Exclusive first look at Coalition’s new cyber claims dataGet the 2024 Cyber Claims Report
Cyber Incident? Get Help

Underwriting ransomware: Our unique approach and what it means for our customers

Featured Image for Underwriting ransomware: Our unique approach and what it means for our customers

In the early days, when the cyber insurance market was relatively new, it experienced years of rapid expansion and relatively low losses. But towards the end of 2019, the industry experienced an increase in the frequency and severity of cyber claims which continued into 2020. This led to increased underwriting scrutiny and increased premiums. The main culprit? Ransomware attacks. Shawn Ram, Head of Insurance at Coalition, explained it best in his most recent article about the hardening cyber insurance market.

“While the threats of business email compromise, social engineering, and funds transfer fraud are still very much present, the cyber insurance community agrees that the hardening of the market is primarily being driven by ransomware attacks,” he wrote. “Hackers are getting more specific about who they target, the amount of the ransom they hope to collect, the complexity of the attacks, and the sophisticated ransomware variants they use to execute them.”

Despite changing market conditions, Coalition has experienced lower claims frequency and loss ratio compared to other carriers. Why is that? Our innovative approach to underwriting, which has helped us navigate and succeed despite the current state of the market.

Our unique approach to underwriting risk

Frost & Sullivan recently awarded Coalition the 2021 North American Technology Innovation Leadership Award for cyber insurance. Our differentiated underwriting capabilities and unique risk management offerings have established us as an industry leader in the cyber insurance market. Until recently, most carriers covered ransomware and covered it at full limits. Now that ransomware attacks are frequent and more severe, some carriers have started applying coinsurance and sublimits on a widespread basis.

We’ve chosen not to do that. We take an intelligence-driven approach to underwriting companies based on their specific exposures and the technologies they use — such as RDP, VDI, ConnectWise, Kaseya, Webroot, Exchange, and many more. We look for the use of riskier remote connection technologies and unpatched vulnerabilities that we know attackers are targeting. We also look for other signs of compromise that are visible on the parts of the customer’s network exposed to the internet or communicating with compromised hosts.

We also encourage clients to adopt tools and practices to mitigate the possibility or severity of ransomware attacks. Here are a few things to consider.

Have robust backups in place:

  • Perform regular backups of critical data and software, preferably that are disconnected and inaccessible from your primary network

  • Test restoring from backups regularly

  • Restoring your network from uninfected backups is often the fastest and least expensive way to restore your operations after a ransomware attack.  By keeping disconnected backups and testing them regularly, you greatly improve the chances that this approach will work if you are attacked. Use MFA and keep complete logs:

  • Use Multi-factor Authentication (MFA) for VPN and other remote connections to your network (e.g. by Managed Service Providers and other vendors). Also consider using the usually free MFA options available in email systems like Office 365 and GSuite — see this article for more details. Many attackers' initial access to networks comes from stolen log-on credentials. This can involve direct access to critical network components. It can also be done by moving across the network, or sending malicious attachments or links from trusted senders, after gaining access to one or more email accounts. Requiring MFA will reduce the chances that such attacks can succeed.

  • Maintain inbound and outbound firewall configurations that include retaining logs for at least 60 days. Having complete logs will allow us to more quickly diagnose what led to the compromise and remediate an attack should it occur.

We underwrite differently. We underwrite based on our detailed assessment of an applicant’s technology, as opposed to a cookie-cutter requirement that certain industries or company sizes fall into requiring coinsurance or sublimits.

We also have practices in-house that play to our strengths: detecting remote access, email security, and employee training.

We help organizations overcome ransomware

Ransomware is a global epidemic and one of the most dangerous security threats facing organizations large and small. Ransomware attacks are often devastating and have the potential to inflict serious operational and financial harm to an organization, including total interruption of computer systems and permanent loss of data. Let’s go over a ransomware incident faced by a real Coalition policyholder

Real-world ransomware claim example

An IT professional at a large manufacturing company booted up their computer one morning when they noticed a series of mass file changes on their network — a clear sign of a ransomware attack. Due to the attack, all production was at a standstill. Our client contacted Coalition, we brought in counsel, and counsel reached out to Coalition’s CIR (Claims Incident Response) team. Within 90 minutes, we were discussing the steps we needed to take next to diagnose, eradicate the threat, remediate the systems, and get their business up and running again.

We deployed an endpoint detection and response (EDR) tool, preserved all data we could, changed all passwords, and got a copy of the ransomware note: a request for $2,000,000.

We discovered a fairly new ransomware variant that had high ransom demands and in all cases, the malicious actor threatened to publish stolen data if they were not paid. Even though they were across the country from Coalition’s offices, we had a remote employee nearby who lived just 40 minutes from their main office. We got them on-site quickly to physically assess the machines and take a forensic image.

We worked tirelessly over a 5-day period to image various systems, move them to a new, clean network, give legal advice, provide security recommendations going forward, and work with counsel to negotiate the ransom.

While they did end up paying the ransom, we got it down from $2 million to $200,000. That’s a difference of $1.8 million dollars — an amount that could cripple any business.

Our additional support and services

The value of our coverage is more than just a ransom payment. We also offer tools and services to help you from the beginning of a suspected incident all the way until your organization is back up and running again. While we are successful at pricing risk and underwriting ransomware, there are other ways we support our policyholders before, during, and after an incident.

  • Proactive support: We provide leading endpoint detection and response (EDR) software solutions to prevent ransomware.

  • Malware notifications: If we detect that an insured's machines are being targeted by malware threats, we proactively notify them to get ahead of a potential attack.

  • Swift response: We have a hands-on in-house team of experts to help negotiate ransom payments and respond immediately to support rebuilding crucial systems.

Protect yourself from ransomware with Coalition

I’m proud of the underwriting process we’ve built at Coalition. We’re a technology-enabled insurance company specifically created to protect and insure businesses against cyber risk. Our proactive approach works. Coalition policyholders experience half as many claims as the market average — fewer claims mean more businesses safe from cyber threats.

If you take cyber risk seriously and want to follow simple steps to better protect your organization from malicious actors, download the 2021 Coalition Cybersecurity Guide.