In October 2021, the US government hosted several meetings bringing together a group of international officials and its own national security advisers to discuss one thing – ransomware.
The US corporate landscape had been littered with a growing number of instances of ‘cyberheists’, making cybercrime a topic of utmost and immediate concern.
As the risks to crucial supply chains that affect consumers and industry have increased, so have the rewards for the covert hacking organizations that are proving that crime really does pay – often in cryptocurrency.
In 2020, victims paid $402m in ransom, a 361% increase from the previous year, according to Chainalysis. The average ransom demanded rose 170% in the first half of 2021, averaging $1.2m (among Coalition-insured corporates), whilc the average ransom payment in 2021 jumped 82% to $570,000, according to Palo Alto Networks.
The October gathering set up by the Biden administration placed the illicit use of cryptocurrency high on its agenda, as well as developing a collaborative approach to law enforcement.
High-profile cyber-attacks
Two high profile cyberattacks in May of 2021 proved how pressing the issue had become. The first resulted when hackers held Colorado-based meat producer JBS SA to ransom to the tune of $11m, which the firm paid in bitcoin to ensure the resumption of production. In the second case, energy supplier Colonial Pipeline paid $5m of bitcoin to a different criminal hacking group.
Ransomware is typically introduced into a corporate network through malware designed to take advantage of any vulnerabilities in its cyber defense. The ransomware encrypts the victim’s data, which can only be ‘unlocked’ with a key that is delivered in return for the ransom.
These attacks are often a result of social engineering that exploits unwary employees or third party vendors. Sometimes data is exfiltrated, followed by threats to release it publicly, pushing corporates to pay up quicker.
The cost of cyber protection is spiralling. UK-listed insurer Hiscox reported 6% year on year growth in the first three quarters of 2021, while Lloyd’s of London insurer Beazley stated in November that cyber price rises continued to exceed expectations. Cyber insurance prices nearly doubled year on year in the US during the same period, and rose 73% in the UK.
“Overall, the problem is so big it’s uninsurable.”
Christian Mumenthaller, CEO, Swiss Re
But while demand for specialized insurance coverage has spiked in response to this new phenomenon, security experts are divided on its efficacy.
Some argue that the existence of insurance encourages apathy and negligence in constructing and maintaining a viable cyber defense, and that paying ransoms actually encourages those perpetrating the attacks. They contend that insurance companies tend to pay up as this is usually faster, cheaper, and more effective than trying to recover data.
Sometimes a corporate has no choice – if there is no viable back-up data storage, the only route available is payment.
The insurers bristle when considering this claim and their retort is that the cyber criminals are in fact emboldened by the relative ease with which they can penetrate weak systems and networks where basic security is lacking and there is so little realistic awareness of the risks. Last summer, the insurer AXA declared that it would not cover ransom payments under its cyber policies in France, while Christian Mumenthaler, Swiss Re’s CEO, told Reinsurance News that “overall the problem is so big it’s uninsurable.”
In most cases, the criminals play a numbers game with their opportunistic attacks rather than targeting a certain organization. The bigger the net they cast, the more victims they can ensnare. Recent revelations about the activity of renowned cyber gangs such as DarkSide indicate that they perform searches of their victims’ records to confirm the existence and type of insurance they carry before they encrypt and jam their systems. It is a chilling development and underlines the enemy’s sophistication.
The insurers stress that it is the insured that makes the ultimate call on whether to pay a ransom and not the insurer itself. Notable losses can result if a business does not evaluate the situation pragmatically – one example cited was a ransom demand of $76,000, which the City of Baltimore refused to pay and which eventually snowballed into losses of over $20m.
Often ransoms and associated costs are just the tip of the iceberg after an incident. First-party costs related to incident response might include forensic investigations, legal services to determine notice obligations, and the costs of providing notice, data restoration, and business interruption. The nightmare often continues.
Service beyond pure insurance
The competitive elements in an evolving market, and corporates’ needs, mean that insurers now offer more than just compensation and ransom crypto-cash.
Those insurers viewing the demand as an opportunity are differentiating themselves beyond basic cover and indemnity by offering better services. Reporting hotlines, a dedicated team to help customers respond when a breach occurs, and access to expert advice are all of appeal. Proactive risk mitigation is now available so that there is less likelihood of disruption and corporates can recover faster.
Businesses need to analyze any policy to account for business (and supply chain) interruption, data recovery, security incident, and breach coverage.
But the reality is that, while premiums are inevitably on the rise, many organizations are now being refused cover as the insurance industry digests a 25% increase in loss ratio.
Many require a minimum in terms of network security capability to reduce risk. And they evaluate many of the following elements before extending insurance: software patch updates, remote access other than VPN, multifactor authentication, and an immutable back-up process.
The size of the problem has prompted the entrance of government and regulators to influence practice.
While premiums are inevitably on the rise, many organizations are now being refused cover as the insurance industry digests a 25% increase in loss ratio.
AXA’s approach detailed above was allegedly driven by comments from French prosecutors that suggested disapproval of ransom payment. AXA said it made this decision in response to concerns raised by French justice and cybersecurity officials during a Senate roundtable in Paris about the global epidemic of ransomware.
The tone and ambiguity in the US is no different, where ransom payment is discouraged but not forbidden.
The US authorities have taken another tack by adding certain organizations and payment conduits to the Office of Foreign Asset Control (OFAC) sanction lists. OFAC put SUEX OTC S.R.O., a Russian exchange, on its Specially Designated Nationals and Blocked Person List as a result of its role in facilitating ransomware payments. This was OFAC’s first-ever designation of a virtual currency exchange.
OFAC has also provided guidance on preventive measures that companies should implement to help mitigate risk. It recommends not paying ransoms but recognizes this is a decision for individual entities. The OFAC guidance states that the government would enforce OFAC non-compliance not only against ransomware victims, but also against their insurers and the intermediaries they hire, such as cyber security firms that negotiate with threat actors.
Ultimately, public policy on this is far from established and insurers and their customers are following an unclear path for now.
Proactive risk management starts at home
The Institute for Security and Technology in the US released a report (Combating Ransomware) in April 2021 with recommendations from a taskforce of industry, government, and law enforcement experts. The report recommends establishing a consortium in the insurance sector that can share ransomware loss data and promote best practices in underwriting and risk management. It concludes that the insurance industry should encourage the insured to manage their own risk better.
Other interest groups such as SIFMA, the main trade association for the securities sector in the US, has been running bi-annual resilience exercises called ‘Quantum Dawn’ for its members for more than 10 years now. These have focused on physical threats, cybersecurity, terrorism, and natural-disaster risks. The tests that were run at the end of 2021 covered industry preparedness for a global ransomware attack and the recovery capability of SIFMA’s member firms, which comprise the biggest broker-dealers and banks globally.
Insurers are definitely now expecting higher security standards as a precondition for insurability. This seems certain to establish a security baseline of requirements that at the very least might include:
- a proactive strategy for reducing the risk of an effective attack;
- a well-rehearsed incident response plan to help a corporate identify security issues and recover efficiently; and
- a robust back-up environment that allows a corporate to restore encrypted data itself.
Firms of all sizes must take notice and build protected systems, in the hope that they only need the nuclear option of calling their insurer as a last resort.