Recently researchers at Zscaler claimed that a ransomware gang received $75 million, reportedly the largest ransom payment made by a cyberattack victim since records began. An undisclosed Fortune 50 company paid this record-breaking figure to the Dark Angels ransomware group. This payment almost doubles the previous record of $40 million, which was paid in 2021 by insurance giant CNA Financial after the company was locked out of its network by cybercriminals using Phoenix Locker ransomware.
The question for any company is: what would you pay, and what does it cost to defend yourself? It’s important to look at the data to assess the cost of a cybersecurity breach. Recent numbers from Security Intelligence indicate that “For 13 consecutive years, the United States has held the title for the highest average data breach cost. In 2013, the average total organizational cost of a breach in the U.S. was $5.4 million. But in 2023, the total per breach in the U.S. swelled to $9.48 million, a whopping 75.5% increase. The Middle East was in second place with a cost per breach of $8.07 million. In third place, Canada had a cost of $5.13 million per breach.”
The numbers show that for the last 13 years the healthcare industry has held the top spot for the cost of a data breach. According to Security Intelligence, recent estimates show that healthcare organizations spent $10.93 million per breach on average. For most of the reporting periods, financial and pharmaceuticals have held second and third place in the cost per industry.
Cybersecurity breaches are astronomically expensive, but the other key issue is the recovery time after an attack. Mitnick Security reports that, “According to IBM, it takes, on average, 277 days to identify and contain a data breach. Regardless, the results are devastating. In fact, for every hour of downtime, companies will suffer $100,000, on average.”
Reinforcing cybersecurity defenses and ensuring an adequate, well-trained professional workforce is a first line of defense, but in anticipation of the escalating trend of increased cyberattacks, many companies are buying cybersecurity insurance policies in the hopes of avoiding huge ransomware payments. What is the cost of these policies and what kind of coverage do they provide? According to Travasecurity, cyber insurance is meant to provide organizations with financial security against the adverse effects that a cyberattack may cause. Insurance might cover direct financial loss from a security breach and the services necessary to recover, like recovery of stolen data, lost income if business is halted, and other possible associated fines and fees.
Cyber insurance comes in many different forms from many different companies; many enterprises believe it is a worthy investment because the costs of a potential breach are so high. There is cyber insurance for individuals, which typically focuses on protection against identity theft. There is also cyber insurance for small businesses and enterprises, which includes first-party coverage, third-party coverage, or both. First-party insurance provides compensation directly to the insured individual or business. Third-party coverage is liability protection for another party when the insured person or business is liable for damages. Third-party coverage can cover compensation to another party as well as the cost of lawsuits and other legal fees.
Covered costs can be significant, including anything from notification systems for affected customers to forensic services for data recovery. Policies also might cover court costs and other legal fees, like claims and settlements for liability. Finally, cyber insurance can cover customer reparations, including public relations services, customer notification systems, and even credit monitoring for the affected customers. So, having these costs covered is a major cyber insurance benefit.
According to some estimates, cyber insurance for small to mid-sized companies can be fairly inexpensive, ranging anywhere from $250–$5,000 a year, for $250,000 and up coverage per occurrence. Of course, the details are critical and things like deductibles and the difference between what is and what is not covered in cyber liability insurance will depend on the company and the policy. As with any insurance it pays to shop and check reviews and reputation.
The cost of cyber-insurance premiums typically lags behind changes in the threat landscape. In 2020 and 2021, according to a January 2024 article in Dark Reading, ransomware and other disruptive attacks surged, leading to significant costs for the insurance industry. When attacks went up in frequency, premium fees rose in cost, more than doubling year-over-year by the fourth quarter of 2021, according to risk management consultancy Marsh. Throughout 2022 and 2023, however, rate increases slowed and even declined in the second and third quarters of 2023, according to the latest quarterly Global Insurance Market Index report. "Improvements in cybersecurity controls have led to a higher proportion of insureds not paying ransoms, [even though] they may still incur breach response expenses and business income losses to which cyber policies respond," Marsh stated in the report.
Despite its growing pains, the cyber-insurance industry continues to expand, with the value of Direct Written Premiums (DWPs) growing to $5.1 billion in 2023, an increase of 62% year-over-year, according to FitchRatings. While all insurers have tightened up their policies — clarifying the hostile/warlike act exclusions, for example — competition to satisfy businesses' risk needs has only grown, resulting in a softening of prices for coverage, says Shawn Ram, head of insurance for cyber-insurance firm Coalition.
For large enterprises, cyber insurance is widely seen as the cost of doing business while cyber-insurance underwriting for smaller companies continues to be an area of potential growth. In 2022, the total dollar value of cyber-insurance premiums — including both standalone and packaged policies — surged to $7.2 billion, according to risk-rating agency A. M. Best, which noted that the number of direct premiums for cyber-insurance had tripled in three years.
According to a recent July 2024 report in Dark Reading, the market pendulum has swung in the other direction, meaning prices for insurance are actually falling. Much of the decline is the result of a more competitive marketplace; in the last two years, more insurance companies have started to offer coverage for cybersecurity incidents such as ransomware attacks and data breaches. According to a new report from London-based Howden Insurance, the lower rates are also partly tied to better cyber hygiene overall among a growing number of insured organizations.
According to a report by Munich Re, the cyber insurance market is maturing, even as a significant proportion of cyber risks remain uninsured. Their report highlights the increasing demand for cyber insurance, driven by the rapid advancement of technology such as artificial intelligence and cloud technology, and the growing dependence on IT, IoT, and digital services across global industries. Despite these industry developments, 87% of global decision makers believe their companies are not adequately protected against cyberattacks, indicating a gap in the level of protection offered by the insurance industry, per the report.
The past year has, in fact, seen a surge in cyberattacks, with annual ransom crypto payments doubling to $1.1 billion in 2023 from $567 million in 2022. The manufacturing sector was the most susceptible to ransomware attacks, with 67% of respondents in this sector facing such attacks. Business and professional services, retail and health care all followed with 61% of each sector facing ransomware attacks.
Looking ahead, Munich Re predicts that artificial intelligence will shape the threat landscape in 2024 and beyond. AI is expected to automate and personalize cyberattacks, making them cheaper and faster to distribute. However, AI will also augment the efforts of cyber defenders, improving detection and response capabilities.
The global cyber insurance market, currently worth $14 billion, is expected to double to $29 billion by 2027, due in part to the escalating frequency of cyber-attacks. The cyber insurance market has nearly tripled in size over the past five years, largely due to the commitment of reinsurers and the emerging interest from capital markets in cyber risks. Despite this, only a fraction of the risks has been insured so far. Large corporations still account for the majority of premiums, while small and medium-sized enterprises (SMEs) largely bear their cyber risks independently.
How can businesses or organizations lower their cyber risk? A 2023 article from Forbes, referencing information from the Ponemon Institute, indicates that cybersecurity risk can be reduced from 60% to as low as 10% with a good training program.
The article cites five specific steps companies or organizations can take to improve their individual situations. First, there must be “buy-in” at the top; in other words, everyone at the executive level should understand and agree that cybersecurity risk is not just an IT problem. Second, the threat landscape for the company must be adequately assessed and all risks known and named. Third, you need to get a sense of your employees’ risk. What percentage of your employees click on phishing emails or other malicious links? Have you had a business email compromise attack and wired money to the wrong bank? Do you have an insider threat problem? Fourth, you need to view your employees as your first line of defense. The attackers, the criminal gangs, and APT groups are the problem; your employees need to be engaged as part of your defense. Fifth, there must be investment in a good cybersecurity training program. Your cybersecurity training program should adapt to the evolving threats to your environment. It should have continuous learning built in and adapt to your staff as they learn more and progress. Your staff should be able to see the progress they have made, so they know they are improving.
At CYRIN we know that training is critical to establishing and maintaining best practices when it comes to cybersecurity. Training, or the lack of it, will have consequences. Government, education, industry: all parties to the situation can become part of the solution.
We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface.
For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.
In an increasingly digitized world, training, and especially experiential training, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits.
The best time to plan and prepare is before the attack. Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!