A Cyber Insurance Broker Grilling

Insurance exasperating ransomware? An immature sector? Savings instead of insurance? Dan Raywood grills Assured’s head cyber broker, Ed Ventham, about the state of cyber insurance

An increasing number of organisations are asking for ransom payments to be excluded from their cyber insurance cover. This is being witnessed first-hand by Ed Ventham, cyber broker and co-founder at Assured. The dominant reason for this decision is an ethical aversion, which comes, on average, with a 25% reduction of the premium cost.

With this in mind, is it fair to say that the cyber insurance industry is exasperating the ransomware market? This is a claim which is frequently touted. Ed (excuse the first-name term lack of formality, but Ventham seems overly formal!) argues not. Including ransom payments in a policy is a choice. It’s an important fact often overlooked, he says. “Cyber insurance is fundamentally there to protect your organisation against cyber risk and for anything you cannot recover from.”

There’s also the fact that, according to the DCMS Cyber Security Breaches Survey, only 43% of businesses report being insured against cybersecurity risks in some way, a figure consistent with 2021’s number and an increase on 32% in 2020. With these statistics in mind, Ed claims it is “a bit unfair to claim that we [the insurance industry] are paying ransoms left, right and centre given that 57% of businesses have no cyber insurance protection.”

The cost of the ransom itself is only part of the cost of a ransomware attack. According to 2022 research by IBM, the average ransomware cost for those who opted not to pay the ransom payment was £4.14m ($5.12m), while for those who did pay, the average cost was £3.63m ($4.49m). That’s a 13.1% difference.

The clean-up costs from a ransomware attack, including the expense of forensic investigations, downtime and credit monitoring, all contribute to a much greater cost. Let’s take the example of chip company Applied Materials, which calculates the total cost of the ransomware attack that hit its supply chain to be £203m ($250m).

“Most of the insurance payment will be spent cleaning up afterwards,” explains Ed. “Most conversations about cyber insurance start with a potential client saying, ‘we’re worried about ransomware’”.

According to Ed, ransomware is the single most significant cause of cyber insurance payout claims in the cyber market.

Let’s get the facts right

“There needs to be a differentiation between those looking for straight-forward, all-encompassing cybersecurity insurance and those who don’t want to pay a ransom but that care about protection for everything that happens in the remediation.” That is why Assured was founded, explains Ed candidly. “We’re a specialist, we live and breathe cyber, and so we can diligently match organisations with the right policy, which means, of course, one that will actually pay out.”

Ed disputes the common belief that cyber insurance is a young industry, arguing that it has been around for as long as cybersecurity. “People often think it’s young and immature, but it’s as old as the cybersecurity industry,” he corrects.

Despite its surprising longevity, many still fail to consider cyber insurance as one of the layers of cybersecurity’s essential defences. While some add it to the checklist alongside firewalls, anti-malware, intrusion detection and other traditional security layers, some still label it as an added extra or luxury purchase.  Ed recalls a headline from 2019 claiming cyber insurance is no longer a luxury purchase; it is a necessity. “If it were ever considered a luxury, I would absolutely say it isn’t anymore,” he says.

The decision to purchase cyber insurance by no means guarantees securing it. “A business has to reach and demonstrate a certain level of security. The insurance policy protects an organisation if security fails,” he explains.

For ransomware protection, for example, businesses must prove how they secure their email and how privileged accounts are secured. They must also demonstrate that back-ups are put in place and regularly tested, reveal the cadence of patching, and disclose what training is put in place for employees and how many privileged and service accounts they have. “If a business wants to have cyber insurance, they have to meet this threshold,” explains Ed.

“Including ransom payments in a policy is a choice”

Often, the insurer has to take the answers at face value. “They have to have good faith in the transparency of the potential client and trust that they’ll keep to their word. The client has a duty to be honest,” says Ed.

Just keep patching

Ed says most insurers will create a premium based on a point in time, but as with cybersecurity certifications, “you need to maintain it; you cannot just get to a certain level and stop.” He claims there are stipulations for insurers to enforce that security measures are kept, and assessors need to ensure that vulnerabilities are patched and any new threats can be dealt with. “Previously, that was not happening, but now it should be mandatory; it certainly is for us,” he says.

Ed says he has witnessed payment claims where the customer had not patched in time, but as they had a valid reason for why the patch did not happen, the insurance payout was still approved. “People view insurance as just a product, but ultimately, a human will pay the claim. So if you demonstrate good practice despite an error, it comes down to the person believing you did the right thing.”

During the Covid-19 pandemic, the demand for cyber insurance rocketed; not quite at the rate of loo roll and pasta shells, but the increase was nevertheless notable. “Both take-up and premiums increased, mainly down to the immediate move to remote working employees,” recalls Ed. “The world was forced to be digital, and suddenly everyone had to grow up regarding securing their network remotely.”

Piggy bank insurance

Ed contemplates the reality that some “extraordinarily large businesses” don’t feel the need to take out cyber insurance coverage, instead relying on money in the bank to cover a cash loss, believing they do not need the financial support from a policy.

The DCMS Cyber Security Breaches Survey found that 28% of large businesses had a specific cyber insurance policy. At the same time, other respondents reported that any shade of cyber coverage they had was a bolt-on to a wider insurance policy, a strategy Ed does not endorse. He adds that the beauty of an exclusive cyber policy is “the breach response council that comes with the policy. Policyholders can outsource that duty when there is an incident and don’t have to worry about handling the response from within their team.”

Ed anticipates that there will be a continued maturing of the conversation around cyber insurance as businesses get better at understanding their cyber risk. After all, if cyber insurance is reaching a level where businesses see it as not just viable but a desirable option  ̶  and not just cover for a ransomware payment  ̶  then there’s just the matter of achieving a security baseline to contend with. With that box ticked, an organisation can acquire protection and cover as a final backstop in the event of a cyber incident that can not be recovered from.