How The Cyber Insurance Industry's Bottom Line Is Fueling Ransomware
from the p-and-l dept
The past decade or so has seen an explosive upward trend for the cyber insurance industry. Given the rise of malware, particularly of ransomware, it's perhaps not surprising that an insurance market sprouted up around that reality. It's gotten to the point that those of us whose day-to-day business is managing client networks in the SMB space are now regularly fielding requests for how to obtain cyber insurance.
But when you begin to dig into how that industry operates and the methodology by which it advises its clients, it quickly becomes apparent that the cyber insurance industry itself is fueling the growth in ransomware attacks worldwide. ProPublica has a long and fascinating post on the topic, first discussing a real world example concerning a municipality that was hit with ransomware, attempted to resolve the incident on its own by restoring from backups, but ultimately was advised by its cyber insurance partner to pay the ransom. In doing so, the municipality was out only its $10k deductible, while the insurance company paid out over $400k to the attacker. This was seen as a good deal for the municipality.
But was it? It turns out that the IT department for the city was putting together a restoration plan. That plan would take time to implement, require the involvement of outside consultants, and would require overtime work by the IT staff. All of that, of course, would be paid for by the cyber insurance company if the city went down that path. Instead, the ransom was paid.
This highlights two troubling trends in the cyber insurance industry. The first trend concerns how insurance companies advise their clients when attacked… and why they advise them in the way they do.
A spokesperson for Lloyd’s, which underwrites about one-third of the global cyber-insurance market, said that coverage is designed to mitigate losses and protect against future attacks, and that victims decide whether to pay ransoms. “Coverage is likely to include, in the event of an attack, access to experts who will help repair the damage caused by any cyberattack and ensure any weaknesses in a company’s cyberprotection are eliminated,” the spokesperson said. “A decision whether to pay a ransom will fall to the company or individual that has been attacked.” Beazley declined comment.
Fabian Wosar, chief technology officer for anti-virus provider Emsisoft, said he recently consulted for one U.S. corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company’s insurer pressured it to pay the ransom, he said. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required, Wosar said. The company agreed to have the insurer pay the approximately $100,000 ransom.
Examples of this abound throughout the rest of the post. Essentially, the insurance company simply calculates which will be the more expensive payout for the insurer: the ransom or the cost of recovery? If the ransom is less, the insurance company advises, and sometimes pressures, the client to pay it. This can often look like the better option, as recovery from a malicious disaster is time-consuming and comes without the assurance that a full recovery is even possible (though paying brings no such assurance either: the attacker may not deliver a working decryptor). What's a $10k deductible compared with a city's systems being down for two weeks? This can seem like a win for the insured, or at least the smallest loss possible.
The problem is what this does throughout the rest of the world, which is troubling trend number two.
As insurance companies have approved six- and seven-figure ransom payments over the past year, criminals' demands have climbed. The average ransom payment among clients of Coveware, a Connecticut firm that specializes in ransomware cases, is about $36,000, according to its quarterly report released in July, up sixfold from last October. Josh Zelonis, a principal analyst for the Massachusetts-based research company Forrester, said the increase in payments by cyber insurers has correlated with a resurgence in ransomware after it had started to fall out of favor in the criminal world about two years ago.
One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting “insurance coverage relating to cybersecurity incidents.”
To some degree, this happens whenever insurance is introduced into a specific market. Nefarious actors recognize how insurance companies make their decisions and react accordingly. Now that cyber insurance is commonplace, and given that those insurance companies very often recommend paying ransoms, there are more attacks asking for more money more often.
The cyber insurance companies, in the interest of maximizing income and minimizing payouts on their own policies, are actually fueling the ransomware industry. You might guess that the industry would see this as a problem. Given the data, however, it’s likely that the increase in attacks the insurance industry is fueling ultimately benefits the cyber insurance industry.
Driven partly by the spread of ransomware, the cyber insurance market has grown rapidly. Between 2015 and 2017, total U.S. cyber premiums written by insurers that reported to the NAIC doubled to an estimated $3.1 billion, according to the most recent data available.
That reads like a classic case of causing the problem for which you sell the cure. Nobody is suggesting that cyber insurance companies are doing this on purpose, of course, but that is indeed the practical effect.
The real problem is that all of the incentives are wrong here if the ultimate goal is less ransomware. Fortunately, there will come a point where diminishing returns for the industry will give it a reason to try to reduce attacks rather than simply price them. That's why, as the post notes, the best solutions for preventing ransomware attacks may well end up coming from the insurance industry itself.
But in the meantime, ransomware continues to grow and grow, supercharged by the profit and loss needs of the industry that’s supposed to oppose it.