The threat from ransomware attacks has grown exponentially, exposing major flaws in our cybersecurity infrastructure and readiness while plaguing businesses of all kinds, especially data-rich companies. A few of the publicized attacks include the $11M payout by meat packer JBS and the $4.4M payout by Colonial Pipeline, both paid in cryptocurrency.
However, the attacks have now been spreading to critical infrastructure providers like hospitals, schools, transportation, food, groceries, utilities, and local governments, where sustained disruption could cripple public services. Earlier in 2019, criminals hobbled 22 Texas municipalities by hacking into a managed services provider, but the threat of large-scale disruption to the public is very real and cannot be ignored.
The frequency of ransomware attacks increased by 400% last year, with one happening every 14 seconds, while losses skyrocketed to $30B per FBI estimates. Interestingly, even as 40% of companies paid the ransom, 80% of them ended up getting hit again, proving that ransomware is not a one-time problem for victims but requires ongoing fortification of cyber-defenses and ongoing management of risk.
Cyber-insurance, which often covers ransomware and the costs of restoration, is a relatively new product line within Insurance and has been modest in scale globally. Even in the US, despite several years of growth, only 33% of companies purchase dedicated cyber insurance policies.
Cyber-insurance is sometimes blamed for the rise in ransomware by analysts and policymakers. Payment of ransoms by Insurance companies does raise the potential for “moral hazard”, as with many other insurance products, since policyholders/victims might adopt a complacent attitude to cyber risks and vulnerabilities, while Insurers might consider paying the ransom cheaper than the full costs of investigation, discovery, remediation, and restoration. Paying ransoms also incentivizes cyber criminals to hack Insurer databases to find targets with higher policy limits.
Cyber insurance payouts covered $30B of losses in 2020 and came to 70% of aggregate premiums, which is near the threshold where the insurance industry will be unprofitable on cyber coverage unless it increases premiums. As expected, cyber premiums have rapidly climbed, reflecting higher losses due to the frequency and severity of the attacks, jumping by 30-40% month-on-month at the beginning of the year in the US/Canada per reports from major brokerages, as carriers adjusted risks and payouts vs. premiums collected.
There are many reasons for the rise in ransomware; we touch on a few major points here:
The rise in ransomware attacks is aided by cybersecurity failures at companies, where hackers exploit potential vulnerabilities and weaknesses in the technology infrastructure and network security. In general, many companies across industries are dealing with newer ‘digital supply chains and technology infrastructure’ that are not hardened against cyber threats, so they are often not well prepared to handle the increased sophistication of these attacks.
Ransomware attacks themselves have become lucrative, with a recent one being as high as $50M. Attackers are resorting to double-extortion tactics: stealing sensitive (sometimes customer) data before encrypting it, then threatening to expose the information on the dark web if victims refuse to pay up, often in cryptocurrency. Although victims have been encouraged by federal and state authorities to report attacks and not pay the ransom, companies often choose to pay to prevent data losses and the cost of large-scale disruption. For example, the hack at Colonial Pipeline shut down the 5500-mile pipeline for 6 days, causing massive gasoline outages and pushing prices to 6-year highs, since Colonial provides 45% of gasoline on the East Coast.
From an insurance standpoint, paying a ransom claim is often more appealing to Insurers than having to cover all the costs that come with restoring compromised systems, business disruption and downtime, and the lost business that companies suffer. There is a lack of regulatory clarity in this area, since the position of Governments across the world has been ambiguous at best.
Systematic hacking into insurer databases is aiding ransomware attacks. Insurer databases provide criminals with information on their customer base and policy limits that enables them to launch targeted attacks. AXA Thailand, CNA Financial, Gallagher, and Chubb have all been targeted in the past. In addition, in AXA’s case, hackers made off with 3TB of data including personal and medical records.
The emergence of hacking affiliate groups and the increased sophistication of these attacks is another reason. There are specialized groups that lease ransomware-as-a-service to cyber criminals, who then share the proceeds with these groups. REvil is one such well-publicized group that has been providing ransomware as a service since 2019.
State-backed attackers from various parts of the world, especially Eastern Europe, see ransomware as an opportunity to make quick money and disrupt operations and critical infrastructure at select targets.
Cybersecurity and ransomware are relatively new, emerging risk categories that do not have mature actuarial models to price risk in an environment that’s fluid and fast evolving. Insurers and victims are reluctant to disclose breaches due to reputational damage and competitive advantage, which adds to the problem of insufficient data to model risk.
Insurers are trying to determine appropriate levels of coverage while making upward adjustments on pricing often due to the increasing frequency and severity of the attacks. Despite the uncertainty over pricing, many carriers are embracing cyber products since it is an emerging and growing product line in an industry where many lines (like personal P&C) are expected to shrink and get commoditized.
Cyber insurance is normally structured as a tower, where each portion of the risk may be underwritten by different groups. Beyond the initial hit above the client’s excess, conditions for the primary layer insurance have been getting tighter.
Insurers are grappling with fundamental questions and uncertainty around measuring risk, establishing limits on liability, modeling risk, managing overall exposures, and adjusting to an emerging situation where attacks are rising exponentially. Due to the volume of attacks, Insurers and companies can be easily overwhelmed, so ransomware needs a coordinated response from multiple stakeholders. Insurance industry bodies, regulators and the government should review policies on ransomware to ensure a collective and unified response, not just one from individual carriers.
This is the time for Insurers, government agencies, interested public organizations and international bodies to come together and start rapidly collaborating to collect, analyze, and disseminate data on cyber security, incidents, and responses. Insurers are a vital link in the chain and part of the solution for managing cyber risks. They are neither the root cause of the problem, nor can they address the problem completely without all stakeholders coming together and providing a coordinated response.
There is growing acknowledgement that cybersecurity problems are big and, in some cases, potentially uninsurable. It is possible that Governments need to find a way to provide security and cover the risk, which at times could be too large for the insurance industry itself, thereby providing a financial backstop. There is room for some private-public partnerships between the government and Industry consortia to potentially find ways to manage, limit and prevent risks.
About the author
Saurav Basu is the Founder of Exavalu, an award-winning, fast-growing Digital Advisory and Technology Solutions Consulting firm that’s helping enterprise clients navigate challenges and leverage opportunities caused by Digital disruption. Saurav has a professional background of over 25 years of progressive experience in advising client executive/leadership teams, leading complex business transformation efforts and managing global consulting organizations delivering impact across a number of industries. He is a thought leader, value creator and organization builder.