The Cyber Insurance Gap: What Is It, and How Can We Close It?
It’s a potentially perilous situation for many companies: While the costs of suffering a targeted cyberattack or breach continue to climb, their ability to insure themselves against a possible cyber disaster dwindles. A new study by BlackBerry and Corvus Insurance confirms a “cyber insurance gap” is growing, with a majority of businesses in North America either uninsured or underinsured against a rising tide of ransomware attacks and other cyber threats.
As part of the study, BlackBerry and Corvus polled 450 IT and cybersecurity decision makers at businesses across the U.S. and Canada. The results reveal an alarming lack of coverage — along with potential causes — and suggest potential measures to help close the gap.
Clearly, something must be done.
A recent Forrester report estimated that a typical data breach would cost the average organization $2.4 million for investigation and recovery. However, only 55% of survey respondents currently have cyber insurance — and less than 20% have coverage in excess of $600,000, which was the median ransomware demand amount in 2021. This places many businesses in a precarious position – the cybersecurity equivalent of “operating without a net.” The situation is particularly acute for uninsured small and mid-sized businesses (SMBs), who must weigh the soaring costs of cyber insurance premiums against the very real risk of being unable to recover from a successful attack.
Cyber Insurance and Ransomware Attacks
One of the biggest concerns revealed by the research involves ransomware. The study found the following:
And the insurance gap relating to ransomware attacks extends beyond these numbers. More than one-third (37%) of respondents with cyber insurance do not have any coverage for ransomware payment demands, while 43% of those with a policy are not covered for auxiliary costs such as court fees or employee downtime.
Perhaps these factors explain why half of SMB respondents say they are hoping their governments will offer financial assistance to organizations hit by ransomware attacks. This risk is also driving 28% of the IT and cybersecurity decision-makers surveyed to say they "intend to acquire coverage shortly.”
Cyber Insurance and Business Risk
A growing number of cybersecurity and business leaders recognize that cyber risk is business risk. The survey by BlackBerry and Corvus also revealed how cyber insurance, or a lack of it, impacts business practices:
- Three in five respondents (60%) say they would reconsider entering into a partnership or agreement with another business or supplier if the organization did not have comprehensive cyber insurance.
- More than two-thirds (68%) of IT decision-makers are likely to reassess a partner or supplier agreement because of their cybersecurity practices.
Along with these supply chain concerns, the new research reveals that cybersecurity practices, including successful technology implementation, are closely linked to an organization’s ability to keep cyber insurance — or get it in the first place.
EDR Requirements and Cyber Insurance
If you’ve looked for cyber insurance coverage recently — or talked with a peer about it — you probably know cyber insurance premiums are rising quickly, and policies are also becoming more prescriptive. Often, they require your organization to demonstrate key security benchmarks in order to qualify for coverage, or to increase the amount of coverage on an existing policy.
It turns out that well-implemented endpoint detection and response (EDR) software is frequently a key component to obtaining a policy. A significant number of those in the survey learned this “the hard way.”
- 34% of respondents have been previously denied cyber coverage by insurance providers due to not meeting EDR eligibility requirements.
Vincent Weafer, CTO at Corvus Insurance, explains why so many cyber insurance carriers use EDR as a key metric in cyber insurance evaluations.
“Though it might sound counter-intuitive, continuing to adhere to software requirements is one of the best ways to fight the ransomware industry. In our portfolio alone, we’ve seen a 50% reduction in the ratio of ransom demands that end up being paid,” Weafer says. “Better software adoption is a critical element in better positioning organizations to stand up to attackers.”
Shishir Singh, BlackBerry executive vice president and CTO of cybersecurity, points out one of the reasons this requirement is so crucial.
“The cyber underground is increasingly sharing learnings and partnering to make threats as efficient as possible” Singh says, “For uninsured and under-insured organizations, this potentially puts them in extreme jeopardy.”
“It’s vital that businesses strengthen their security posture against these threats by supplementing insurance with a prevention-first software approach that lowers their overall risk.”
Interestingly, the new survey found significant synergy between EDR solutions and cyber insurance. Those with existing cybersecurity insurance were notably more satisfied with the value of their EDR software, and are more confident in its ability to protect their organization.
This is evidence that the cyber insurance gap can be closed, and in so doing, help you increase the security posture of your organization.
Additional details and findings of the study by BlackBerry and Corvus will be on the BlackBerry Blog in the coming weeks.
What should organizations look for in an EDR solution? Consider one that leverages advanced AI, is cloud-enabled, and can be part of a 24x7 service manned by experienced cyber professionals. This can help to cost-effectively augment your team in a world where cyber threats arrive around the clock.
CylanceGUARD® is a managed XDR service that includes CylanceOPTICS® endpoint detection and response (EDR) that works in conjunction with CylancePROTECT®, the BlackBerry® AI-driven endpoint protection platform (EPP).
Research Methodology
BlackBerry commissioned TEAM LEWIS Research to run an online survey of 450 business decision makers for IT / security solutions in the United States and Canada. The fieldwork took place between July 15 and July 22, 2022.