The world of cyber insurance is in a state of flux. The reason: ransomware creates huge financial impacts. And how it will change insurance in the future is unclear. The insurance industry is struggling to develop cyber liability insurance offerings. Meanwhile, history is proving to be a poor guide to what comes next.
Welcome to the new normal — where nothing in the cyber insurance business is normal.
How Cyber Insurance Became a Risky Business
The U.S. Government Accountability Office (GAO) published a report on May 20 on the rapid recent change in the insurance industry resulting from recent catastrophic ransomware attacks. These changes paint a picture of unsettling flux in the market, including:
- The percentage of insurance clients opting for cyber coverage rose. Compare roughly one-quarter (26%) in 2016 to one-half (47%) in 2020.
- Insurance prices rose between 10% and 30% in just the latter part of 2020.
- Insurance companies are lowering coverage limits for some industries, such as health care and education.
- Insurers are spinning cyber coverage out as a separate policy rather than bundling that coverage with broader coverage.
- Insurance coverage is also hampered by a lack of broadly accepted definitions, according to the GAO report. Terms like ‘cyberterrorism’ remain ambiguous. Even the definition of ‘ransomware’ is less exact than it should be. This leads to potential misunderstandings between insurance companies and their policyholders.
The GAO concluded that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain”.
Welcome to the World of Ransomware as a Service
“When the going gets weird, the weird turn pro.” And Hunter S. Thompson was right about that.
Ransomware-as-a-service gangs are now running as honest businesses do. They offer thought leadership blogs, tech support, statements of ‘principles’ and other figleaves for their criminal actions. And they tend to reside in countries beyond the reach of the law where their victims reside.
The state-of-the-art in ransomware attacks — the best case for the criminals, the worst case for the victims — goes something like this:
- A ransomware gang, or criminals using ransomware as a service, breaches an insurance company and exfiltrates their customer records.
- They target the insurance company’s customers. In particular, they seek companies with vulnerabilities they can exploit as well as companies with the most valuable data.
- Attackers exfiltrate sensitive company data, then encrypt it in place so the company cannot access it.
- They demand a ransom to decrypt. Should the company have good backups and a solid recovery plan, they execute plan B: demand a ransom to not release the data. (Some 77% of ransomware attacks in the first quarter of 2021 were based on threats to release data, rather than encrypt it, according to a Bitdefender report.)
- Typically, insurance company negotiators try to minimize the ransom. The attackers try to maximize it and will start releasing company data to pressure the company to pay up quickly.
- Once a company has been attacked and squeezed for every penny, the ransomware gangs launch a ransomware attack on the insurance company itself.
Effects on the Insurance Industry
This idea of breaking into the insurance companies themselves was confirmed in an interview conducted by Recorded Future with an alleged member of the REvil ransomware-as-a-service group. They said that not only do they try to attack organizations with ransomware-specific insurance coverage, but they also prefer to break into an insurance company first and then attack their customers (presumably with knowledge of their policies). Only then do they attack the insurance company.
Ransomware criminals have become efficient and ruthless professionals. Global recent ransomware attacks increased an incredible 485% in 2020 over the previous year, according to Bitdefender. Ransomware has increased by 239% since 2018, according to one report. And payments have tripled in the past two years. It’s not uncommon in recent months for ransomware payments to measure in the hundreds of thousands of dollars — or even in millions of dollars.
The cybersecurity firm Emsisoft estimates that in 2020 more than 100 U.S. federal, state and municipal agencies, over 500 health care organizations and around 1,680 educational institutions were struck by ransomware attacks, as well as many thousands of businesses.
Ransomware attacks accounted for 41% of all filed cyber insurance claims in the first half of 2020, according to a report by Coalition. The French insurance company AXA recently announced that they would no longer insure against ransomware attacks. (An attacker hit AXA with a ransomware attack one week later.)
What’s Next?
And there’s where we are. Insurance companies are wondering if they should still provide cyber insurance; businesses are wondering if cyber insurance makes them a target.
The most likely outcome is that the cost of cyber insurance that covers ransomware attacks will become far more expensive and come with strings attached. Companies will need to demonstrate very strong security systems, practices and policies as a precondition for getting insurance.