Businesses seek cybersecurity insurance to mitigate ransomware-related losses, but cyber insurance may not be a panacea. Insurers can deny a claim if companies fail to take steps to ensure they have adequate defenses in place.
Cyber insurance is often insufficient – Telus report
Forty percent of Canadian businesses said they have cybersecurity insurance that covers a ransomware attack, according to a recent study by Telus. The study further indicates that organizations that have experienced attacks in the last 12 months are more likely to have cyber insurance.
Yet the study also found that cyber insurance doesn’t always pay. It notes that eight percent of companies have not received any payment at all, and that nine percent were still awaiting payment. Additionally, although 79% of companies that filed a claim received payment, the coverage of 28% of these companies was fall.
Extract from the study downloadable from www.telus.com/RansomwareStudy. (Registration required)
Fewer insurers offering cyber coverage and coverage harder to get
Cybersecurity coverage may also be harder to obtain for many companies, according to a report featured in Computer World Canada this week. Most, if not all, companies that provide cybersecurity insurance experience losses. Canadian Underwriter reported that in the first eight months of 2021, companies took in $96 million in premiums but received claims for $106 million. Inevitably, losses like this would lead to higher premiums, more scrutiny of claims and, in some cases, refusals to insure businesses perceived to be high risk.
Nearly half of the respondents in a study cited in the Computer World Canada article said cyber insurance policies are now more complex than they were in the past, 37% noted that it takes longer to get coverage, and for those who can get it, it’s more expensive.
The good news is that increased oversight from insurers could force companies to take cybersecurity more seriously. Ninety-seven percent of respondents said they had made improvements to their cyber defenses to improve their cyber insurance posture.
The bad news is that it remains more difficult to find insurers offering cyber cover. Forty percent of respondents said fewer companies offer cyber insurance.
Excerpt from an article by ITWorldCanada
Are companies making it too easy for ransomware attackers?
Despite the increase in ransomware attacks and known costs, a report this week noted that vulnerabilities dating back to 2018 are still being exploited by threat actors. The report comes from cyber intelligence agencies in Canada and its Five Eyes allies.
The report lists the top 15 vulnerabilities used to gain access to IT systems in organizations that have not patched their software.
Of those 15, one dates back to 2018 (CVE-2018-13379), a path traversal vulnerability that affects security appliances running Fortinet’s FortiOS and FortiProxy; one dates back to 2019 (CVE-2019-11510), a vulnerability that allows arbitrary file reading in Pulse Secure’s Pulse Connect Secure VPN; and two date back to 2020 (one is the Zerologon vulnerability for Windows, while the other is for Microsoft Exchange).
Many of the remaining vulnerabilities identified by the report have been known for months. Further, according to the report, “their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.”
Patching is just one of the basic steps to make it harder for ransomware attackers to gain access. The previously cited Telus study contains a comprehensive list of ransomware defenses that should be in place. Failure to follow these basic steps can make it difficult to obtain cybersecurity insurance and could invalidate existing coverage. Companies should read their policies carefully and take all steps necessary to keep their coverage in force.
Excerpt from the article by Computer World Canada