Ransomware victims are increasingly falling back on their cyber-insurance
providers to pay the ransom when they’re hit with an extortion cyberattack. But
security researchers warn that this approach can quickly become problematic.
In the first half of 2020, ransomware attacks accounted for 41 percent of the
total number of filed cyber-insurance claims, according to a Cyber Claims
Insurance Report released last year by Coalition.
And indeed, in real-world attacks over the past two years, many companies
afflicted by ransomware acknowledged that they had utilized cyber-insurance
to deal with either the ransom itself or the ensuing cost of remediation.
For instance, weeks after Riviera Beach, Fla. was hit by ransomware in June
2019, the city council held an emergency meeting. It voted unanimously to
authorize the city’s insurer to pay off a $600,000 ransom demand, after the
malware had frozen crucial data. Adversaries also took systems that control
city finances and utilities offline.
That same month, Lake City, Fla. paid ransomware attackers almost $500,000,
which the city announced would be mostly covered by insurance.
More recently, in August 2020, the University of Utah coughed up a $457,000 ransom payment, working with its cyber-insurance provider, after an attack
targeted the university’s servers, and student and faculty data.
Ransomware victim Colonial Pipeline also reportedly had cyber-insurance protection through broker Aon and Lloyd’s of London. The energy firm did pay $4.4 million to attackers. However, it unclear whether the firm utilized its policy to pay. According to a Routers news report, Colonial Pipeline had a policy that covered it for at least $15 million.
Cyber-Insurance: A Financial Cushion for Attack
For those companies impacted by a ransomware attack, cyber-insurance
is supposed to offer a buffer for companies struggling with the fallout. For
instance, after its severe 2019 cyberattack, aluminum giant Norsk Hydro
received around $20.2 million in cyber-insurance from its provider, AIG. The
total cost for damage from the attack was estimated to range between $60 and
$71 million.
(Editor’s Note: This article is based on an in-depth piece, available in the free Threatpost Insider eBook, entitled “2021: The Evolution of Ransomware.” Download it today for much more on the ransomware underground economy!)
“The financial impact of a ransomware attack is multifaceted, and goes wellbeyond the ransom payment,” said Jack Kudale, founder and CEO of Cowbell
Cyber. “Business interruption, revenue loss, potential exposure of sensitive
data and related third-party liability, forensics and restoration expertise, and
finally breach coaching and ransomware negotiations, can all be covered in a
cyber-insurance policy.”
The use of cyber-insurance specifically to cover negotiations, and the ransoms
themselves doesn’t sit well with some security researchers.
“Not only does making a ransomware payment also place an organization in a
potentially questionable legal situation, it is proving to the cybercriminals you
have funded their recent expedition,” said Brandon Hoffman, CISO at Netenrich.
Costs, Premiums and Sub-Limits
In January 2021, a study from AdvisorSmith Solutions found that the average
cost of cyber-insurance is $1,485 per year in the United States. Premiums for
cyber-insurance range from $650 to $2,357, for companies with “moderate
risks” and $1 million in company revenue, the study found. These premiums are
based on liability limits of $1 million, with a $10,000 deductible.
Some of these policies have specific constraints – known as “sub-limits” – on
ransomware-related costs.
“Many cyber-liability policies provide very limited coverage for ransomware
or cyber-extortion attacks, with coverage sub-limits as low as $25,000, even
when the cyber-liability policy has a much higher total limit,” said the report.
The sub-limits have become more common as cyber-insurance has drawn
concern from security experts about how it will change the overall security
landscape. For instance, many argue that falling back on cyber-insurance
policies during a ransomware attack could dissuade companies from adopting
the security measures that could prevent such an attack in the first place.
“From a broad perspective, building in ransomware payments to insurance
policies will only promote the use of ransomware further and simultaneously
disincentivize organizations from taking the proper steps to avoid ransomware
fallout,” Hoffman said.
Regulatory Moves Hamper Cyber-Insurance’s Role
Cyber-insurance companies often tout their ability to mediate payments
between a ransomware victim and cybercriminals. But governments are
looking at potential regulatory action when it comes to ransomware –
including a ban proposed by New York in 2020, preventing municipalities from
giving in to ransomware demands.
This ban, introduced in response to the rising tide of cyberattacks targeting
government agencies across the country, would limit municipal entities’ ability
to pay a ransom if hit by an attack. It instead suggested the creation of a
“Cyber Security Enhancement Fund” aimed at helping municipalities to upgrade
their security postures. A similar bill, proposed in the New York State Senate
in 2020, would also ban municipalities from paying ransoms – but Senate Bill
S7289 would omit the creation of a security fund.
Meanwhile, the U.S. Department of the Treasury has added multiple crimeware
gangs to its sanctions program, prohibiting U.S. entities or citizens from doing
business with them (including paying a ransom). These include the developer of
CryptoLocker (Evgeniy Mikhailovich Bogachev); the SamSam ransomware group;
North Korea-linked Lazarus Group; and Evil Corp and its leader, Maksim Yakubets.
The Department in October 2020 expanded the sanctions’ applicability,
saying that in general, companies that facilitate ransomware payments to
cyber-actors on behalf of clients (so-called “ransom negotiators”) may face
sanctions for encouraging crime and future ransomware payment demands.
Nation-State Exclusions
Cyber-insurers for their part have also added in their own loopholes when it
comes to certain nation-state attacks.
In 2017, when the NotPetya malware infected hundreds of organizations across
the world, some insurers invoked their war exclusions to avoid paying out
NotPetya-related claims. These types of war exclusions deny coverage for
“hostile or warlike action in time of peace and war.” However, this caused
some to criticize the ambiguity of how this clause could be applied.
How can cyber-insurance policies be improved to address these concerns?
Netenrich’s Hoffman argued that insurance companies should refuse to
pay premiums – let alone ransoms – unless basic prevention and recovery
measures are performed by the insured organization on an ongoing basis.
“I know this sounds harsh, but there’s a reason why governments and law
enforcement do not negotiate with terrorists in hostage situations, and
ransomware should be treated the same way,” said Hoffman. “Building a
resilience plan and a recovery plan for ransomware is the proper path, and
creating awareness of the likelihood that this can happen to your organization
will pay off in a big way.”
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!