdefinitions such as privacy events or interruption events with their respective subtypes, said Timothy Zeilman, vice president and global cyber product owner at HSB. Get as much clarity as possible on the policy's use of specific terminology and what that means in terms of coverage. "That is one of the key things when reading a cyber policy," Zeilman said. "It is not all in the coverage granted. A lot of the key information is in the definitions."
The breadth of the definition of computer system is another important concept, Zeilman said. "Does it only cover the insured's on-premises, owned and operated infrastructure? Or does it extend to cloud providers and other third parties that process or store information for the insured -- or even beyond that?"
The U.S. Federal Trade Commission recommends a business look for duty to defend wording. Scrutinize this language to evaluate whether the cyber insurer's policy will protect your organization in the case of a lawsuit or regulatory investigation.
Pay less with a low-risk profile
As you review cyber insurers and their products, use a checklist to make sure your organization meets the insurers' requirements. Insurance companies want to see that a business has a sound security program in place with respect to the following:
Security controls. These will include MFA, endpoint detection and response (EDR), regular vulnerability scans and patching, offline backups and testing.
Governance and processes. Key elements to this will be an incident response plan, security awareness training, a designated CISO, third-party risk management and SOC 2 compliance.
Technology and documentation. These will involve an inventory of critical systems and data assets, logs and SIEM data, business continuity and disaster recovery plans, and documentation of previous security incidents.
An insurance agent or broker might request that the company use a third-party provider, such as Security Scorecard or NetDiligence Quiet Audit, to evaluate security controls, vulnerability management and incident response plans to develop a cyber-risk assessment. Some insurers also have product-specific partnerships with vendors and managed security service providers. Before signing up with an insurer that offers bundled services through vendor partnerships, Forrester advises that you understand exactly how your organization's security information will be used and shared.
Invest in security controls recommended by insurers
Cyber insurers look for MFA for all admin and remote systems, privileged access management, email filtering and web security, EDR, vulnerability and patch management, logging and security monitoring, data encryption, tested backups, incident response plans and security awareness training for employees. According to an Advisen Cyber Claim Report released in 2023, 44% of cyber insurance claims are denied because businesses didn't meet all of their security requirements.
Consider extending coverage to CISOs
Corporate directors and officers are often covered by an organization's directors and officers (D&O) liability insurance and indemnification clauses, but that's not always true of CISOs. A CISO plays a key role in public disclosure of material breach incidents and cybersecurity risk management practices required by the SEC in annual 10-K filings. Some companies are addressing this gap in corporate liability protection by adding CISOs to their D&O policies, Burke said.
Say no to strictly off-the-shelf insurance products
While some of these products offer a good place to start, protection against cybersecurity risks generally requires policy negotiations to meet the insured's specific needs.
Watch out for silent cyber loopholes
The lack of pricing and specific language in some commercial policies, such as property, general liability, tech errors and omissions, and D&O, can create uncertainty regarding cyber coverage. For instance, what happens if a software update contains faulty code that crashes key operational systems, or a data breach puts company executives at risk amid shareholder lawsuits? Ensure the policy clearly defines what is covered, what is not -- including sublimits, exclusions and any preexisting conditions that might invalidate claims. In July 2019, Lloyd's of London issued a mandate requiring brokers and insurers in its global syndicate to explicitly define affirmative cyber coverage and exclusions in all insurance policies, effective January 1, 2020. If a traditional business policy covers liability from a cyberevent, how does that interact with or affect a standalone cyber insurance policy?
Compare policies for coverage limits and exclusions
Pay close attention to sublimits on ransomware and business interruption coverage. Approximately 30% of data breach claims are either not paid or only partially paid by insurers due to exclusions in cyber insurance policies. Many cyber insurance policies also include an eight- to 12-hour time-based deductible following a breach incident.
Not surprisingly, insurers are most concerned about systemic or catastrophic events. Many cyber insurance policies do not cover damages from nation-state-sponsored cyberattacks or advanced persistent threats.
This so-called war exclusion ended up in litigation after NotPetya malware attacks in 2017 crippled Windows-based systems in Ukraine and spread across networks in Germany, France, the U.S. and other countries. Some affected companies, such as Merck and Mondelez, suffered hundreds of millions in losses. Merck filed a $1.4 billion damages claim, and its insurers invoked the war exclusion after the U.S. and U.K. governments alleged that Russia was behind the attack. The companies reached a confidential settlement in January 2024. Lloyd's of London required its global syndicate to exclude nation-state-sponsored attacks -- which can be carried out by hackers, criminal organizations or nation-state actors -- from standalone cyber insurance policies starting in March 2023.
Avoid mistakes on insurance applications
It's essential to have someone with technical expertise alongside the CFO to review the accuracy of insurance questionnaires for policy applications and renewals. During underwriting, confirm that security controls -- such as MFA, data storage and backups -- are implemented as described in the policy application. Closely involve the company's IT and security teams to ensure a clear and accurate understanding of your security posture.
When International Control Services fell victim to multiple ransomware attacks in a two-year period, its cyber insurer, Travelers, denied the second claim and declared ICS's $1 million cyber insurance policy null and void. Travelers then sued ICS, alleging the company's policy application contained misrepresentations about its use of MFA.
Get to know the preferred panel of experts
In addition to loss adjusters and forensic accountants, some cyber insurance carriers require that the claimant use their ransomware incident response firms. It's important to understand who is on these panels of experts and whether the insurer requires the policyholder to use its services. According to Forrester, 69% of companies with cyber insurance, either standalone or part of packaged policies, were required to use the carrier's panel of providers and at their negotiated rates. These panels consist of digital forensics (62%), incident response (61%), ransomware negotiation and payments (60%), and legal counsel (55%).
When an insurance claim is made, what happens if you use your own experts, rather than the ones provided by the insurer? These terms need to be negotiated upfront at the time of underwriting.
Kathleen Richards is a freelance journalist and industry veteran. She's a former features editor for TechTarget's Information Security magazine.