In 2021, our newsfeeds were flooded with reports of cyber-attacks and colossal ransomware payments. Most companies have either been directly impacted themselves or indirectly through a vendor in their supply chain, and they are looking for ways to manage risk. Cyber insurance is becoming a mainstream insurance product with insurers offering both specific cyber policies and ‘bolt on’ cyber endorsements for standard property policies.
The recent increase in cyber-attacks and sky-rocketing ransom demands has also led to a substantial increase in policy pricing. According to a report published by the insurance broker Howden, the pricing for cyber insurance has increased 32% globally between June 2020 and June 2021. Insurers are also insisting that prospective policyholders certify that they have implemented stringent cybersecurity measures.
Despite significant growth, the cyber insurance sector has performed poorly in recent years and insurers are struggling to accurately assess risk. A report by S&P Global found that, in 2020, the cyber insurance industry’s loss ratio was 72.8%, compared to a typical insurance loss ratio of 30-60%. Furthermore, Barron’s reported that in 2020, two of the largest insurers paid out close to 100% of premiums.
There is an ever-changing array of factors impacting the risk of cyber-crime. Below, we review the impact of two factors from the perspective of both the insured and the insurer:
- Obtaining ransomware insurance
- Paying a ransom
Does Obtaining Ransomware Insurance Increase Risk?
Companies are justifiably looking to protect themselves from the financial impact of a ransomware attack, but what if purchasing insurance could inadvertently increase the risk of attack? Cyber security firm Sophos studied 1,823 companies and found that organizations with cyber insurance were twice as likely to pay ransoms as those without. If criminals are aware of this, it follows that they would target companies with ransomware insurance.
In a 2021 interview, a representative from REvil, a well-known Russian ransomware group, described companies with insurance as the “tastiest morsels” for hackers and confirmed they are unequivocally targeting cyber insurers to obtain lists of policyholders. In March 2021, one of the largest insurance companies in the United States paid a $40 million ransom to regain control of its computer systems following a ransomware attack. While the company said in a statement that “they did not believe” policyholder data was compromised, it is still unclear whether information relating to insureds and their policies ended up in the hands of the hackers.
There are many more examples of how cyber insurance could increase risk, including the following:
- If a company utilizes ransomware insurance to pay a ransom, the attacker will likely be aware of this and may execute a repeat attack to further exploit the coverage. Alternatively, the attacker may sell the information relating to the insurance coverage to other attackers, increasing the risk of a future attack from another actor.
- If a hacker breaches a company’s file server, they may be able to search the server and access documentation relating to a company’s cyber insurance policy. If a hacker is aware that the company has coverage and can identify the policy limit information, they can then use this to guide their ransomware demand.
On a global scale, the interaction between cyber insurance and ransomware attacks has been well debated in the industry, with cyber experts blaming the frequency and size of insurance ransomware payouts for the significant jump in cyber-attacks. In early 2021, the former head of the UK’s National Cyber Security Centre went as far as to say that insurers providing cyber insurance are “inadvertently funding organized crime by paying out claims” and that it’s necessary to “look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry.” In May 2021, France’s largest insurer said that it would no longer reimburse ransomware payments due to uncertainty within the French government about the legal status of ransomware payments.
Does Paying a Ransom Increase Risk?
Just as cyber insurance entices attackers, does the payment of a ransom act like a beacon to criminals? It’s well known that both the U.S. and U.K. governments have a “no ransom” policy in relation to citizens held hostage. This is based on the reasoning that hostage-takers distinguish between governments that pay ransoms and those that don’t, and therefore avoid taking hostages from countries that don’t pay. It follows that the same logic would apply to ransoms relating to cyber-attacks, and the research backs it up.
A large cyber-security firm, Cybereason, found in a recent study that 80% of organizations that paid a ransom faced a second attack. While the U.S. Cybersecurity & Infrastructure Security Agency advises against paying ransoms, stating that “paying ransom offers no assurance that a victim organization will regain access to their data or have their stolen data returned”, many companies still pay ransoms.
A ransom payment could impact the risk of a future attack in the following scenarios:
- The first ransom payment is made public and entices other criminals to attack the same company, knowing it has the funds available and the protocols in place to pay ransoms. While companies (and insurers) often try to keep payments confidential, payment amounts are frequently disclosed by the attacker. Interestingly, a new crowdfunded website called “Ransomwhere.re” is attempting to provide a publicly trackable record of bitcoin payments to key ransomware groups, while keeping victims’ records anonymous.
- The same attacker strikes again in the hope of receiving another payment, potentially exploiting the same cyber vulnerability as in the first attack (if it has not been fixed by the victim). Attackers have also been known to leave a “backdoor” in the victim’s systems that allows them to regain access at a later date.
- The specific technical vulnerability that the attacker used to gain access to the system is made public or sold to another attacker. To mitigate this risk, companies can ensure that the cyber vulnerabilities that led to the first attack have been resolved, and, as previously mentioned, insurers are now insisting on high levels of cyber security from insureds.
As discussed above, on a global scale, the cumulative effect of companies paying ransoms increases the attractiveness of the ransomware industry to criminals, thus increasing the overall risk to all companies. The more ransoms that are paid, the more appealing the ransomware ‘sector’ is to criminals, leading to a greater number of attacks and to what we are now seeing as an explosion of cyber-crime. To try to interrupt this vicious cycle, New York State has introduced Bill S6806A to the Senate, which, if passed, prohibits the payment of ransoms by “government entities, business entities or healthcare entities or by another entity on their behalf.” It’s likely that many states, and potentially countries around the world, will follow suit.
The cyber insurance industry is in a state of flux. Insurers are struggling to accurately assess risk, and companies are trying to combat constant cyber-attacks and increasing policy costs. It’s unclear what the future holds, but we know that insurers are taking drastic steps to manage risk by creating sub-limits for various types of cyber coverage, ensuring that stringent cyber-security standards are met by insureds, and providing incident response teams, including cyber experts and negotiators, to assist insureds after an attack.
This article was co-authored by Shelina Boksh, CPA, Senior Forensic Accountant.