Ransomware epidemic for Insurers – Reasons & Response Strategy

The threat from ransomware attacks has grown exponentially, exposing major flaws in our cybersecurity infrastructure and readiness while plaguing businesses of all kinds, especially data-rich companies. A few of the publicized attacks include the $11M payout by meat packer JBS and the $4.4M paid by Colonial Pipeline, both paid in cryptocurrency.

The attacks have also been spreading to critical infrastructure providers such as hospitals, schools, transportation, food, groceries, utilities, and local governments, where sustained disruption could cripple public services. In 2019, criminals hobbled 22 Texas municipalities by hacking into a managed services provider; the threat of large-scale disruption to the public is very real and cannot be ignored.

Extent of the Problem?

The frequency of ransomware attacks increased by 400% last year, with one happening every 14 seconds, while losses skyrocketed to $30B per FBI estimates. Interestingly, even though 40% of companies paid the ransom, 80% of them ended up getting hit again, proving that ransomware is not a one-time problem for victims but requires ongoing fortification of cyber defenses and ongoing management of risk.

Cyber insurance, which often covers ransomware and the costs of restoration, is a relatively new product line within insurance and has been modest in scale globally. Even in the US, despite several years of growth, only 33% of companies purchase dedicated cyber insurance policies.

Cyber insurance is sometimes blamed by analysts and policymakers for the rise in ransomware. Ransom payments by insurance companies do raise the potential for “moral hazard”, as with many other insurance products: policyholders/victims might adopt a complacent attitude toward cyber risks and vulnerabilities, while insurers might consider paying the ransom cheaper than the full costs of investigation, discovery, remediation, and restoration. Paying ransoms also incentivizes cyber criminals to hack insurer databases to find targets with higher policy limits.

Cyber insurance payouts covered $30B of losses in 2020, amounting to 70% of aggregate premiums, which is near the threshold at which the insurance industry becomes unprofitable on cyber coverage unless premiums are increased. As expected, cyber premiums have climbed rapidly to reflect higher losses from the frequency and severity of attacks, jumping by 30-40% month-on-month at the beginning of the year in the US/Canada per reports from major brokerages, as carriers adjusted risks and payouts against premiums collected.

What are the Reasons for the rise in Ransomware?

There are many reasons for the rise in ransomware; we touch on a few major points here:

Aided by Cybersecurity Failures

The rise in ransomware attacks is aided by cybersecurity failures at companies, where hackers exploit vulnerabilities and weaknesses in the technology infrastructure and network security. In general, many companies across industries are dealing with newer ‘digital supply chains and technology infrastructure’ that are not hardened against cyber threats, so they are often not well prepared to handle the increased sophistication of these attacks.

Insurers see more profit in paying a ransom claim than in restoring compromised systems

Ransomware attacks themselves have become lucrative, with a recent demand being as high as $50M. Attackers are resorting to double-extortion tactics: stealing sensitive (sometimes customer) data before encrypting it and threatening to expose the information on the dark web if victims refuse to pay up, often in cryptocurrency. Although federal and state authorities have encouraged victims to report attacks and not pay ransom, companies often choose to pay to prevent data losses and the cost of large-scale disruption. For example, the hack at Colonial Pipeline shut down the 5500-mile pipeline for 6 days, causing massive gasoline outages and pushing prices to 6-year highs, since Colonial provides 45% of the gasoline on the East Coast.

Source: Guidewire

From an insurance standpoint, paying a ransom claim is often more appealing to insurers than having to cover all the costs that come with restoring compromised systems, business disruption and downtime, and the lost business that companies suffer. There is a lack of regulatory clarity in this area, since the position of governments across the world has been ambiguous at best.

Systematic hacking of Insurer databases

Systematic hacking into insurer databases is aiding ransomware attacks. Insurer databases provide criminals with information on the customer base and policy limits that enables them to launch targeted attacks. AXA Thailand, CNA Financial, Gallagher, and Chubb have all been targeted in the past. In AXA’s case, hackers made off with 3TB of data, including personal and medical records.

Emergence of Specialized hacking affiliate groups

The emergence of hacking affiliate groups and the increased sophistication of these attacks is another reason. Specialized groups lease ransomware-as-a-service to cyber criminals, who then share the proceeds with these groups. REvil is one such well-publicized group that has been providing ransomware as a service since 2019.

Another factor is state-backed attackers from various parts of the world, especially Eastern Europe, who see ransomware as an opportunity to make quick money and to disrupt operations and critical infrastructure at select targets.

So how should Insurers respond?

Cybersecurity and ransomware are relatively new, emerging risk categories that lack mature actuarial models to price risk in an environment that is fluid and fast evolving. Insurers and victims are reluctant to disclose breaches because of reputational damage and competitive considerations, which adds to the problem of insufficient data for modeling risk.

Insurers are trying to determine appropriate levels of coverage while adjusting pricing upward, largely because of the increasing frequency and severity of attacks. Despite the uncertainty over pricing, many carriers are embracing cyber products, since it is an emerging and growing product line in an industry where many lines (such as personal P&C) are expected to shrink and become commoditized.

Cyber insurance is normally structured as a tower, where each portion of the risk may be underwritten by a different group. Beyond the initial hit above the client’s excess, conditions for the primary layer of insurance have been getting tighter.

The following are areas that Insurance carriers can review to respond effectively to ransomware related risks:
  • Insurers can conduct due diligence on the state of cybersecurity and resilience at their customers. As part of the underwriting process, many carriers are now partnering with cybersecurity firms to assess companies’ security protocols, leveraging cybersecurity tools to ensure adequate controls are in place. This is a big improvement over the past, when many carriers simply asked clients to fill out detailed questionnaires on their cybersecurity practices. Hybrid insurers like Resilience and Corvus are probing cyber defenses themselves, actively engaging with clients as cyber threats occur, and making continual recommendations as new threats emerge and best practices evolve. Carriers, and potentially customers, are also tying up with companies like Coveware that offer first-responder services during an active attack, including negotiation, settlement, and restoration.
  • Insurance carriers can build more awareness amongst business owners and help make cybersecurity and risk of ransomware attacks a top priority for their customers’ management to handle this risk.
  • Insurers could carefully review their policies to incentivize better cyber risk management by tightening the conditions under which ransoms are paid, or by reviewing their products’ limits and coverages. Examples include restricting exposure by limiting new business, capping coverage limits, or introducing conditions such as limiting extortion reimbursement to no more than 50% of total coverage. Higher limits could be made available only to clients that demonstrate strong cybersecurity controls. Insurers could introduce a deductible or cut coverages; AIG, for example, is putting coinsurance in place. There is historical precedent in insurance where product simplification and lower limits and coverages have reduced fraud and the proliferation of bad actors.
  • Insurers can work collaboratively with regulators, who have been voicing disapproval of ransom payments. For example, AXA France suspended ransomware coverage while continuing to pay for restoration, legal protection, and operating losses. In the US, the Treasury has warned against ransomware payments to federally sanctioned entities, but the identity of the attackers is sometimes unknown while payments are being negotiated, which makes the process difficult. For now, cyber insurers are resisting calls to halt reimbursements completely, since that can be expensive for their clients and for the industry. Even though the process is difficult and the collaborative structures and processes are still emerging, cybersecurity threats are now global, sophisticated, relentless, pervasive, and interrelated, so they need a holistic response and collaboration with regulators and state agencies to be dealt with effectively.


Case for Collective & Coordinated Response?

Insurers are grappling with fundamental questions and uncertainty around measuring risk, establishing limits on liability, modeling risk, managing overall exposures, and adjusting to an emerging situation where attacks are rising exponentially. Because of the volume of attacks, insurers and companies can easily be overwhelmed, so ransomware needs a coordinated response from multiple stakeholders. Insurance industry bodies, regulators, and the government should review policies on ransomware to ensure a collective and unified response rather than leaving it to individual carriers.

This is the time for insurers, government agencies, interested public organizations, and international bodies to come together and rapidly begin collaborating to collect, analyze, and disseminate data on cybersecurity, incidents, and responses. Insurers are a vital link in the chain and part of the solution for managing cyber risks; they are neither the root cause of the problem nor able to address it completely without all stakeholders coming together and providing a coordinated response.

The Bottomline

There is growing acknowledgement that cybersecurity problems are big and, in some cases, potentially uninsurable. Governments may need to find a way to provide security and cover risk that at times is too large for the insurance industry itself, thereby providing a financial backstop. There is potentially room for public-private partnerships between government and industry consortia to find ways to manage, limit, and prevent these risks.

About the author

Saurav Basu is the Founder of Exavalu, an award-winning, fast-growing Digital Advisory and Technology Solutions Consulting firm that’s helping enterprise clients navigate challenges and leverage opportunities caused by Digital disruption. Saurav has a professional background of over 25 years of progressive experience in advising client executive/leadership teams, leading complex business transformation efforts and managing global consulting organizations delivering impact across a number of industries. He is a thought leader, value creator and organization builder.