The surprising added value of cyber insurance

March 6, 2024

Cybercrime is nothing new under the sun. Just think of ransomware, which is now much more effective at generating profits than ever before. Many companies therefore took out insurance to protect themselves against the major financial consequences, which increased demand to unprecedented levels and made the industry very volatile. Premiums are rising, there are more rules about what is and isn’t insured, and minimum standards for companies that want to insure themselves. Bad news for companies? These developments are actually positive.

Insurance for the digital world

Sometimes people think that cybersecurity is something mysterious. In reality, our physical and digital worlds are much more alike than we assume. Thirty years ago, businesses protected their critical assets primarily with fire and theft insurance. Today their risks are largely digital. According to the 2024 Veeam Data Protection Trends Report, three out of four organizations experienced at least one ransomware attack last year, and one in four was attacked more than four times.

It is therefore not surprising that more and more companies are taking out cyber insurance. The sector is expected to grow by 24% to an industry value of more than $84 billion by 2030. As more companies buy policies and file claims, both claims costs and premiums have risen steadily over the past three years. Insurers naturally want to keep cyber cover profitable. That is why they now carry out comprehensive risk assessments, impose minimum security standards and offer lower levels of cover.

Don’t reward criminals

Cyber insurance is a hotly debated topic, and the million-dollar question is: to pay or not to pay? While many claim that insured companies are less likely to pay ransoms, a 2023 report shows that 77% of ransoms were paid by insurance companies, something insurers are increasingly trying to avoid. The same report shows that 21% of insurers now specifically exclude ransomware from their policies. Others specifically exclude ransom payments: they cover the costs of downtime and damage, but not the cost of the extortion itself.

In my opinion the latter approach is the best. Paying a ransom is not a good idea, and it is certainly not what insurance is intended for. Ethically it is irresponsible, it fuels crime and, above all, it does not solve the problem but creates new ones. Ransomware gangs flag companies that pay so they know they can strike again, or they share that information with other gangs. Research confirms that 80% of companies that paid a ransom were hit a second time. But even before that happens, recovery after paying rarely goes smoothly. Recovering with the decryption keys provided by the attackers takes a long time, an additional ransom is often demanded for each key, and even then you can only hope the decryption works: one in five companies fails to recover its data even after paying.

Raise the bar

Fortunately, ransom payments from insurance funds are slowly disappearing. In the meantime even more has changed. Companies looking to purchase cyber insurance increasingly need to meet minimum security and ransomware resilience requirements. These can be met by using encrypted and immutable backups and by implementing proven data protection principles such as Least Privilege (granting access only to those who need it) and Four Eyes (requiring that important changes or requests be approved by two people). Some policies also require that organizations have solid plans in place to ensure system availability, including clearly defined recovery processes that limit downtime after a ransomware attack. The longer an environment is out of service, the higher the cost of downtime and therefore the cost of the insurance.
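The three controls named above (immutable backups, Least Privilege and Four Eyes) are easy to state and easy to get subtly wrong. The following is an added example, not code from the article or from Veeam, that models them as an approval gate in front of destructive backup operations. Everything in it is assumed for illustration: the role name `backup-admin`, the action names, the principals and the backup identifiers are constructed fixtures. It shows the two mistakes a naive Four Eyes check usually makes (letting the requester approve their own request, and counting the same approver twice) and makes the retention lock override approvals entirely, so no number of signatures can delete a backup that is still immutable.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Operations that reduce the ability to recover and therefore get the full
# treatment: least privilege on who may ask, immutability on the target, and
# four-eyes approval before execution. Names are hypothetical.
DESTRUCTIVE_ACTIONS = {"delete_backup", "shorten_retention", "disable_immutability"}
REQUIRED_APPROVALS = 2          # "four eyes": two distinct people, neither the requester
ADMIN_ROLE = "backup-admin"     # hypothetical role name


class ApprovalError(Exception):
    """A request or approval that violates one of the controls."""


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Backup:
    backup_id: str
    immutable_until: datetime   # retention lock; nothing destructive before this


@dataclass
class ChangeRequest:
    action: str
    backup: Backup
    requester: Principal
    approvers: list = field(default_factory=list)


def submit(action: str, backup: Backup, requester: Principal, now: datetime) -> ChangeRequest:
    """Open a destructive change request, or refuse it outright."""
    if action not in DESTRUCTIVE_ACTIONS:
        raise ApprovalError(f"unknown action {action!r}")
    if ADMIN_ROLE not in requester.roles:           # least privilege: only admins may ask
        raise ApprovalError(f"{requester.name} may not request {action}")
    if now < backup.immutable_until:                # immutability beats any number of approvals
        raise ApprovalError(f"{backup.backup_id} is locked until {backup.immutable_until:%Y-%m-%d}")
    return ChangeRequest(action, backup, requester)


def approve(req: ChangeRequest, approver: Principal) -> ChangeRequest:
    """Record one approval; self-approval and duplicate approvals are refused."""
    if ADMIN_ROLE not in approver.roles:
        raise ApprovalError(f"{approver.name} may not approve")
    if approver.name == req.requester.name:
        raise ApprovalError("requester cannot approve their own request")
    if any(a.name == approver.name for a in req.approvers):
        raise ApprovalError(f"{approver.name} already approved")
    req.approvers.append(approver)
    return req


def is_executable(req: ChangeRequest) -> bool:
    """Four eyes satisfied only when two distinct non-requester admins approved."""
    return len(req.approvers) >= REQUIRED_APPROVALS


def rejected(fn, *args) -> bool:
    """True if the control refused the call (used by the scenario below)."""
    try:
        fn(*args)
    except ApprovalError:
        return True
    return False


# Constructed fixtures (not real people, backups or dates).
NOW = datetime(2024, 3, 6, tzinfo=timezone.utc)
ALICE = Principal("alice", frozenset({ADMIN_ROLE}))
BOB = Principal("bob", frozenset({ADMIN_ROLE}))
CAROL = Principal("carol", frozenset({ADMIN_ROLE}))
DAVE = Principal("dave", frozenset({"helpdesk"}))
LOCKED = Backup("bk-2024-03-01", NOW + timedelta(days=30))
EXPIRED = Backup("bk-2023-12-01", NOW - timedelta(days=1))


def run_scenario() -> dict:
    """Walk a delete request through every control; returns what each one did."""
    req = submit("delete_backup", EXPIRED, ALICE, NOW)
    approve(req, BOB)
    result = {
        "helpdesk_blocked": rejected(submit, "delete_backup", EXPIRED, DAVE, NOW),
        "locked_blocked": rejected(submit, "delete_backup", LOCKED, ALICE, NOW),
        "self_approval_blocked": rejected(approve, req, ALICE),
        "duplicate_blocked": rejected(approve, req, BOB),
        "one_approval_enough": is_executable(req),
    }
    approve(req, CAROL)
    result["two_approvals_enough"] = is_executable(req)
    return result


if __name__ == "__main__":
    for control, outcome in run_scenario().items():
        print(f"{control:24} {outcome}")
```

The ordering in `submit` is deliberate: the immutability check sits before any approval logic, so an attacker who has compromised two admin accounts still cannot shorten retention on a locked backup. A real deployment would enforce the lock in the storage layer (object lock or a hardened repository) rather than in application code, but the decision order is the same.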

Companies have to sort this out anyway. If there are no adequate data protection and recovery processes behind the insurance, a payout merely papers over the gap. The introduction of minimum standards is therefore good news for companies: it reduces premium costs in the long term, and the prescribed security principles turn out to be worth more to the company than initially thought.

Cyber insurance is not a panacea, but a useful part of a broader cyber resilience strategy. It’s good to have both. If you can only have one, choose resilience. Insurers are happy to agree with that, because companies without protection are not profitable for them.

The best-prepared companies with cyber insurance have also built strong cyber resilience. They have a solid disaster recovery plan and use insurance only to limit the impact of an attack and the cost of downtime while they recover from immutable backups.

These companies are much more resilient to ransomware than companies that pour insurance money into the problem.

This is a post by Edwin Weijdema, Field CTO and Lead Cybersecurity Technologist at Veeam.

Source: IT Daily
