The world of cyber insurance is in a state of flux. The reason: ransomware creates huge financial losses, and how it will reshape insurance in the future is unclear. The insurance industry is struggling to develop cyber liability insurance offerings, and history is proving to be a poor guide to what comes next.

Welcome to the new normal — where nothing in the cyber insurance business is normal.

How Cyber Insurance Became a Risky Business

The U.S. Government Accountability Office (GAO) published a report on May 20 on the rapid change in the insurance industry resulting from recent catastrophic ransomware attacks. These changes paint a picture of unsettling flux in the market, including:

  • The percentage of insurance clients opting for cyber coverage rose from roughly one-quarter (26%) in 2016 to about one-half (47%) in 2020.
  • Insurance prices rose between 10% and 30% in just the latter part of 2020.
  • Insurance companies are lowering coverage limits for some industries, such as health care and education.
  • Insurers are spinning cyber coverage out as a separate policy rather than bundling it with broader coverage.
  • Insurance coverage is also hampered by a lack of broadly accepted definitions, according to the GAO report. Terms like ‘cyberterrorism’ remain ambiguous. Even the definition of ‘ransomware’ is less exact than it should be. This leads to potential misunderstandings between insurance companies and their policyholders.

The GAO concluded that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain”.

Welcome to the World of Ransomware as a Service

“When the going gets weird, the weird turn pro.” And Hunter S. Thompson was right about that.

Ransomware-as-a-service gangs are now run the way legitimate businesses are. They offer thought leadership blogs, tech support, statements of ‘principles’ and other fig leaves for their criminal actions. And they tend to reside in countries beyond the reach of the law enforcement of the countries where their victims reside.

The state-of-the-art in ransomware attacks — the best case for the criminals, the worst case for the victims — goes something like this:

  1. A ransomware gang, or criminals using ransomware as a service, breaches an insurance company and exfiltrates its customer records.
  2. They target the insurance company’s customers. In particular, they seek companies with vulnerabilities they can exploit as well as companies with the most valuable data.
  3. Attackers exfiltrate sensitive company data, then encrypt it in place so the company cannot access it.
  4. They demand a ransom to decrypt. Should the company have good backups and a solid recovery plan, they execute plan B: demand a ransom to not release the data. (Some 77% of ransomware attacks in the first quarter of 2021 were based on threats to release data, rather than encrypt it, according to a Bitdefender report.)
  5. Typically, insurance company negotiators try to minimize the ransom. The attackers try to maximize it and will start releasing company data to pressure the company to pay up quickly.
  6. Once a company has been attacked and squeezed for every penny, the ransomware gangs launch a ransomware attack on the insurance company itself.

Effects on the Insurance Industry

This idea of breaking into the insurance companies themselves was confirmed in an interview conducted by Recorded Future with an alleged member of the REvil ransomware-as-a-service group. They said that not only do they try to attack organizations with ransomware-specific insurance coverage, but they also prefer to break into an insurance company first and then attack their customers (presumably with knowledge of their policies). Only then do they attack the insurance company.

Ransomware criminals have become efficient and ruthless professionals. Global ransomware attacks increased an incredible 485% in 2020 over the previous year, according to Bitdefender. Ransomware has increased by 239% since 2018, according to one report. And payments have tripled in the past two years. In recent months it has not been uncommon for ransomware payments to run to hundreds of thousands of dollars, or even millions.

The cybersecurity firm Emsisoft estimates that in 2020 more than 100 U.S. federal, state and municipal agencies, over 500 health care organizations and around 1,680 educational institutions were struck by ransomware attacks, as well as many thousands of businesses.

Ransomware attacks accounted for 41% of all filed cyber insurance claims in the first half of 2020, according to a report by Coalition. The French insurance company AXA recently announced that they would no longer insure against ransomware attacks. (An attacker hit AXA with a ransomware attack one week later.)

What’s Next?

And that’s where we are. Insurance companies are wondering whether they should still provide cyber insurance; businesses are wondering whether cyber insurance makes them a target.

The most likely outcome is that cyber insurance that covers ransomware attacks will become far more expensive and come with strings attached. Companies will need to demonstrate very strong security systems, practices and policies as a precondition for getting insurance.
