The world of cyber insurance is in a state of flux. The reason: ransomware creates huge financial impacts, and how it will change insurance in the future is unclear. The insurance industry is struggling to develop cyber liability insurance offerings. Meanwhile, history is proving to be a poor guide to what comes next.

Welcome to the new normal — where nothing in the cyber insurance business is normal.

How Cyber Insurance Became a Risky Business

The U.S. Government Accountability Office (GAO) published a report on May 20 on the rapid recent change in the insurance industry resulting from recent catastrophic ransomware attacks. These changes paint a picture of unsettling flux in the market, including:

  • The percentage of insurance clients opting for cyber coverage rose, from roughly one-quarter (26%) in 2016 to about one-half (47%) in 2020.
  • Insurance prices rose between 10% and 30% in just the latter part of 2020.
  • Insurance companies are lowering coverage limits for some industries, such as health care and education.
  • Insurers are spinning cyber coverage out as a separate policy rather than bundling that coverage with broader coverage.
  • Insurance coverage is also hampered by a lack of broadly accepted definitions, according to the GAO report. Terms like ‘cyberterrorism’ remain ambiguous. Even the definition of ‘ransomware’ is less exact than it should be. This leads to potential misunderstandings between insurance companies and their policyholders.

The GAO concluded that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain”.

Welcome to the World of Ransomware as a Service

“When the going gets weird, the weird turn pro.” And Hunter S. Thompson was right about that.

Ransomware-as-a-service gangs now operate the way legitimate businesses do. They offer thought leadership blogs, tech support, statements of ‘principles’ and other fig leaves for their criminal actions. And they tend to reside in countries beyond the reach of the law in the countries where their victims reside.

The state-of-the-art in ransomware attacks — the best case for the criminals, the worst case for the victims — goes something like this:

  1. A ransomware gang, or criminals using ransomware as a service, breaches an insurance company and exfiltrates their customer records.
  2. They target the insurance company’s customers. In particular, they seek companies with vulnerabilities they can exploit as well as companies with the most valuable data.
  3. Attackers exfiltrate sensitive company data, then encrypt it in place so the company cannot access it.
  4. They demand a ransom to decrypt. Should the company have good backups and a solid recovery plan, they execute plan B: demand a ransom to not release the data. (Some 77% of ransomware attacks in the first quarter of 2021 were based on threats to release data, rather than encrypt it, according to a Bitdefender report.)
  5. Typically, insurance company negotiators try to minimize the ransom. The attackers try to maximize it and will start releasing company data to pressure the company to pay up quickly.
  6. Once a company has been attacked and squeezed for every penny, the ransomware gangs launch a ransomware attack on the insurance company itself.

Effects on the Insurance Industry

This idea of breaking into the insurance companies themselves was confirmed in an interview conducted by Recorded Future with an alleged member of the REvil ransomware-as-a-service group. They said that not only do they try to attack organizations with ransomware-specific insurance coverage, but they also prefer to break into an insurance company first and then attack their customers (presumably with knowledge of their policies). Only then do they attack the insurance company.

Ransomware criminals have become efficient and ruthless professionals. Ransomware attacks worldwide increased an incredible 485% in 2020 over the previous year, according to Bitdefender. Ransomware has increased by 239% since 2018, according to one report. And payments have tripled in the past two years. In recent months it has not been uncommon for ransomware payments to measure in the hundreds of thousands of dollars — or even in millions of dollars.

The cybersecurity firm Emsisoft estimates that in 2020 more than 100 U.S. federal, state and municipal agencies, over 500 health care organizations and around 1,680 educational institutions were struck by ransomware attacks, as well as many thousands of businesses.

Ransomware attacks accounted for 41% of all filed cyber insurance claims in the first half of 2020, according to a report by Coalition. The French insurance company AXA recently announced that they would no longer insure against ransomware attacks. (An attacker hit AXA with a ransomware attack one week later.)

What’s Next?

And that is where we are. Insurance companies are wondering if they should still provide cyber insurance; businesses are wondering if cyber insurance makes them a target.

The most likely outcome is that cyber insurance that covers ransomware attacks will become far more expensive and come with strings attached. Companies will need to demonstrate very strong security systems, practices and policies as a precondition for getting insurance.
