Cyber insurance is inspiring the threats it’s supposed to protect against

Easy payouts encourage ransomware attacks. Organizations need better and smarter cybersecurity, not just more cyber insurance.

Originally published in the Forbes Tech Council

Gidi Cohen · Forbes Councils Member

Easy payouts encourage ransomware attacks.

During the pandemic, sophisticated threat actors exploited the comparative ease of obtaining cyber insurance payouts to ransom businesses, in some cases holding critical infrastructure hostage and putting lives at risk. Insurers enabled Colonial Pipeline and JBS Meats to collectively pay hackers $15 million to release their seized networks. Unfortunately, those funds didn’t just reward cybercriminals; the payouts funded and encouraged subsequent attacks.

Some of the vulnerabilities exploited were relatively new, such as the “software/server supply chain” technique used in the hack involving SolarWinds, all aimed at extorting multiple ransom payments. Other weaknesses were latent and unaddressed, such as credentials appearing on circulating lists of known passwords, or weaknesses introduced by permitting work-from-home devices to access enterprise networks.

Unfortunately, the problem has become so severe that some insurance firms are already curtailing ransomware insurance payouts, while others are creating more stringent requirements for companies seeking coverage. And now, rather than accepting passive assurance that applicants possess adequate cybersecurity, insurers are actively requiring companies to verify their security posture.

Today’s cyber insurance norms are not sustainable in a world of growing threats.

Recent research by the threat intelligence division of Skybox Security indicates the cyber threat boom is continuing. Ransomware has grown by nearly 20% year over year, and 27% of reported malware incidents in 2020 involved ransomware attacks. Although cyber insurance was supposed to reduce the financial burden associated with cyber threats, the reality is that these quick, easy ransom payments have increased the incentives for threat actors — setting the stage for a whole new generation of financially motivated ransomware attacks.

In addition to motive, cyber insurance has also facilitated a dangerous sense of complacency within enterprises. While it’s tempting to say we need to change the economics, this pattern of ransoms and payouts is not sustainable and will only become more severe and widespread.

In the foreseeable future, cyber insurance companies will likely mimic healthcare insurers by mandating so many exclusions, co-pays and deductibles that cyber insurance policies will barely be worth purchasing. As insurers set caps or walk away entirely, businesses and consumers will be left to absorb massive losses.

Organizations need better and smarter cybersecurity, not just more cyber insurance.

What really needs to change is the “insurance is cheaper than protection” mindset that is enabling companies to be ransomed. Recent research by Skybox Security uncovered that over one-third of respondents believed cyber insurance alone was a sufficient solution. That’s an inaccurate assumption since insurance doesn’t compensate organizations for lost business, which averages $1.59 million per data breach.

To change the paradigm, organizations must move away from reactive, detect-and-respond security, which focuses on addressing breaches after they happen. The future is proactive security: preventing breaches from ever occurring.

How can leaders start proactive cybersecurity transformation in 2022?

(1) Realize that advancing to a new cybersecurity playbook is an iterative journey. A critical first step is identifying your company’s current cybersecurity maturity level. Then, it is possible to develop a realistic road map.

(2) Assess whether your security team is set for success. Have you implemented defined roles, responsibilities and processes? Do you have the data at your fingertips to drive strategic change and tactical improvements?

(3) Understand that very few organizations are currently at the final, optimized maturity level. The optimized maturity level is the state of cybersecurity management in which you can see, understand and continuously improve the security posture of your attack surface using a risk-based approach.

Organizations need to proactively and continuously assess the strength of their cybersecurity controls, processes and compliance programs. To reduce exposure risk, they need to implement an organization-wide common approach to optimize security planning, deployment and remediation processes. These strong cyber hygiene and proactive security posture management practices not only help shield organizations from cyber threats but will enable cyber insurance policyholders to continue to qualify for coverage in an increasingly dangerous world.

An ounce of prevention equals a pound of cure.

Shedding old reactive behaviors is the only smart way to secure a business in the digital era. Being proactive about security costs a lot less than trying to triage a company’s security program after an attack, at which point the damage and repair expenses can be overwhelming and, sometimes, even fatal.

Unlike insurance by itself, proactive security makes successful attacks less likely, starving threat actors of the dollars they’re seeking. Moreover, an organization can leverage proactive security planning to balance security investments and affordable insurance pricing.

Removing financial incentives to mount attacks will be a crucial factor in decreasing the likelihood of future ransomware attacks. Until and unless that happens, proactive security measures would be the only universal solution to protect the world against serious ransomware disruptions.