The changing face of cyber ransom
The cyber insurance sector refused to be fazed by snowballing ransomware attacks, helping insureds protect themselves better. But a potent threat to both parties persists.
Ransomware has quickly become the poster risk for cyber security professionals and insurers. In its report A Hard Reset, Howden noted that the number of ransomware attacks grew by 230% between 2019 and 2021, average payments went up 370% and the average cost of downtime per incident was up by 170%.
Although the cyber highwaymen were reined in somewhat over 2022 and ransomware claims fell from those historic highs, a more recent report from Boston-based specialty business Corvus Insurance says that threat actors were no less rapacious when they did succeed.
In the first half of last year, the average dollar amount of ransom paid ticked up by 4% to average $255,000. And even though there were fewer ransomware claims in the first half of this year, a larger percentage of them involved data exfiltration, a tactic used to increase leverage over the victim.
Shay Simkin, Tel Aviv-based global head of cyber at Howden, reckons scattergun ransom demands have risen from $500 in bitcoin to multi-million dollar payments. Attacks are now more sophisticated and they’re targeted at companies that have been closely researched by criminal gangs.
The development of double and triple extortion involving data exfiltration is fuelling severity for insurers, Simkin says.
“By 2021, instead of simply encrypting computers and offering a decryption key, criminals started asking for a double ransom. They encrypt the data and offer decryption for a ransom payment - but they also extract critical Intellectual Property from the victim company and demand a further payment,” Simkin explains.
“Today there’s also a triple ransom threat whereby data is encrypted, data is extracted for additional payment and then the criminal approaches third parties potentially compromised by the breach. They tell the third party that they will publish their information unless the third party pressures the victim company into paying a ransom.”
Insurers are responding to the changing ransomware tactics being deployed by criminal gangs, however, Simkin says.
“First they have started requiring clients to have certain risk management controls in place. This move towards mandated controls in order to secure insurance has made the insurance industry in a sense the de facto regulator, a catalyst for better cyber security in economies.
“The second step is that cyber risk insurance prices have been adjusted to the right level, after a period of steep rate and deductible increases. There was a capacity crunch and insurers tended to cherry pick companies in less risky industries and with the right controls in place. The claims ratio fell accordingly in 2022, compared with the previous year.”
Tom Quy, cyber practice leader at reinsurance broker Acrisure Re, says that the surge in ransomware attacks made corporate insurance buyers very aware of the value of cyber cover and demand spiked:
“When the ransomware epidemic got going around 2019/20 the market all but shut – certainly with respect to clients buying cyber for the first time. Underwriters had to remediate their books. There was a realisation during this time amongst insureds globally that cyber was no longer a privacy risk, or specific to the U.S., and that all industries were exposed. This has led to renewed demand for the product.
“The market has moved on however, and has opened back up with buyers now able to obtain the cover they need, albeit by demonstrating that they have the necessary controls in place,” Quy says.
“The re-underwriting of the book and the renewed focus on risk management has arguably led to loss frequency falling [within the insured risk pool]. The headlines suggest that ransomware might still be rampant, but it is a different picture within the insured risk pool. You can certainly underwrite around ransomware, because the vulnerabilities are broadly known and understood by insurers and brokers,” Quy adds.
Jennifer Braney, cyber specialist broker at Gallagher Re, agrees, pointing to signs of improvement in the most recent quarterly data as evidence of just how effective the ransomware mitigation strategies employed over the past two years have really been.
“This includes not just rate increases, but improved risk selection criteria informed by claims information, a deeper understanding of risk factors, and coverage management through sub-limits,” Braney says.
“Extortion has been insurable across many classes of business such as kidnap and ransom and piracy for decades, if not centuries – this is nothing new for the market. There is a sense of not wanting to ‘re-victimise the victim’ by making this uninsurable in a legal sense.
“We are fortunate to have a free market that allows some carriers to offer this sort of coverage, whereas others can decide not to, dependent on where their appetite lies,” Braney says.
She stresses that cyber insurance provides a lot of value beyond indemnity, including pre-underwriting risk evaluations and crisis management.
“In the late noughties, there was a surge in piracy at sea, with ransom demands increasing in frequency and severity. The ultimate solution to this was onboarding security on vessels as a deterrent. The cyber market is actively involved in a similar way by helping insureds be more secure to prevent these types of attacks from occurring in the first place.”
Dan Trueman, head of cyber and technology at global insurer AXIS, feels that underwriters have done a good job of maintaining the insurability of ransomware within cyber coverage in the face of a potentially snowballing threat.
“Ransomware is by no means a new problem, but it is fair to say that since mid-2018 the increase in both frequency and severity of ransomware events has been a noticeable change. The advantage carriers have, particularly those with material cyber insurance portfolios, is that we can track such trends and correlate actions that can be taken against the effects,” he told Insider Engage.
“Specialist carriers in the cyber space have identified core minimum and essential cyber hygiene standards that do not necessarily eliminate ransomware threats but can be shown to materially reduce the likelihood and impact of such events.”
He stresses that the market can’t rest on its risk management laurels, however: “It is incumbent on the insurance market to offer protection to businesses and thus it is important that ransomware remains insurable. The identification, qualification and quantification of ransomware threats and setting minimum standards to reduce likelihood and impact is a core way that insurers can help to support businesses and ensure they continue to be able to transfer their most significant risks. That is, after all, the social value of insurance.”