Cyber insurance shapes the future of cybersecurity

As ransomware becomes a more effective revenue generator for criminals, businesses are increasingly turning to cyber insurance for protection. (Pexels)
  • Rising cyber-attack and ransomware effectiveness is boosting demand for cyber insurance, leading to higher premiums and stricter coverage rules for businesses.
  • Business risks have evolved from physical to digital, propelling cyber insurance toward a predicted $84.62 billion industry by 2030 and highlighting the sector's rapid growth.

DUBAI — The threat of cyber-attacks is nothing new, but ransomware has become far more effective at generating revenue than ever before. This shift has pushed businesses toward insurance as a form of protection from the substantial financial impact of these attacks. As demand has surged to unprecedented levels, the market has become highly volatile. Premiums are on the rise, there are stricter rules about what is and isn’t covered, and minimum standards have been introduced for businesses seeking insurance. While this may seem like troubling news for companies, many should ultimately view these developments positively.

Insurance for the Digital World

Cybersecurity is sometimes perceived as a mysterious shadow realm. Yet, the reality is that the physical and digital worlds are far more similar than many realize. Thirty years ago, businesses eager to protect their critical assets would first think of fire and theft insurance. Nowadays, the risks are predominantly digital. According to the Veeam Data Protection Trends Report 2024, three out of four organizations experienced at least one ransomware attack in the past year, with one out of those four being attacked more than four times within that period.

It’s no surprise that cyber insurance has become an increasingly popular choice for many organizations—predicted to grow by 24% to an $84.62 billion industry by 2030. However, as more businesses purchase insurance and file claims, its cost has also steadily increased, with premiums rising for the last three years. This is not the only change insurers have made to keep cyber protection profitable; more thorough risk assessments, the introduction of minimum security standards, and reduced coverage have all become common practices in recent years.

Don’t Feed the Criminals

Cyber insurance has recently become a contentious issue, largely due to the million-dollar question regarding ransomware: to pay or not to pay? While many dispute the idea that insured companies are more likely to pay ransoms, a 2023 report on victims found that 77% of ransoms were paid by insurance. Nevertheless, many insurers are attempting to curb this trend. The same report revealed that for 21% of organizations, ransomware is now explicitly excluded from their policies. Moreover, some have specifically excluded ransom payments from their policies—they’ll cover the cost of downtime and damage but not extortion costs.

In my opinion, this last approach is the most prudent. Paying ransoms isn’t just ethically questionable and a catalyst for further crime; it also fails to solve the immediate problem and often leads to new challenges. First, ransomware gangs often ‘mark’ companies that pay, making them targets for future attacks or sharing this information with other criminals. One study discovered that 80% of businesses that paid a ransom suffered a second attack. Yet, even before considering these repercussions, relying on ransom payments for recovery is fraught with difficulties. Decryption, using keys provided by the attackers, typically takes a long time, a delay that some groups exploit by charging additional fees to expedite the process. Furthermore, one in five businesses that pay a ransom remains unable to recover their data.

Raising Standards

Thankfully, the practice of paying ransoms through insurance is gradually declining. But this isn’t the only evolving aspect. Companies seeking cyber insurance are now often required to meet minimum security and ransomware resilience standards. These include using encrypted and immutable backups and adhering to best-practice data protection principles, such as the principle of least privilege (granting access only to those who need it) or the four-eyes principle (requiring significant changes or requests to be approved by two individuals). Additionally, some policies mandate that businesses have comprehensive plans to ensure system availability, encompassing well-defined disaster recovery processes to mitigate downtime in the event of a ransomware attack. After all, the longer a system is down, the greater the cost of downtime and, consequently, the higher the insurance claim.

Enterprises should already have robust data protection and recovery processes in place. Relying solely on insurance, alongside weak data protection and recovery processes, means insurance payouts merely mask underlying issues. The introduction of minimum standards represents positive news for businesses. Not only is it likely to drive down premium costs in the long term, but the security principles these standards enforce will prove more beneficial to businesses than the insurance itself initially seemed. Cyber insurance is not a panacea but can serve as a valuable component of a broader cyber resilience strategy. Both are advantageous to have, but given the choice between one or the other, resilience should be the priority every time. Fortunately, insurers concur, as businesses lacking protection are becoming too risky to insure.

This is the rationale behind Veeam’s recent launch of its Cyber Secure Program. While the program includes financial protection of up to $5 million for data recovery expenses, more importantly, it encompasses seven-phase onboarding support to ensure adherence to best practices and the deployment of solutions that meet the highest security standards. Coupled with a 24-hour ransomware recovery SWAT team to ensure efficient response and recovery, businesses are highly unlikely to need financial insurance. However, it remains available for peace of mind.

Cyber insurance, especially concerning ransomware, is evolving towards a scenario in which insured businesses exhibit strong cyber resilience, have well-defined disaster recovery plans, and rely on insurance merely to mitigate the impact of attacks and the costs associated with downtime while they recover through immutable backups. This future scenario presents a landscape far more resilient to ransomware than one in which businesses attempt to solve their problems with insurance money.

Edwin Weijdema is Field CTO & Lead Cybersecurity Technologist at Veeam.

The opinions expressed are those of the author and may not reflect the editorial policy or an official position held by TRENDS.
