Given this situation, one would think that cybersecurity insurance would be on the minds of business owners and risk managers. However, according to a recent survey of 405 information technology and cybersecurity decision makers at US and Canadian companies conducted by BlackBerry and Corvus Insurance, cyber insurance is conspicuously lacking.
According to the survey, 55% of respondents had cyber insurance, but only 19% had ransomware coverage limits exceeding the median ransomware demand amount ($600,000). More than one-third (37%) of respondents with cyber insurance did not have cyber insurance coverage for ransomware payment demands, and 43% are not covered for auxiliary costs such as court fees or employee downtime. Only 14% of small and midsized businesses with fewer than 1,500 employees had a cyber insurance coverage limit greater than $600,000.
Furthermore, 28% of respondents stated that they "plan to obtain coverage soon." However, 34% of respondents who tried to obtain this coverage were denied due to their inability to meet the carriers’ endpoint detection and response eligibility requirements.
"The cyber underground is increasingly sharing learnings and collaborating to make threats as efficient as possible," Shishir Singh, BlackBerry executive vice president and chief technology officer for cybersecurity, said. "This potentially puts uninsured and under-insured organizations in grave danger. Businesses must strengthen their security posture in the face of these threats by supplementing insurance with a prevention-first software approach that reduces their overall risk."
The issue of cyber insurance has become so pressing that the United States Government Accountability Office (GAO) recommended in June that the Departments of Homeland Security (DHS) and Treasury determine whether a federal "backstop" was required for cyber insurance policies that offered protection against attacks on critical infrastructure. This backstop would be similar to the government's crop failure insurance programs, and it would fill a void left by the absence of an active private sector market for this type of coverage.
"Although federal agencies do not have a comprehensive inventory of cybersecurity incidents, several key federal and industry sources show (1) an increase in most types of cyberattacks across the United States — including those affecting critical infrastructure, and (2) significant and increasing costs for cyberattacks," according to the GAO report, which also stated that "future cyber incidents could result in systemic risks for the United States."
Because Congress has yet to take the lead on this issue, the GAO stated that it would be incumbent on the Executive Branch departments to provide "federal assistance (that) would help ensure that any response balanced and appropriately safeguarded public and private interests." Neither DHS nor the Treasury has publicly responded to the GAO report's recommendations as of yet.