Insuring and getting warranty against ransomware?

Cyber insurance can pay ransoms to hackers who lock company data and networks, or it can help offset the cost of responding to data breaches. However, the huge rise in cybercrime has caught both customers and insurers off-guard, making the existing arrangements outdated.

The damages from ransomware and cleanup costs have escalated in recent years: for ex. Mondelez reported a USD 100 million cleanup bill, while for FedEx and Merck, the costs were USD 400 million and USD 670 million.

As a result, the the cyber insurance market has reacted with both a rise in premiums and less less flexibility from insurers in terms of offerings. Premium prices on average rose more than 34% in the fourth quarter of 2021, and some businesses have been seeing increases as a high as 200%, according to an article from WSJ.

However, it appears the second half of 2022 has finally seen some slowdown in premium increases, as insurers get better at evaluating risks and developing new methodologies to assess risks. For example, EDR/XDR technology on endpoints is now becoming an essential requirement for cyber insurance.

As the market matures, coverage against cybercrime will probably become more affordable, but the now stringent requirements will remain, motivating at least some organizations to implement better security practices.

Furthermore, other offerings beyond insurance are appearing on the market: for example, some EDR and MDR (Managed Detection and Response) vendors are now starting to offer bundled breach protection warranty to cover for response expenses.

Although one certainly needs to carefully read the fine print in all the clauses, market-based insurance and warranty schemes are putting the right incentives for more secure organizational IT systems - that's at least one good news from all the ransomware pain inflicted upon companies.