A recent article in the Financial Times highlighted the continued emergence of ransomware and the targeting of large financial institutions, an issue illustrated by the devastating attack on Travelex and the growth of cyber insurance as a mitigation measure for companies.
Large insurers point to the significant increase in the sums attackers are demanding and dispute the claim that having cyber insurance to cover such incidents makes companies more of a target.
Lost in the discussion over ransomware and cyber insurance is one of the most pressing issues—the growing gap between the cost of the operational disruption caused by the attack and the cyber insurance coverage. Regardless of the size of the ransomware demand, the overall severity and duration of the financial impact result not from the demand, but rather from the disruption itself. Cases such as Norsk Hydro and Pitney Bowes have clearly demonstrated how costly these disruptions can be to the balance sheet.
While management teams increasingly claim that insurance will cover “most” of the cost of a successful ransomware attack, data increasingly illustrates a growing gap. Norsk Hydro reported approximately $19 million in cyber insurance compensation in 2019, while it incurred $71 million in damages after its March 2019 cyberattack. This is in the context of what the company described as “robust” cyber insurance coverage. This doesn’t begin to address the value losses that mount in the aftermath of such attacks. Mondelez underperformed by 10 percent in the year following its NotPetya breach, equivalent to $6.8 billion.
Partially to blame for this gap is one key ingredient that is missing in the cyber insurance market—the ability to accurately price cyber risk the way insurance companies price other insured risks. Until accurate risk pricing is adopted by the market, the gap will become more prevalent and affect more impacted companies.