Cyber insurers are in the crosshairs of ransomware crooks

Ransomware criminals have claimed as trophies at most three North American insurance brokerages, which sell policies meant to help other organizations survive the network-paralyzing and data-pilfering extortion attacks.

TheEditor
05 July 2021 Monday 10:08

Hackers who break into corporate and government networks to steal sensitive data are often keen to find out how much cyber insurance their victims carry. Ransom negotiations are easier for cybercriminals who know the financial capabilities of their victims, and the crooks are also hunting for the identities and coverage details of cyber insurance customers.

Cyber insurance was a niche business before ransomware became a global epidemic that ravaged businesses, schools, and local governments. The industry was accused of feeding the criminals by recommending that victims pay up. However, it kept many organizations from going bankrupt.

The sector is not just under the thumb of criminals. It is also on the brink of bankruptcy: after a 400% increase in ransomware cases last year and skyrocketing extortion demands, cyber insurance payouts now stand at 70% of premiums, the break-even point.

Fabian Wosar, chief technical officer at Emsisoft, which specializes in ransomware and cybersecurity, said that the current attitude among insurance companies is not to pay the criminals, which is likely to be more affordable for everyone.

"The ransomware organizations got too greedy too fast." He said that the cost-benefit formula the insurers initially used to determine whether they should pay a ransom was no longer relevant.

It is unclear how the single largest ransomware attack, which started Friday, will affect insurers. It can't be.

The industry is under increasing pressure to stop paying ransoms.

AXA, a major cyber insurance company, decided in May to stop reimbursing ransom payments under all new policies in France. It is not the only one in the sector, and governments aren't moving to outlaw reimbursement.

AXA was one of the major insurers to be hit by ransomware attacks; its Thailand operations were hit hard. CNA Financial Corp. of Chicago, the seventh-ranked U.S. cyber insurance underwriter, had its network shut down in March. Recorded Future, a cybersecurity firm, published an interview with a member of the Russian-speaking ransomware gang REvil. This gang is adept at intelligence-gathering and happened to be behind the current attack. He suggested that it is targeting insurers to obtain data about their clients.

CNA declined to confirm a Bloomberg report that it had paid $40 million in ransom, which would have been the largest reported ransom ever. It also declined to say how much data was stolen or what it contained. It stated that the systems where most policyholder data were stored "were unaffected."

In a regulatory filing with the Securities and Exchange Commission, CNA stated that future cyber insurance coverage might be more difficult to obtain or cost prohibitive.

Gallagher, an insurance broker, was also affected by ransomware. It discovered the infection in September. However, it was only revealed this week (June 30, 2013) that hackers may have accessed highly sensitive data belonging to a large number of customers, including passwords and Social Security numbers as well as credit card and medical data. Kelli Murray, a company spokeswoman, would not confirm whether any cyber insurance policy contracts were compromised. She also declined to say whether Gallagher paid a ransom. Gallagher may have paid, because the RagnarLocker gang never posted any information about the attack to its dark web leak site.

Three ransomware gangs attacked three insurance brokers in recent weeks, posting stolen data on their dark websites as evidence. Two of the brokers, in Montreal and Detroit, didn't respond to emails or phone calls. The third, in southern California, acknowledged that it was temporarily incapacitated for a week.

Insurers were already passing higher costs on to customers by May, when ransomware was discovered at Colonial Pipeline and at JBS, the major meat processor.

According to Gregory Eskins, an analyst with Marsh McLennan, cyber premiums in the U.S. and Canada rose by 29% in January compared to the previous month. The month-to-month jump was 32% in February and 39% in March.

Eskins stated that ransomware-related losses amounted to roughly 40% of all cyber insurance claims in North America last year. Policy renewals now carry stricter rules or lower coverage limits in an attempt to reverse the trend.

Michael Phillips, chief claims officer at Resilience in San Francisco and co-chair of Resilience's public-private Ransomware Task Force, stated that the price must match the risk.

An insurance policy may now stipulate that reimbursement for extortion payments cannot exceed one-third of the overall coverage, which typically includes recovery, lost income, and payments to PR firms to minimize reputational damage. Brent Reith, a broker at Aon, stated that an insurer might also reduce coverage or add a deductible.

Some smaller carriers may have lost coverage, but the major players are retooling.

There are also hybrid insurers such as Resilience or Boston-based Corvus. They do more than simply ask potential customers for information. They actively engage customers when cyber threats arise and physically test their cyber defenses.

Phil Edmundson, Corvus CEO, stated that "We monitor and make active recommendations not only once a year, but throughout the year."

Is the industry agile enough to handle the increasing demands?

In a May report, the Government Accountability Office stated that cyber insurance would continue to be available in an affordable manner. In a February circular, the New York State Department of Finance also warned that large industry losses could occur.

Insurers and the insured are stingy about sharing experiences and data, according to a report by the U.K. Royal United Services Institute. While governments are starting to push for mandatory industry reporting, most ransomware attacks go unreported. Insurers aren't transparent as a business sector. In the United States they are regulated not by the federal government but by the state governments.

For now, however, cyber insurers are resisting any calls to stop reimbursing ransom payments.

Adrian Cox, CEO of the UK-based Beazley, stated in a May earnings conference that "generally speaking, network security isn't good enough at this moment." He also said that it was up to the government to decide whether payments are poor public policy. In February's annual report, CEO Evan Greenberg of Chubb Limited, the largest U.S. cyber insurance company, likewise stated that it is up to government to decide on a ban. He did, however, endorse a ban on payments.

Jan Lemnitzer, a Copenhagen Business School lecturer, believes that cyber insurance should be mandatory for all businesses, large or small. Just as everyone who drives must have insurance and seat belts, so too should every business have cyber insurance. A Royal United Services Institute study recommends it for all government vendors and suppliers.

Lemnitzer agrees that ransom payments are problematic but says it would be an easy task to force insurers to stop paying them.

As a disincentive, some have suggested that ransom payments could be subject to fines. The government could also retain a portion of any cryptocurrency seized from ransomware criminals, with the proceeds going to a federal ransomware defence fund.

These measures could cut into criminal revenues, according to Stewart Baker, a former general counsel for the NSA now at Steptoe and Johnson.

"In the long-term, it likely means that the resources currently going to Russia for Ferraris in Moscow will now be used to improve cybersecurity in America."