Cyber Insurance & Threats — 4 Lessons Learned

Download Ebook


If anything, the last few years have been about preparing for everything. This includes cyber threats, which have risen sharply in the pandemic era1. Nearly four out of five organizations surveyed cybersecurity insurance coverage (up from 34 percent in 2011) to protect themselves from these threats. Here are four lessons learned about threats and cyber insurance in the last few years, to help your organization make informed, cost-effective decisions moving forward.

The FBI cites $3.5 billlion in cyber crime losses reported in 2019

Nearly four out of five organizations surveyed cyber insurance coverage to protect themselves from threats.2


Unavoidable outcome of widespread cyber insurance coverages

It’s unavoidable, as more organizations add cyber insurance coverage, cybercriminals are going to be interested and look for ways to take advantage. Cybercriminals may assume that, if a company they attack is insured, the claim will get paid. Investigators are even seeing scenarios where criminals are compromising companies, obtaining their insurance coverage information as part of their surveying, and then aligning their ransomware terms to the policy details so their demands result in the victim organizations being reimbursed. In doing so, criminals reason this increases the probability of payment, since the victim knows the insurer will ultimately pay for the ransom.

It is up to the client, not the carrier, to ultimately decide if they will pay the ransom. Brian Thornton, CEO of ProWriters, shared that they “have seen a recent reduction in ransom payments — possibly due to companies having better segmentation and backups and not needing to pay the ransom to restore operations. Also, as more cyber criminals are being added to the OFAC list, that would not allow a company or insurer to pay a ransom.”

The goal is to protect all data in your environment, but it is important to put extra emphasis on protecting your cyber insurance policy information.

Learn More

Read about ransomware attacks in our whitepaper: Stop the Spread of Ransomware

Beating ransomware to the “tipping point” helps keep risk (and ideally premiums) manageable

Of course, organizations have layered security controls, but cybersecurity insurance equations focus on what happens when these are inevitably defeated or bypassed. How would you spot an intrusion, and regain the upper hand against laterally moving malware stealing, wiping or ransoming files? The alternative is an attacker making it to the crown jewels of the most sensitive data and software handling the most sensitive crossroads of access control, credentials and system administration. When the latter are compromised, incidents can rapidly cascade out of control putting victims in the uncomfortable position of having to contemplate paying ransoms or moving forward without irreplaceable data.

99% of large scale ransomware events spread through domain controllers

No two organizations are the same, but our experience shows that domain controllers are the crucial high ground to defend and hold.3 Your domain controller acts as the enterprise gatekeeper for security authentication requests to allow network/user account access. In our research, we’ve found that 99 percent of large-scale ransomware events spread through domain controllers. Given this, it clearly makes good business sense to invest in the continuous monitoring, penetration testing and vulnerability scanning of the domain controller environment to thwart these attacks. Such initiatives can lessen the impact of ransomware incidents, reducing risk and improving overall cybersecurity posture.

Learn More

Read about domain controller compromises and the best ways to protect your environment in our whitepaper: The Domain Controller…An Achilles Heel

It’s critical to know exactly what’s covered

In two high-profile lawsuits contesting denial of coverage over the 2017 NotPetya attacks, pharmaceutical giant Merck is seeking $1.3 billion from multiple insurers and multinational food company Mondelez International claims it is owed $100 million from its providers. In both disputes, the insurance providers cite “war and terrorism” exclusions4 to deny the claims under their property policy. Brian emphasizes knowing exactly what is covered and what is not under a policy, “should a company like this have a stand-alone cyber tower, this type of event should be able to be covered, which also places an importance on the brokers and carriers that you work with”.

Fortunately, we’re seeing insurers more often opting to pay out instead of denying claims. But there are plenty of gray areas. For example, if a state actor launches a hack or if an incident appears that way, does that purported linkage constitute an “act of war?”

Enterprise security and risk leaders must completely understand where threats are likely to come from, and make sure the ensuing potential losses are included in policies. Thoroughly understanding cybersecurity coverage and having policies to cover different scenarios is critical to ensure exclusions don’t preclude an event from being covered.

  • $18 billion

    in losses from 100 largest cyber incidents in last 5 years (Cyentia5)

Enlisting a cybersecurity partner is an overlooked step crucial for helping companies both buy the right coverage and providing the fact base for claims

Partnering with cybersecurity experts that provide digital forensics and incident response (DFIR) services can help you swiftly contain incidents and conclusively restore systems after an attack. By engaging with a DFIRprovider in advance of a breach, the provider’s team will be familiar with your  organization and have an understanding of your network in the event of a cyber incident.

There is also the option of enlisting a managed detection and response (MDR) provider to reduce the likelihood of a breach. Advanced MDR providers monitor networks 24/7, find suspicious activity, and launch effective mitigation measures if an incident occurs. This decreases dwell time, the number of  days, weeks, or even months that a threat can hide within a network and compromise data.

With both types of cybersecurity partnerships in place, companies can both reduce incidents and  demonstrate to insurance providers that they are taking responsible steps to pursue comprehensive defense strategies. In turn, these companies greatly lower their risk profiles, which can ultimately help in reducing premiums. If a compromise occurs, the insurance provider will be more likely to cover the incident based on the necessary precautions that the company has taken. Additionally, the cybersecurity  partner will serve as a trusted representative, working with the insurance provider to accelerate the recovery process. This leads to far better results than  starting from scratch in the heat of a breach, which is critical.

  • 2020 saw a 56-day median dwell time.

About Pondurance

Pondurance delivers world-class managed detection and response services to industries facing today’s most pressing and dynamic cybersecurity challenges including ransomware, complex compliance requirements and digital transformation accelerated by a distributed workforce.

By combining our advanced platform with our experienced team of analysts we continuously hunt, investigate, validate and contain threats so your own team can focus on what matters most.

Pondurance experts include seasoned security operations analysts, digital forensics and incident response professionals and compliance and security strategists who provide always-on services to customers seeking broader visibility, faster response and containment and more unified risk management for their organizations.