Ransomware, also called cyberextortion, has been on the rise, especially as businesses have moved more operations to the digital world during the pandemic. Cybercriminals have seized on an opportunity to hold businesses hostage, and with attacks increasing in frequency due to the high levels of success of ransomware, businesses are seeking financial protection from ransomware coverage.
What is ransomware?
Ransomware is a method of cyberextortion and type of malware that enables a cybercriminal to lock down a victim’s device, data, or network, holding it hostage until the victim can pay a ransom.
Ransomware can spread through a variety of methods, including malicious websites, links, emails, attachments, or infected drives. Once a device is infected, ransomware can spread to others and prevent your company from operating, with potentially devastating effects on your business. Payments for ransomware are often requested in the form of bitcoin or other hard-to-trace digital currency.
Ransomware often comes in two main forms:
- Encryption ransomware: Encrypts your files so that they cannot be read, holding them hostage until you pay a ransom fee and can unlock them.
- Lock-screen ransomware: Shuts down access to your computer system or electronic device by locking you out.
Some examples of recent ransomware attacks include the attack on the Colonial Pipeline Company, which caused spikes in fuel prices in the U.S. and resulted in a $4.4 million ransom payment, and the attack on JBS Foods, one of the largest meat producers in the world, which resulted in an $11 million ransom payment.
While these examples illustrate the large-scale impact ransomware can have on multi-national corporations, ransomware attacks have also been hitting small and midsize businesses. According to a 2021 survey of small businesses, 11.3% of small businesses experienced a ransomware attack, and this number only continues to grow.
Much of the growth in ransomware has come from the advent of ransomware-as-a-service (RaaS), which allows anyone, even those without technical expertise, to launch a ransomware attack by paying for the service.
What is ransomware insurance and what does it cover?
Ransomware insurance is a type of cyber insurance coverage that can cover financial losses, including ransom fees and business interruption costs, stemming from a ransomware attack.
Ransomware coverage is often included within cyber liability insurance policies, but as there is no standard cyber or ransomware policy, coverage varies widely depending on the insurer.
Example:
- In 2019, a cyberattack using the Ryuk ransomware fetched more than $1 million from Florida government authorities alone—Lake City officials authorized payment of about $500,000, while Riviera Beach officials gave the green light to a $600,000 ransom. The ransomware was initially downloaded by an employee via an infected email attachment, which then spread the malware to multiple systems, locking them down and placing ransom notes in each affected file folder. In the end, the majority of the ransom payment was covered by the city governments’ insurers.
As ransomware attacks continue to mount, some insurers have taken steps to account for the increased risk, including increasing premiums on cyber policies, introducing sublimits or coinsurance requirements, implementing more restrictive language on ransomware payouts, removing coverage for ransomware altogether, and creating standalone ransomware-only coverage products.
Ransomware coverage, when included in a cyber policy, may often have a much lower sublimit. For example, a $1 million cyber liability policy might have a ransomware coverage sublimit of as low as $25,000 unless modified by an endorsement. This does, however, highly depend on the policy. Some insurers that specialize in cyber coverage have refrained from adding in a ransomware sublimit.
Get a quote on Cyber Insurance
Depending on your provider, ransomware insurance may cover:
- The ransom fee demanded by hackers
- Crisis management and investigation costs
- Interruption to your business
- Hardware replacement
- Data restoration or recreation
- Damage to your business’s reputation
- Hiring negotiators to handle hackers
- Costs associated with shoring up your computer system
Keep in mind that not all policies are the same and that the cyber market is constantly evolving. As of yet, there is no clear standard in cyber or ransomware coverage, and new products and coverages are emerging constantly as ransomware attacks continue to change as well. Be sure to check with your insurer on the exact details of any ransomware policy.
Do I need ransomware insurance?
Of course, not every business has the incentive to obtain ransomware insurance. You may find that the cost of this coverage outstrips your resources or simply feel that you are well equipped to absorb this risk.
If you run a small or medium-sized business, you may assume that you are less at risk for a ransomware attack than a larger corporate entity. As times change, however, you’re increasingly being proven wrong. Multiple studies have shown that smaller businesses are often at far greater risk than larger enterprises, given fewer resources to spend on security measures and training to prevent cyberattacks, meaning higher vulnerability and easy prey for cybercriminals.
Businesses in professional services, health care, government, and retail are often most at risk.
Example:
- Officials in Licking County, Ohio weren’t prepared for the major ransomware attack that hit in January 2017, affecting everything from data systems to phones. County services were massively affected for the next two weeks as officials, having decided not to pay the ransomware demand, sifted through systems deleting bad code. Later, officials in nearby Franklin County decided to take out a cyber insurance policy with specific stipulations for extortion.
These days, the need for ransomware insurance may have less to do with your size and more to do with your willingness to remain vigilant against online invaders.
What factors should I consider when choosing a policy?
As you’re considering the advantages and disadvantages of ransomware insurance, there are a few major aspects you’ll want to research.
Definition of Extortion
It’s crucial to know what your insurer defines as extortion, given that this is a primary factor in determining specific coverage.
Example:
- Your food service company is one of several hit by a particular ransomware attack. Though your files have been locked down by hackers, a lack of a specific ransom note could indicate to your insurer a lack of demand for payment and thus influence the decision to deny coverage on this basis. This can happen when hackers hit businesses not to necessarily extort money but to exploit data that they find on affected systems.
Industry
Consider whether you’re in an industry that is particularly hard-hit by cyberattacks. Anyone—including government entities, private businesses, and individual entrepreneurs—can be victimized by hackers, but one fast-growing target is health care organizations. Businesses with sensitive data or information on patients or customers, including protected health information (PHI) and personal identifiable information (PII), are at high risk.
Example:
- The first recorded ransomware attack took place in December 1989, when the PC Cyborg (AIDS) trojan horse hit the health care industry through infected floppy disks purporting to offer fresh information on the AIDS virus. However, it instead encrypted files and masked directories, rendering computer resources inaccessible. Today, the health care industry remains a major target for ransomware attacks.
Payment Terms
Something else to consider is a policy’s payment terms regarding ransoms. Keep in mind that since most policies mandate written consent from the insurer before a victim can pay a ransom, you might experience a delay in getting your business back up and running. It’s also important to know that while an estimated 45 percent of businesses complied with ransom demands in 2018, just over half of those actually received access to their files. There is no guarantee that a cybercriminal will fulfill the terms of a ransom agreement.
Also, know that many insurers set sublimits for ransomware coverage, meaning that resources are not unlimited when providing payouts. When it comes to deductibles, review your policy carefully to ensure that it takes into account the possibility of multiple attacks within the same policy year.
What are the key exclusions of ransomware insurance?
Like any other type of coverage, ransomware insurance carries certain exclusions. While these vary among policies, this is a sampling of common ones:
- Failure to Follow. Also known as Failure to Maintain, this exclusion stems from perceived negligence with regard to security. If you haven’t set up your own systems to proactively guard against these attacks, your insurer may refuse coverage. Avoiding this means a watchful eye on your technology departments as well as a careful review of any policy under consideration.
- Scope of Coverage. As noted earlier, careful review of any policy you are considering is essential as insurers may define “extortion” differently and also have varying payment terms.
Compare Cyber Insurance Quotes
There are a variety of insurers and brokers in the market, and it may be difficult sorting through all of the options. AdvisorSmith analyzed a variety of cyber policies and determined the best cyber insurance companies for small businesses. To determine the best cyber insurers, AdvisorSmith considered a number of factors, including financial strength ratings from AM Best and Standard & Poor’s, customer satisfaction data from several J.D. Power studies, complaint ratings from the National Association of Insurance Commissioners, available features and options, and availability of information and ease of use of the insurers’ websites.
» Read our full review of the best cyber insurance companies.
| Rank | Company | AdvisorSmith Rating |
|---|---|---|
| 1 | Hiscox | 4.9 / 5.0 |
| 2 | Chubb | 4.8 / 5.0 |
| 3 | The Hartford | 4.7 / 5.0 |
| 4 | AIG | 4.7 / 5.0 |
| 5 | CNA | 4.6 / 5.0 |
| 6 | Arch | 4.5 / 5.0 |
| 7 | Hanover | 4.5 / 5.0 |
| 8 | Intact | 4.4 / 5.0 |
| 9 | Beazley | 4.3 / 5.0 |
| 10 | Axis | 4.3 / 5.0 |
Final Word
Ransomware attacks are continuing to evolve, making it challenging to stay vigilant against them as they change in the name of foiling you and your systems. However, education and preventative measures are both key in the fight against these attacks. It’s crucial that you educate yourself as to what you’re up against here as well as any specific vulnerabilities that your business may feature.
As you weigh the pluses and minuses of ransomware insurance, there are several steps you can take to ensure your business’s basic cybersafety and to increase the chance that your insurer will pay down the line should an attack occur. Three major ones: use backups should you need to restore your data, deploy a reputable cybersecurity system, and train your employees on email security. Keeping these systems up to date is a major chink in the hacker’s armor and with cybercriminals getting savvier all the time, you may need all the help you can get.
Expert Commentary
AdvisorSmith spoke with the following experts to provide critical insight on cyber insurance for business owners.
David Eargle
- Assistant Professor
- University of Colorado Boulder, Leeds School of Business
Denise Kinsey
- Assistant Professor, Information and Decision Sciences
- California State University, San Bernardino
Q. Should small businesses be concerned about cyber risk?
George: Absolutely. Small businesses are as susceptible to attacks as larger organizations. In fact, smaller businesses tend to be easier targets as they often do not have the resources to focus on cybersecurity. Typically, it is the high-value, high stake attacks of large organizations that are covered in the media. But it is only a matter of scale, an attack on a small organization can have an equally devastating reputational and costly impact on the business.
Denise: Absolutely! Big business hacks appear in the news because of the large number of victims, scope of the attack, name recognition, or amount of the loss. Hackers often do not discriminate when launching an attack, meaning they do not necessarily target a specific company. Instead, they may target a known vulnerability in an operating system or protocol which means every organization or individual that has that vulnerability on their computer is a potential target and at risk. As they often do not have a large, dedicated IT department and budget to ensure patching is up-to-date and the network is secure, a small business may be more susceptible to such an attack than a large organization.
David: Cybersecurity threats depend on specific attacker motivations. For purely financially motivated ransomware attackers, the size of an organization isn’t as important as is the organization’s reliance on its digital assets and on its willingness and ability to pay to restore services.
For example, ransomware operators have been known to target school districts right at the start of the school year—where resources to protect systems are often low due to limited funding, but where systems are badly needed to maintain operations, and therefore willingness to pay the ransom is high.
When victims have cybersecurity insurance, they do have the resources to pay the ransoms, and attackers know this, making them juicy targets. Therefore, small organizations can be just as susceptible to attacks as are larger ones. Organizations should identify their own business contexts and their risk profiles against specific attacker motivations such as those of ransomware operators.
Q. How can a business effectively organize and manage cyber risk?
George: There is an overwhelming amount of available information, methods, tools, and techniques on how to implement security which can often become paralyzing. The best course of action is to start by following the standard (ISO/IEC 27001:2013) for implementing organizational information security. Understandably, not every organization will be interested or able to pursue the official ISO certification. However, the standard’s requirements alone can serve as a helpful roadmap to implement suitable best practices.
Denise: Yes, risk can be identified, quantified, and managed. The process of risk management includes risk identification (what risks exist to my organization because of my industry, my computer network, personnel, and business-specific circumstance); risk elimination (remove the risk entirely if possible—such as upgrading computers from a vulnerable operating system to a more secure operating system); risk minimization (minimizing risk such as ensuring available patches are tested and then deployed on the network); risk mitigation (sharing the burden through insurance coverage, contracts, and legal agreements); and finally, risk management for any residual risk that exists.
The process is similar for every business but what is found at each step of the processes varies by industry, size of the business, legal compliance and governance requirements, employee buy-in to the process, and awareness to the cyber environment in which they operate.
David: Organizations can follow the NIST cybersecurity framework functions to manage cybersecurity risk. They can (1) Identify the organization’s business context, assets, and threats; (2) Protect those assets with safeguards; (3) Detect active attacks on those assets; (4) Respond to detected threats by containing them; and (5) Recover, by restoring assets or services impacted by the contained threats.
An organization with immature cybersecurity risk management processes will predominantly be reactive to threats, whereas a mature organization will proactively continually monitor and assess threats and mitigations. Each organization should deliberately decide for each of its assets which level of maturity makes the most business sense—it’s not necessarily irrational to have immature plans for a given asset.
Q. Where do you see the cyber insurance market trending, and what are the main insurability challenges?
George: In the coming years, I expect cybersecurity insurance to become an implicit operating requirement for businesses of all sizes. Today, the increasing reliance on information and computing assets is such that an attack can cause a business significant reputational damage and catastrophic financial losses.
Insurability is a hard problem to solve. On the one hand, many of the security terms we see associated with security incidents are not well defined or covered by existing laws. This is a challenge in determining how insurable events should be covered. Cyberterrorism is a good example of a not well-defined term. For instance, does a ransomware attack by a foreign entity that is keeping hostage the medical records of current patients fall under existing blackmail laws, or does it constitute cyberterrorism?
Another practical challenge is related to the creation of insurance products, specifically determining what and how much to cover. While cybersecurity attacks seem frequent, quantifying the actual costs, lost business, reputational damage, and remediation costs is hard. Combined with a general inherent reluctance of organizations to admit being compromised, there is very little historical data on the overall actual costs of an attack.
Denise: I’m not an insurance professional, but publicizing an organization has ransomware insurance may make it more vulnerable to attack as a hacker recognizes the organization’s position and willingness to pay in the event of a ransom. The vehicle for payment (usually untraceable cryptocurrency) is already available, reducing the time from ransom demand to payment which may also reduce the time to trace such a hack. Ransoms are often small enough that an organization will pay and still be able to continue operations (or employ insurance).
Jurisdiction has been one of the largest hindrances in pursuit of ransomware hackers. The attacks often originate outside of our geographic and legal borders, from countries that are not inclined to assist in apprehension of the accused. If a hacker is able to gain access to a system or network and lock it down (encrypt it) so legitimate users are not able to access it, that person is often skilled enough to cover their tracks on the network and avoid capture by law enforcement.
Remember, an attack here could have been perpetuated from anywhere—another country, another state, or the next desk over. Protecting a network is not just about having insurance to protect against a ransomware attack. It requires a culture of cyber awareness, network security, access control, application of least privilege, with network monitoring and investigation into anomalies or changes.
David: Cyberinsurance providers will likely seek effective ways to measure an insuree’s assets’ cybersecurity risk profile, and set rates accordingly. Assuming businesses acting rationally, this should motivate organizations to do whatever is necessary to avoid increases to their premiums. To the degree that insurance providers demand that insurees have effective cybersecurity risk management processes, this should lead to an overall increase in organizations’ cybersecurity risk management maturity.