Cyber insurance, retainers provide help after a hit

Aug. 29, 2025
The lure of ransom payments draws criminals; manufacturers must prepare in case they're hacked.

By Karen Hanna  

$550,000. Either pay up, or your machines go down. What’s your move? 

Along with possibly having to navigate ransom discussions with criminals, companies hit by a cyberattack can experience a cascade of problems, from downtime to the anxiety of losing private data and the frantic efforts to recover it. Among the experts who can help them — if they have been previously retained — are outside firms offering contracts for incident response (IR) and cyber insurance.

But, according to cybersecurity experts, those agreements aren’t in lieu of monitoring or a safety plan; they’re available only to make the worst-case scenario a bit more survivable. 

“When you get to the point where you go, ‘There’s nothing more I can do, or I just simply don’t have the money to,’ that’s when you start looking at ways to transfer that risk through cyber insurance or warranties or services that can help you out, or incident-response retainers,” said Christopher Fielder, field CTO at Arctic Wolf, a security operations platform. 

Negotiating with cyberterrorists 

At just above $500,000, initial ransomware demands made of manufacturers are a little less than the median of $600,000 across all industries, according to the “2025 Threat Report,” published by Arctic Wolf.

But even that amount is not a lot, compared to the record set last year by a Fortune 500 company that paid $75 million to get its IT systems back on track so it could resume business. 

In a survey earlier this year of 1,200 IT and security decision makers at companies in the U.S. and abroad, 23 percent of respondents told Arctic Wolf their organization experienced at least one “significant” ransomware attack over a recent 12-month span ending in September. 

Of businesses in about a dozen economic sectors, manufacturing was the most-targeted by ransomware, accounting for 18.6 percent of the scheme’s victims.  

Fielder urged companies to have a retainer, so they can resume business as quickly as possible in the event of an attack. According to the trends report, 88 percent of respondents have a retainer.  

“Have an incident response, an IR retainer. That is somebody that you’re going to put out a little bit of money up front, but you’re going to say, ‘I have somebody that I can call to where, if there is an incident, if I do get hit, if the stuff hits the fan and I need to respond, I have somebody I can call, serious professionals that can come in and help me get out of trouble.’ You know, you wouldn’t fight a fire by yourself. You would call the fire department. You’re not going to fight this. You’re going to call somebody, and they’re going to come in and they’re going to help you get out of trouble,” he said.  

Cleaning up from an attack is not a job for the inexperienced, cautioned Jesse Varsalone, an associate professor of cybersecurity at the University of Maryland Global Campus. 

Nor is it something to handle in-house. 

“Getting a company that knows how to deal with it, and not a rookie team ... would be the first thing to do,” he said. 

Such contracts — including those offered by Arctic Wolf — typically offer access to trained negotiators who can bargain for better terms from ransomware criminals.  

While they have few compunctions about the law, hackers have their own business concerns. According to the Arctic Wolf report, “Most ransomware groups and affiliates model themselves after legitimate businesses; accordingly, they recognize that their success depends in large part upon their reputation. If a threat actor’s actions lead to a reputation of not delivering on their promises — by failing to deliver a decryption key or releasing data after a ransom is paid — then that undermines the entire extortion business model.”

And, during negotiations, they’ve proved they’re willing to play ball.  

In its report, covering a 12-month period ending in September, Arctic Wolf said its negotiators were able to reduce ransom demands by 64 percent, while navigating the legal and other issues that accompany such talks.  

And, compared to the 76 percent of ransomware victims who reported in the company’s survey they’d paid up, only 30 percent of victims covered by Arctic Wolf IR retainers took that route.  

“What’s behind this stark difference?” the report asks. “Lacking visibility into the incidents reflected in the survey, we can’t say for sure. However, we believe it’s fair to say that an organization acting on their own almost certainly lacks the experience to understand all the options available and may succumb to pressure from the perpetrators to act quickly — but calling in a professional IR team can unlock more options.”  

Cybersecurity expert Patrick Curtin said the decision to pay is a painful one. 

He’s worked with a manufacturing company in Minnesota that once made the decision to pay a ransom. At that time, it didn’t have an IR retainer; the experience led it to Field Effect, the cybersecurity-services firm where Curtin is the director of technical sales. 

Sometimes, he said, companies just have no choice. 

“It’s a tough ethical decision because when you are paying a ransom, you are giving criminals money. That’s only making them stronger. So, it’s a terrible position to be in,” Curtin said. “Typically, when people pay the ransom, it’s because they feel they don’t have any other choice, like, ‘They got my backups. I’m completely dead in the water. I can’t rebuild from here. I’m going to pay the $200,000 or the $2 million and hope things work out.’ ”

But Curtin offered a caution: “Paying the ransom doesn’t guarantee that you’re actually going to get things back either. Things go wrong.” 

For the attackers, the payout is a powerful motivator.  

“Cyber criminals are almost universally financially motivated. There have been cases of teenagers doing this stuff for the kicks, notoriety. But normally it’s all about Bitcoin,” he said. 

Damage indemnity 

Cyber insurance represents another option for companies plotting out ways to cope in case of cyber catastrophe. 

For Curtin and Fielder, who both work for firms that offer more far-reaching services, cyber insurance wouldn’t be a first choice.  

Not that insurers are indiscriminately selling plans anymore, anyway. 

“They’ve learned, they got stung. Now, they’re only going to give you cyber insurance if you’ve got a bunch of safeguards in place, including the kind of services we offer,” Curtin said.  

But, for plan owners, cyber insurance can help cushion losses. 

According to the Arctic Wolf survey, 57 percent of ransomware victims reported they had received at least some funds from their insurance provider or another outside entity. 

Given the cost and probability of an attack, Curtin recommended that manufacturers invest in multiple avenues of protection.  

“The insurers have become smarter. It’s harder to get. It’s a good thing to have, but if your choice is investing in defenses or investing in cyber insurance, you’ve got to invest in the defenses first,” he said. 

About the Author

Karen Hanna | Senior Staff Reporter

Senior Staff Reporter Karen Hanna covers injection molding, molds and tooling, processors, workforce and other topics, and writes features including In Other Words and Problem Solved for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. She has more than 15 years of experience in daily and magazine journalism.