The Ransomware Cyber Insurance Cycle Fueling the Extortion Economy
Since first emerging back in the mid to late 1990s, cybersecurity insurance has gone from being a product that was hard to sell to one that is now very difficult to buy. For a number of years insurers flocked to the cybersecurity sector, enticed by the rapid growth and ambiguous risk profile. Insurance policies were focused on selling the broadest and best coverage for what was widely considered to be an affordable price to attract buyers. Since the insurance industry lacked the data necessary to predict the likelihood, frequency or cost of cyber attacks, insurers built buffers into their policy premiums that resulted in big profits. According to Fitch data, insurers’ direct loss ratio never surpassed 50% between 2015 and 2019. Those numbers jumped in 2020, with insurers reporting a 73% direct loss ratio, and some insurers in the US market reporting losses above 100% for standalone cyber insurance. Faced with mounting losses, insurers began to limit their own risk exposure by hiking premiums and narrowing the scope of coverage, and some even began abandoning the sector altogether.
So what changed? Ransomware. Ransomware is one of today’s primary cyber threats and has exploded, with extortion demands routinely escalating to new records. According to the National Association of Insurance Commissioners, the average ransomware payment is increasing, rising from $312,000 in 2019 to $570,000 in 2020. Suspected ransomware payments totaling $590 million were made in the first six months of 2021, compared with the $416 million reported for the whole of 2020. A growing number of high profile attacks, like we saw in 2021 with Acer, Apple, and Accenture, are demanding ransoms as high as $50 million. Worse yet, over 80% of the companies that pay a ransom are hit a second time. Premiums for cyber insurance policies that cover ransomware payments are climbing as well, with double-digit increases every month in the first quarter of 2021.
Over the past couple of years, criminal gangs like Wizard Spider, Sprite Spider, DarkSide, and Mummy Spider have become far more strategic with their ransomware attacks. From franchising their Ransomware-as-a-Service (RaaS) operations, to targeting critical infrastructure and supply chains, to double extortion, and beyond, attackers have learned that extortion delivers a big payoff with seemingly no limits to what businesses — and insurers — are willing to pay. Insurers and businesses alike have defaulted to paying the ransom amounts because the damages incurred from a breach would most likely be far more costly and, in the case of infrastructure or hospitals, could be catastrophic.
Because of the inclination to just pay the ransoms, some believe that the cyber insurance industry is what continues to escalate ransomware. Conversely, insurers argue that businesses have used ransomware coverage as a fallback and haven’t done enough in terms of ransomware prevention and mitigation, knowing that they had coverage to minimize any potential losses that would ultimately be seen as a standard cost of business. There are, of course, too many other factors at play to really point the finger in any one direction. The global pandemic and abrupt shift to remote work/learning, advances in technology, growth of cloud infrastructure, political tension, etc., have all played a part in creating an environment ripe for exploitation by attackers. Regardless of which perspective you take on what prompted the current state of ransomware, it’s clear that current conditions are fueling the extortion economy.
The cost of cyber insurance that covers ransomware has skyrocketed, with premiums continuing to increase from 30% to 45% a year. In 2021, Aon PLC warned policyholders to expect premiums to increase substantially—by at least 20 percent and possibly as high as 50 percent in 2022. With some insurers reporting that ransomware accounts for 75% of all cyber insurance claims, the percentage by which attacks are increasing is outpacing the increase in premiums.
As losses from cyber insurance coverage become increasingly untenable for insurers, they are now demanding that businesses shoulder more responsibility for cyber attacks by taking preventative measures, so that a claim never has to be filed in the first place. To obtain or renew cyber insurance policies, businesses will be required to prioritize internal cybersecurity measures to prevent, detect and mitigate their risk of breaches and ransomware. Even at the significantly higher prices, businesses are extremely unlikely to be able to purchase the type of broad cyber risk and ransomware coverage they’ve had in the past.
We recently talked with Leigh Gustafson, a broker with leading US insurance brokerage firm, Lockton Companies, to ask some questions about the changes and trends she sees happening in the cyber insurance market.
“The biggest change we’ve seen in the cyber insurance market over the last year is the degree of scrutiny that carriers have placed on insureds’ information security practices. In the past, companies with even rudimentary controls could obtain coverage, but the proliferation of ransomware has left some companies that lack core minimum controls scrambling for coverage. Some carriers will not even consider a company for coverage if it doesn’t have multi-factor authentication and good backups.” Given the recent surge in cyber claim severity, it is no surprise that insurers are looking to mitigate their losses by imposing minimum cybersecurity controls on insureds.
In terms of coverage, Gustafson explained that “Cyber insurance is rated based on an analysis of each organization. Controls, industry, annual revenue, record count, reliance on vendors are among the many factors that influence policy limits and pricing.” Gustafson indicated that the amount of coverage a company might purchase is largely dependent upon how much coverage limit the insurers are willing to offer, and on the company’s risk tolerance and budget. Her advice? Work with a qualified cyber insurance broker, such as Lockton, to help understand your company’s risk and its coverage options.
The discussion then shifted towards the topic of sub-limiting coverage. Lockton confirmed that ransomware attacks have had a tangible impact on certain types of coverage and that in addition to observing lower aggregate limits and increases in retention amounts, some carriers are sub-limiting specific types of coverage, such as ransom payments, losses stemming from phishing campaigns, and notification costs associated with the compromise of personal information.
We also asked about the recent court decision in the case of Merck vs Ace American Insurance, which concluded that the NotPetya cyber attack perpetrated by Russia’s military intelligence agency was not an “act of war” under the cyber policy at issue and therefore not subject to the policy’s acts of war exclusion. While the judgment was just announced, it is anticipated that the insurance market will likely respond with more aggressive changes to “acts of war” policy exclusions and will continue to tighten coverage to reduce their potential losses from state-sponsored cyber attacks as much as possible.
Though the numbers vary from one insurer to the next, the global cyber insurance market is estimated to cover only about 15% of commercial organizations. Even the largest organizations are getting priced out of the type of broad ransomware coverage they have had in the past; combined with those which never had coverage to begin with, millions of businesses around the world will be left with little or no ransomware insurance coverage, coverage that can be critical to surviving a ransomware attack without going under. This imbalance is creating an immediate and sustained need for these organizations to take pre-emptive action to protect and mitigate against cyber threats, breaches and ransomware in the face of an exploding threat landscape.
The message from the cyber insurance industry echoes what the cybersecurity community has been pushing for years — you need to lower your cyber risk, make your company a hardened target against cyber attacks, as well as implement and test recovery systems. In some cases, this can be challenging because getting to the ideal level of security may require heavy investments into an organization’s infrastructure. However, there is nothing that prevents any size business from performing basic cyber hygiene practices.
zvelo’s Cybersecurity Team recommends these three low-to-no cost, yet high impact, cyber hygiene practices to make your organization a hardened target:
- Organizations need to implement multi-factor authentication (MFA) and have a good password policy in place that requires complex, hard-to-guess passwords. Passwords need to expire every few months. Users who hold both an admin account and a regular account must be required to set a unique password for each.
- Ensure ports, protocols, and services that have no business use are turned off. Those that do have a business use need to be updated from legacy services (e.g. turn off SMB v2).
- Ensure proper separation of permissions by conducting an audit of the groups in your organization. Limit permissions to only those who need them and have a specific purpose (e.g. someone on the Engineering team doesn’t need access to the HR files).
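The three practices above are easiest to sustain when they are checked mechanically rather than by memory. The following is an added example, not zvelo’s code or any vendor tool: a small audit that runs over a constructed inventory (accounts, listening services, and share ACLs are all hypothetical) and reports MFA gaps, stale passwords, services with no business use or a legacy version still enabled, and share access granted across department lines. The 90-day password age limit, the PBKDF2 hashing and the `legacy` flag on a service are assumptions made for the example. It also shows the one part of the policy an audit of stored hashes cannot catch: reuse of a password between a person’s admin and regular accounts, which has to be checked at the moment the password is set, by hashing the proposed password under the paired account’s salt.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_PASSWORD_AGE_DAYS = 90  # assumed expiry window ("every few months")


@dataclass
class Account:
    name: str
    department: str
    is_admin: bool
    mfa_enrolled: bool
    password_age_days: int
    salt: bytes
    pw_hash: bytes                      # PBKDF2-HMAC-SHA256 of the password under `salt`
    paired_with: Optional[str] = None   # the same person's other (admin/regular) account


@dataclass
class Service:
    name: str
    port: int
    has_business_use: bool
    legacy: bool                        # a superseded version is still enabled


@dataclass
class ShareAcl:
    share: str
    owner_department: str
    principals: list[str]               # account names granted access


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_reused(candidate: str, other: Account) -> bool:
    """Password-set-time check: does the proposed password equal the paired
    account's current password? Hashes differ per salt, so this is the only
    point at which reuse across the admin/regular pair can be detected."""
    return hmac.compare_digest(hash_password(candidate, other.salt), other.pw_hash)


def audit_accounts(accounts: dict[str, Account]) -> list[str]:
    findings = []
    for acct in accounts.values():
        if not acct.mfa_enrolled:
            findings.append(f"{acct.name}: MFA not enrolled")
        if acct.password_age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{acct.name}: password {acct.password_age_days} days old, "
                            f"exceeds {MAX_PASSWORD_AGE_DAYS}-day limit")
    return findings


def audit_services(services: list[Service]) -> list[str]:
    findings = []
    for svc in services:
        if not svc.has_business_use:
            findings.append(f"{svc.name}/{svc.port}: no business use, turn off")
        elif svc.legacy:
            findings.append(f"{svc.name}/{svc.port}: legacy version enabled, update")
    return findings


def audit_shares(shares: list[ShareAcl], accounts: dict[str, Account]) -> list[str]:
    findings = []
    for acl in shares:
        for principal in acl.principals:
            dept = accounts[principal].department
            if dept != acl.owner_department:
                findings.append(f"{acl.share}: {principal} ({dept}) granted access "
                                f"to a share owned by {acl.owner_department}")
    return findings


# Constructed sample inventory (hypothetical names and values).
_SALT_A, _SALT_B, _SALT_H = b"salt-alice", b"salt-alice-adm", b"salt-hannah"
ACCOUNTS = {
    "alice": Account("alice", "Engineering", False, True, 40, _SALT_A,
                     hash_password("Winter2021!", _SALT_A), "alice-adm"),
    "alice-adm": Account("alice-adm", "Engineering", True, False, 120, _SALT_B,
                         hash_password("Winter2021!", _SALT_B), "alice"),
    "hannah": Account("hannah", "HR", False, True, 10, _SALT_H,
                      hash_password("correct horse battery", _SALT_H)),
}
SERVICES = [
    Service("telnet", 23, has_business_use=False, legacy=True),
    Service("file-sharing", 445, has_business_use=True, legacy=True),
    Service("https", 443, has_business_use=True, legacy=False),
]
SHARES = [
    ShareAcl("HR", "HR", ["hannah", "alice"]),
    ShareAcl("Eng", "Engineering", ["alice", "alice-adm"]),
]


def run_audit() -> dict[str, list[str]]:
    return {
        "accounts": audit_accounts(ACCOUNTS),
        "services": audit_services(SERVICES),
        "shares": audit_shares(SHARES, ACCOUNTS),
    }


if __name__ == "__main__":
    for area, findings in run_audit().items():
        print(area, *findings, sep="\n  ")
    # alice-adm's stored hash looks unrelated to alice's, yet the passwords are the same:
    print("reuse at set time:", password_reused("Winter2021!", ACCOUNTS["alice"]))
```

In the sample data, `alice-adm` is flagged for missing MFA and a stale password, `telnet` for having no business use, `file-sharing` for running a legacy version, and `alice` for holding access to the HR share; the stored hashes for `alice` and `alice-adm` differ, so the shared password only surfaces through `password_reused`, which is why that check belongs in the password-change path rather than in a periodic audit.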
The Bottom Line? Businesses can no longer rely on cyber insurance to bail them out of a ransomware attack. They need to take proactive steps aimed at changing user behaviors, implement cybersecurity prevention systems, have rapid response procedures in place if/when breached and be ready to restore their operational systems overnight. Businesses have to take steps to make themselves a hardened target. The attackers will go wherever there is the least amount of resistance and the greatest payoff — and they will always find a weak spot.