Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Only 55% of Businesses Have Cyberinsurance

September 14, 2022

CPO Magazine reported on September 7 that a new study from BlackBerry and Corvus Insurance found that there is a chronic shortage of cyberinsurance for businesses. 80% of businesses do not have enough coverage to meet the current median ransomware demands.

The survey included 450 IT and cybersecurity decision makers at firms located in the US and Canada. The average ransomware payment is millions of dollars, and the median cost of investigation and recovery is $2.4 million.

Only 55% of the organizations surveyed have any cyber insurance at all. Of those that are insured, just under 20% have more than $600,000 in coverage; not enough to pay the usual ransomware payment, with nothing to pay for remediation.

Small and medium-sized businesses are severely impacted. They often do not have enough funds to cover premiums – a cyber attack could threaten their survival. Only 14% of small businesses with under 1,500 employees are carrying $600,000 or more in cyberinsurance coverage. 37% of those have no coverage for ransomware payments, and 43% have no coverage for auxiliary remediation costs such as downtime and legal fees.

The study notes that, in addition to increasing costs and tightening of terms and covered events, cyberinsurance companies are increasingly asking customers to meet key security benchmarks. Many cannot meet those requirements, often because they lack the budget to do so. Some businesses do not realize that insurers primarily want to see well-implemented endpoint detection and response (EDR) software. They may not learn about this until they receive a denial of coverage letter. 34% of the survey respondents were denied for just this reason.

If businesses do not have cyberinsurance, how do they expect to pay a ransom or get their systems back in order? The majority (59%) say that they expect the government to bail them out, at least if the attack is linked to a nation-state. The government has rolled out the “StopRansomware.gov” website to centralize recovery resources and more quickly provide crisis assistance to organizations, but recovery assistance funds are limited and depend on qualifying criteria.

The survey comes as Lloyd’s of London recently announced that its network of insurers will no longer cover damages caused by nation-state hacking. This may well spread to other cyberinsurance companies, especially if that move holds up to the court challenges which are sure to come.

This leaves underinsured organizations hoping that the government increases its aid to victims of ransomware. That may not work out well, given economic and budget realities and the likelihood of more victims needing more and more assistance. Gary Davis, senior director of cybersecurity at BlackBerry, expressed serious concern at the number of organizations placing their faith in government aid; BlackBerry’s suggestion is that firms with IT budget problems look to a cybersecurity managed service provider (MSP) that at least meets the minimum standards required by cyberinsurance policies.

John Gunn, CEO of Token, believes it is imperative that organizations carry adequate cyberinsurance even if it is difficult to put into place: “The report underscores the fact that an ‘Ostrich-approach’ is no longer viable in an era of hyper-aggressive ransomware attacks. Every organization, and especially SMBs, are at increasing risk every day. Since most attacks start with compromised user credentials, insurance is the smartest place to start in establishing proper defenses.”

I believe government help is very unlikely to materialize – and that law firms and other companies must budget for better cybersecurity as well as insurance. Good cybersecurity doesn’t have to be ridiculously expensive – there ARE good budget-friendly choices for small firms. If you have a good managed cybersecurity provider, the provider can help you find what you need.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology