The world of cyber insurance is in a state of flux. The reason: ransomware creates huge financial impacts, and how it will change insurance in the future is unclear. The insurance industry is struggling to develop cyber liability insurance offerings, and history is proving to be a poor guide to what comes next.

Welcome to the new normal — where nothing in the cyber insurance business is normal.

How Cyber Insurance Became a Risky Business

The U.S. Government Accountability Office (GAO) published a report on May 20 on the rapid change in the insurance industry resulting from recent catastrophic ransomware attacks. These changes paint a picture of unsettling flux in the market, including:

  • The percentage of insurance clients opting for cyber coverage rose, from roughly one-quarter (26%) in 2016 to roughly one-half (47%) in 2020.
  • Insurance prices rose between 10% and 30% in just the latter part of 2020.
  • Insurance companies are lowering coverage limits for some industries, such as health care and education.
  • Insurers are spinning cyber coverage out as a separate policy rather than bundling it with broader coverage.
  • Coverage is also hampered by a lack of broadly accepted definitions, according to the GAO report. Terms like ‘cyberterrorism’ remain ambiguous, and even the definition of ‘ransomware’ is less exact than it should be. This leads to potential misunderstandings between insurance companies and their policyholders about what a policy actually covers.

The GAO concluded that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain”.

Welcome to the World of Ransomware as a Service

“When the going gets weird, the weird turn pro.” And Hunter S. Thompson was right about that.

Ransomware-as-a-service gangs now run themselves the way legitimate businesses do. They offer thought leadership blogs, tech support, statements of ‘principles’ and other fig leaves for their criminal actions. And they tend to operate from countries beyond the reach of law enforcement in the countries where their victims reside.

The state-of-the-art in ransomware attacks — the best case for the criminals, the worst case for the victims — goes something like this:

  1. A ransomware gang, or criminals using ransomware as a service, breaches an insurance company and exfiltrates its customer records.
  2. They target the insurance company’s customers. In particular, they seek companies with vulnerabilities they can exploit as well as companies with the most valuable data.
  3. Attackers exfiltrate sensitive company data, then encrypt it in place so the company cannot access it.
  4. They demand a ransom to decrypt. Should the company have good backups and a solid recovery plan, they execute plan B: demand a ransom to not release the data. (Some 77% of ransomware attacks in the first quarter of 2021 involved threats to release data, rather than encryption alone, according to a Bitdefender report.)
  5. Typically, insurance company negotiators try to minimize the ransom. The attackers try to maximize it, and will start releasing company data to pressure the company to pay up quickly.
  6. Once a company has been attacked and squeezed for every penny, the ransomware gang launches a ransomware attack on the insurance company itself.

Effects on the Insurance Industry

This idea of breaking into the insurance companies themselves was corroborated in an interview conducted by Recorded Future with an alleged member of the REvil ransomware-as-a-service group. The interviewee said that not only do they try to attack organizations with ransomware-specific insurance coverage, but they also prefer to break into an insurance company first and then attack its customers (presumably with knowledge of their policies, including coverage limits). Only then do they attack the insurance company.

Ransomware criminals have become efficient and ruthless professionals. Ransomware attacks worldwide increased 485% in 2020 over the previous year, according to Bitdefender. Ransomware has increased by 239% since 2018, according to one report. And payments have tripled in the past two years. In recent months it has not been uncommon for ransomware payments to measure in the hundreds of thousands of dollars, or even in millions of dollars.

The cybersecurity firm Emsisoft estimates that in 2020 more than 100 U.S. federal, state and municipal agencies, over 500 health care organizations and around 1,680 educational institutions were struck by ransomware attacks, as well as many thousands of businesses.

Ransomware attacks accounted for 41% of all filed cyber insurance claims in the first half of 2020, according to a report by Coalition. The French insurance company AXA recently announced that it would no longer reimburse ransom payments. (An attacker hit AXA with a ransomware attack one week later.)

What’s Next?

And that’s where we are. Insurance companies are wondering if they should still provide cyber insurance; businesses are wondering if cyber insurance makes them a target.

The most likely outcome is that cyber insurance that covers ransomware attacks will become far more expensive and come with strings attached. Companies will need to demonstrate very strong security systems, practices and policies as a precondition for getting insurance. In practice that means the controls underwriters already ask about in their questionnaires, such as multi-factor authentication on remote access, offline or immutable backups that are regularly tested, and endpoint detection and response across the fleet.
