The Growing Impact of Cybersecurity Insurance  

How Organizations are Dealing with a Rise of Ransomware Attacks

Daren Brabham | ETR Insights | May 06, 2022

The still-unfolding breach of identity and access management vendor Okta by ransomware hacking group LAPSUS$ punctuates a string of widely publicized attacks in recent years. Studies have found that ransomware attacks are on the rise, with governments and healthcare organizations seeing some of the sharpest increases. The average ransoms have increased as well, up more than 170% from 2019 to 2020. As these attacks increase and ransom amounts grow, many organizations have become more reliant on cybersecurity insurance to safeguard against hackers. Industry observers have tracked an increase in the cost of cybersecurity insurance premiums as insurance providers’ loss ratios continue to increase. Governments around the world are also scrambling to stay ahead of hackers and encouraging businesses to harden their defenses against ransomware.

We have seen the topic of cybersecurity insurance emerge as a prominent theme in our ETR Insights interviews with IT decision makers over the past several months as well. To better understand the cybersecurity insurance landscape and its impact on the enterprise IT market, we pulled together data from a flash survey at a recent security conference, the perspectives of three prominent academic researchers with expertise on the topic, and relevant commentary from IT decision makers in our ETR Insights interview series.

Results from March 30 Flash Survey

The ETR Insights team attended the March 30 FutureCon conference in Baltimore, an information security-focused event. Thirty-eight people – about 30% of conference attendees – completed a flash survey on the topic of cybersecurity insurance during the event. In line with expectations, the majority of participants (N=17) reported an increase in cybersecurity insurance premiums over the past two years, with 14 participants stating they were unsure whether premiums had increased or decreased and seven indicating premiums had stayed the same (see Figure 1).

Most of the participants indicating an increase in insurance premiums said the increases were relatively minor at 25% or less (see Figure 2). This tempers reports from recent industry press coverage that suggests premiums have doubled or more. Compliance and regulations, ransomware, and having remote workers were cited as the three most common factors responsible for an increase in cybersecurity insurance needs (see Figure 3).

Participants reported that cybersecurity insurance providers most often require multifactor authentication (MFA)/identity access and vulnerability management in order to obtain coverage. Endpoint detection response (EDR) and antivirus (A/V) software are also commonly required by insurance providers (see Figure 4).

Finally, there has been some debate in the popular and trade press about whether payouts to hacking groups are fueling a rise in ransomware attacks. So, we asked the conference attendees whether they agreed or disagreed with the statement that “the increase in cyber insurance providers paying out ransom is increasing the overall frequency of attacks.” The majority of respondents (N=21) indicated they agreed with that statement to some degree, with five stating they strongly agreed (see Figure 5).

On the whole, survey participants said cybersecurity insurance premiums had increased modestly in recent years, and most agreed that ransom payouts could be pointed to as a reason for an increase in the frequency of attacks. Their cybersecurity insurance coverage needs have increased due to a number of reasons, the leading factors being compliance and regulation, ransomware, and remote staffing. They reported the most common cybersecurity strategies and tactics required by insurance providers are MFA/identity access and vulnerability management.

Expert Commentary from Prominent Academics

Three senior academic researchers with expertise in cybersecurity provided commentary for this report: Dr. Mingyan Liu, Dr. Jason R. C. Nurse, and Dr. Josephine Wolff. Dr. Liu is a Professor and the Peter and Evelyn Fuss Chair of Electrical and Computer Engineering at the University of Michigan and the author of the book Embracing Risk: Cyber Insurance as an Incentive Mechanism for Cybersecurity (Morgan & Claypool Publishers, 2021). Dr. Nurse is an Associate Professor in Cybersecurity at the University of Kent, a Visiting Academic at the University of Oxford, and co-author of “Cyber Insurance and the Cyber Security Challenge.” Dr. Wolff is an Associate Professor of Cybersecurity Policy in the Fletcher School of Law and Diplomacy at Tufts University and the author of the forthcoming book Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks (MIT Press, 2022). What follows are their responses to interview questions. 

Q: Do you think ransom payouts by insurance providers are encouraging more attacks?

Liu: Ransom payment does in general factor into an attacker’s expectation, so in that sense it could serve as an encouragement for future attacks. However, I am not sure it makes any difference (to the attacker) who pays. Is the insurance provider paying worse than the victim paying? I don’t know if one is better or worse than the other, unless you are saying the insurance providers are more willing to pay and more willing to pay a higher amount. I don’t know if there is evidence of this. Or, is it the case that unless a victim has insurance it is more likely to refuse to pay? Again, I don’t know if there is evidence of this. Short of such evidence I don’t know if there is any difference. In principle, I would argue that insurance providers are actually in a position to behave in a more disciplined fashion than a victim might in dealing with attackers (they are a few steps removed from the data being held hostage), so the involvement of an insurance provider could very well serve as a meaningful deterrent to attackers (i.e., an attacker may prefer to deal with the victim rather than the insurance company); this is especially true if the industry could collectively develop and adopt a set of standards for dealing with such situations.

Nurse: It’s an interesting point, but I think it oversimplifies the problem. We know that some insurers pay out on ransoms, but the reality is that some companies also pay out even if they do not have cyber insurance. It’s the paying of ransoms that arguably results in more ransomware attacks. Placing the blame on insurers may not be the best way to regard the reality of what’s happening now. In many ways, insurers also are the only means by which some companies will be able to continue (regardless of if they pay the ransom), and they provide support for a range of services (e.g., incident response, PR, breach counsel).

Wolff: There’s no doubt that making payments to criminals encourages them to continue carrying out similar crimes both because it reinforces that this is a profitable crime model for them and it directly provides them with the funds needed to develop and distribute more ransomware.

Q: Are insurance providers dictating certain enterprise IT strategies and tools through coverage requirements?

Liu: I believe this is where the industry is headed, but it is a slow process. There are certainly many cybersecurity products and tools that the insurance industry is promoting to their clients, and the utilization of some of these tools is taken into account in determining premiums. But I think this is more concentrated at the high end of the spectrum for very large policies. For the vast majority of policies out there, the insurance providers are playing mostly a passive role.

Nurse: While this is a good proposition, I don’t think the market is there yet. Insurers certainly have some influence on the security controls and technologies that companies implement, but until the market hardens and matures to the extent that (1) there are fewer insurers, and therefore insurers have more power to make demands of clients, and (2) the market penetration for insurance is much higher, I think this will be limited.

Wolff: Yes and no. Insurers are definitely looking at their policyholders’ technologies and strategies and trying to encourage or even require certain behaviors (like MFA, for instance), but there’s still tremendous variation in how carriers do that and there’s no consistent set of best practices or minimum standard requirements that appears to be being implemented in any widespread or significant way.

Q: Will we see more government interventions as attacks increase?

Liu: I don’t see the government intervening in the insurance industry, unless there emerges strong evidence that the way insurance policies are designed or issued is causing more attacks; if this were the case then one would think the industry would respond with changes faster than the government can intervene, as more attacks obviously hurt their profit. I do think in the case of ransomware attacks we could see more collaboration between the insurance provider and law enforcement agencies.

Nurse: The cyber insurance industry is still rapidly changing and adapting. In the UK in particular, we’ve seen a move by Lloyd’s market towards exclusions related to some cyber operations which does demonstrate some further intervention/maturity. The US Senate has also recently passed legislation to force reporting of certain cyber incidents including ransomware; this almost certainly will involve insurers as they look to support organisations in reporting. Regarding policy interventions targeting the insurance industry specifically, I’m not sure what we may see in this space. Of course, the big question is whether any major government will ban insurers from paying ransoms.

Wolff: So far, regulators seem quite wary of intervening in the cyber insurance industry, and the primary regulatory interventions around cyberattacks so far seem to focus on requiring more reporting of such attacks and/or ransom payments.

Q: Will the publicity surrounding the recent Okta hack have an impact on the cybersecurity insurance market?

Liu: We have had a string of such widely publicized breaches over the years, one bigger than the other (starting with Target circa 2013-14, JP Morgan Chase, Equifax, T-Mobile, and so on). I think the industry is accumulating experience, and each incident is an opportunity to refine future policy terms matched with the cybersecurity reality.

Nurse: It’s too early to tell. Currently, there is a lot in the media and every day there’s more information emerging. At the very least this shows the real challenge around data breaches today and the long tail of their impact. The extent to which this breach will impact the insurance market is also to be seen. I do believe that with each new breach, and the various harms and costs associated, companies will begin to look more towards cyber insurance to help cover the first- and third-party costs.

Wolff: I’d be surprised if this had a significant impact on the insurance market, but I suppose that could depend a little on what LAPSUS$ does with the information they’ve stolen.

Cybersecurity Insurance Commentary from ETR Insights Interviews

Since summer of 2021, the topic of cybersecurity insurance has been mentioned several times in our regular ETR Insights interviews and panel discussions, especially with Chief Information Security Officers and IT managers with security oversight in their portfolios. Below are relevant excerpts from six ETR Insights interviews, where these IT leaders discuss rising premiums and attacks, the importance of EDR and access management, and the role remote work plays in cybersecurity insurance coverage.

“There’s an increase overall in cybersecurity specs. That’s driven by a few things. I think one is the increasing number of people that are remote. The other thing, I think, is related to requirements that are being introduced during the course by cyber liability insurance coverage and demanding that specific controls many of us have, or need to have, are in place. …

“Unlike most other insurance that all of us procure – whether that’s property casualty, life insurance, medical insurance – cyber is probably the one instance where actuarial tables haven’t existed before and that help define what the potential losses are, associated with what the cost needs to be to procure the insurance. As a result, some of the claims over the last several years – and specifically as related to ransomware – have been maybe unexpected or greater than anticipated. I think most of my peers have known this has been moving this direction for quite some time. But the cyber liability carriers are requiring now that specific security controls are in place in order to be able to obtain coverage. Most of the controls required are related to basic hygiene. They’re requiring things like: you can patch effectively all of your systems; that you can apply critical patches quickly; that your network is segmented appropriately. When you ask about spend as related to vendors, I think vendors that are associated with some of these critical or core controls are the ones that are very well positioned. …

“I haven’t seen so far any specific vendors identified as being required or preferred by the insurance carriers. They’re so far identifying requirements that must be met. Of course, the requirements can be met in multiple ways: by purchasing a solution from a vendor or by applying mitigating controls. Many of the requirements likely could be met with open source as opposed to a purchase. Different organizations are going to make different decisions. …

“I think the privileged access management – that market that CyberArk plays in – that’s one of the areas of control that fits into that basic security hygiene area. That is something that’s being pushed on by everyone, including the cyber liability providers. I don’t think there’s any getting away from that. Limiting who has access; assuring that there’s multifactor on all of those user accounts; and managing and controlling them. There are other ways to do it, of course, including using jump boxes and such. But the privileged access management is not going away. …

“I’m seeing a lot of the cyber liability asking about EDR. I would argue that that’s partially a marketing term. Some vendors who don’t call themselves EDR meet some of the same requirements as some that do. I think traditional antivirus, where you’re just looking at the signature – those are certainly on the downturn. One of the biggest, I think, and most important things is the ability [to have] that single pane of glass. Having that endpoint solution that’s sending information back to a SIEM – that information correlates with other parts of the security infrastructure, other log events, so that you’re getting data that’s actionable. I think that requirement is one of the primary reasons that we’re seeing a shift there.”

- CISO, Large Healthcare Enterprise | ETR Insights 293 | April 4, 2022

“Cybersecurity is a very important topic, particularly in the last few years. We have seen it both from the technology side as well as from the insurance side – the interest in cybersecurity protection. … We have seen the increase in the information security related premiums, because the scale and scope of cyberattacks has increased, and the impact as well.”

- Head of Infrastructure & Information Security, Large Financial Services Enterprise | ETR Insights 287 | February 7, 2022

“The whole space of privileged access management and controlling that sensitive access is becoming a more pressing issue. Again, in the cyber insurance industry, it’s become almost an essential control. It was always a best practice, but now it’s going to become an essential. That space is definitely going to continue to intensify over the next few years.”

- CISO, Global Hospitality Organization | ETR Insights 286 | February 4, 2022

“Well some of it [our increasing IT spend on security] is driven from a compliance standpoint, that we need to have the right security or else we won't be covered from things like cyber insurance. … [Cybersecurity insurance providers are] almost driving that compliance conversation these days. They want to make sure that they're not taking on anyone that's going to get hacked, so they want to make sure that you've got certain basics in place like multi-factor authentication, like upgraded firewalls, like a secure Web gateway and so on. And if you don't have it then maybe they'll insure you, but maybe the premiums will be higher.”

- Director of IT, Midsize Retail/Consumer Enterprise | ETR Insights 283 | January 27, 2022

“[Due to] the increase in ransomware attacks and the payment of ransoms, the availability of cyber insurance at an affordable price is going down. Basically, if you’re renewing, you’re getting about half the coverage at twice the price. And what that means is probably even more money pumped into cybersecurity programs. Because if you can’t essentially move or transfer the risk to a third party, then you have to improve your security posture. That’s really the only other option, so I think that’s going to drive even more spending in the cybersecurity space over the next couple of years.”

- VP & CISO, Large Tech Enterprise | ETR Insights 277 | November 29, 2021

“One [area we’re trying to improve] is on the endpoint. Since we have quite a lot of work-from-home people, we try to enhance our endpoint security. The endpoint security is not just the traditional antivirus. Recently, we contacted a cybersecurity insurance company. And one of the criteria for them to provide a quote for us is we need to have an EDR within our environment. If we don’t install EDR, they don’t even want to provide a quote. But we don’t have EDR, so that’s the area we need to enhance - improve our endpoint security.”

- Director of IT, Large Industrials Enterprise | ETR Insights 259 | July 27, 2021
