Top 7 Questions Cyber Insurance Companies Will Ask Applicants Seeking Risk Protection from Ransomware and Top 5 Best Practices to Qualify

With the recent high-profile cases of ransomware hitting the news cycle like Colonial Pipeline, JBS and others, it appears ransomware is not going away anytime soon and may just be in its infancy. Ransomware is a lucrative business model for cybercriminals with ransom demands that can reach into the millions of dollars as was the case with Colonial ($4.4 M) and JBS ($11.0). Ransomware-as-a-Service (RaaS) is making the barriers of entry extremely low, so we can expect to see more bad actors entering the business and more attacks across every industry.

The sense of urgency is ratcheting up as the C-suite is clearly focused on cybersecurity. I was speaking to one customer about deploying offsite/offline backup tapes as an air gap who said “Cybersecurity is the top focus for us in the next six weeks. We need to act fast”. In addition to shoring up cybersecurity plans, or putting key components in place, the notion of acquiring cyber insurance is cropping up and no doubt is also on the C-suite agenda.

So what is Cyber Insurance?

Cyber insurance, also referred to as cyber-liability insurance, seeks to help companies recover and mitigate the damage from cyberattacks such as ransomware, data destruction or theft, extortion demands, denial of service attacks, etc. This class of insurance has been around since the early 1990s and is rapidly evolving and growing in terms of revenue for insurance companies. One report I came across pegged the market for this type of insurance at $3.15 B in 2019 and is expected to rise to over $20 B by 2025. According to another report, about a third of all large U.S. companies carry cyber insurance.

Typical corporate insurance policies for general liability and property damage most likely don’t cover cybercrime, so cyber insurance has become a stand-alone offering specifically suited for cybercrime protection. Depending on the policy, below are just a handful of items that typically may be covered:

• Incident response costs related to restoring systems to pre-existing conditions
• Recovery cost of data or software that has been deleted or corrupted
• The cost of cyber extortion including the negotiation and execution of ransom payments
• Lost profits due to IT system downtime
• Financial theft or fraud arising from the cyber attack
• Physical asset damage
• Data privacy liability

Cyber Insurance Premiums

The premiums paid for cyber insurance policies depend on the risk factors for a company. For example, financial institutions were always considered high-risk targets but these days any company that relies on technology and data to do business is at risk. So that pretty much includes everyone. If you are delivering gasoline or meat products, so much the better for the hackers to leverage consumer unrest.

One challenge facing insurance companies in setting premiums is the lack of actuarial data due to underreporting of incidents by companies reluctant to admit to being a victim of cybercrime. This has led to a sparse database for estimating risk. The federal government faces a similar challenge. In a recent White House Executive Order on improving the nation’s cybersecurity, incident reporting and information sharing will become mandatory for federal agencies. This will help connect the dots to more effectively fight cybercriminals and should help the insurance industry.

Qualifying For Cyber Insurance

It is critical to understand that cyber insurance does not simply transfer risk from the insured party to the insurance company. A policy does not replace the need for good cybersecurity infrastructure and policies. In fact, engaging an insurance company to get cyber insurance will require demonstrating that best practices are in place to defend your company from cybercrime. According to a recent CSO Online article, the top 7 questions applicants will be asked are:

1. Do you perform regular backups and store them in a secure off-site location?
2. Do you limit remote access to all computer systems by using two-factor authentication?
3. How many PII (Personally Identifiable Information) records are held on your network?
4. Do you provide periodic anti-fraud training to employees?
5. Are processes in place to request changes to bank account details including account number, telephone numbers, or contact information?
6. Are you using Office 365 and its Advanced Threat Protection?
7. Can users access email through a web application on a non-corporate device?

In other words, companies need to have their cybercrime prevention best practices in place or an insurance policy might be denied or simply cost-prohibitive. It is also interesting to note that state and federal government agencies actually support cyber insurance by providing risk frameworks recognizing that a robust cyber insurance market will improve cybersecurity by identifying gaps in client security plans and providing a financial incentive to fill those gaps.

One additional point is that having a good cyber insurance policy in place may not result in total peace of mind for the C suite. If the bad guys know that a company has cyber insurance, it may just prompt an attack knowing resources are in place to cover ransom payments.  This reminds us that the FBI recommends that ransom payments should be avoided to discourage future attacks.

FBI’s Top 5 Best Practices for Ransomware Protection

Nevertheless, engaging an insurance company to help recover from potential cyber-attacks is probably a good idea. Before doing so, here is a quick review of the FBI’s 5 best practices to minimize ransomware risks that align with cyber insurance company expectations:

• Backup your data, system images, and configurations, test your backups, and keep backups offline
• Utilize multi-factor authentication
• Update and patch systems
• Make sure your security solutions are up to date
• Review and exercise your incident response plan

Both the insurance company expectations and FBI recommendation include offline/offsite backups. This can be easily and cost-effectively achieved with today’s modern tape formats.

In the case of the customer I spoke to, they want to air gap around 900 TB of critical data. That would be just 75 LTO-8 cartridges at 12.0 TB native, or just 30 cartridges if data compression is used. With tape’s TCO advantage and low energy consumption profile, long-term data protection is achievable and will keep the insurance company confident in your cybersecurity strategy.