Companies relying on their cyber-insurance policies to pay off ransomware criminals are being blamed for a recent uptick in ransomware attacks.
Author: Lindsey O'Donnell
Ransomware victims are increasingly falling back on their cyber-insurance providers to pay the ransom when they’re hit with an extortion cyberattack. But security researchers warn that this approach can quickly become problematic.
In the first half of 2020, ransomware attacks accounted for 41 percent of the total number of filed cyber-insurance claims, according to a Cyber Claims Insurance Report released last year by Coalition.
And indeed, in real-world attacks over the past two years, many companies afflicted by ransomware acknowledged that they had utilized cyber-insurance to deal with either the ransom itself or the ensuing cost of remediation.
For instance, weeks after Riviera Beach, Fla. was hit by ransomware in June 2019, the city council held an emergency meeting. It voted unanimously to authorize the city’s insurer to pay off a $600,000 ransom demand, after the malware had frozen crucial data. Adversaries also took systems that control city finances and utilities offline.
That same month, Lake City, Fla. paid ransomware attackers almost $500,000, which the city announced would be mostly covered by insurance.
More recently, in August 2020, the University of Utah coughed up a $457,000 ransom payment, working with its cyber-insurance provider, after an attack targeted the university’s servers, and student and faculty data.
Ransomware victim Colonial Pipeline also reportedly had cyber-insurance protection through broker Aon and Lloyd’s of London. The energy firm did pay $4.4 million to attackers. However, it is unclear whether the firm utilized its policy to pay. According to a Reuters news report, Colonial Pipeline had a policy that covered it for at least $15 million.
Cyber-Insurance: A Financial Cushion for Attack
For those companies impacted by a ransomware attack, cyber-insurance is supposed to offer a buffer for companies struggling with the fallout. For instance, after its severe 2019 cyberattack, aluminum giant Norsk Hydro received around $20.2 million in cyber-insurance from its provider, AIG. The total cost for damage from the attack was estimated to range between $60 and $71 million.
“The financial impact of a ransomware attack is multifaceted, and goes well beyond the ransom payment,” said Jack Kudale, founder and CEO of Cowbell Cyber. “Business interruption, revenue loss, potential exposure of sensitive data and related third-party liability, forensics and restoration expertise, and finally breach coaching and ransomware negotiations, can all be covered in a cyber-insurance policy.”
The use of cyber-insurance specifically to cover negotiations, and the ransoms themselves doesn’t sit well with some security researchers.
“Not only does making a ransomware payment also place an organization in a potentially questionable legal situation, it is proving to the cybercriminals you have funded their recent expedition,” said Brandon Hoffman, CISO at Netenrich.
Costs, Premiums and Sub-Limits
In January 2021, a study from AdvisorSmith Solutions found that the average cost of cyber-insurance is $1,485 per year in the United States. Premiums for cyber-insurance range from $650 to $2,357, for companies with “moderate risks” and $1 million in company revenue, the study found. These premiums are based on liability limits of $1 million, with a $10,000 deductible.
Some of these policies have specific constraints – known as “sub-limits” – on ransomware-related costs.
“Many cyber-liability policies provide very limited coverage for ransomware or cyber-extortion attacks, with coverage sub-limits as low as $25,000, even when the cyber-liability policy has a much higher total limit,” said the report.
The sub-limits have become more common as cyber-insurance has drawn concern from security experts about how it will change the overall security landscape. For instance, many argue that falling back on cyber-insurance policies during a ransomware attack could dissuade companies from adopting the security measures that could prevent such an attack in the first place.
“From a broad perspective, building in ransomware payments to insurance policies will only promote the use of ransomware further and simultaneously disincentivize organizations from taking the proper steps to avoid ransomware fallout,” Hoffman said.
Regulatory Moves Hamper Cyber-Insurance’s Role
Cyber-insurance companies often tout their ability to mediate payments between a ransomware victim and cybercriminals. But governments are looking at potential regulatory action when it comes to ransomware – including a ban proposed by New York in 2020, preventing municipalities from giving in to ransomware demands.
This ban, introduced in response to the rising tide of cyberattacks targeting government agencies across the country, would limit municipal entities’ ability to pay a ransom if hit by an attack. It instead suggested the creation of a “Cyber Security Enhancement Fund” aimed at helping municipalities to upgrade their security postures. A similar bill, proposed in the New York State Senate in 2020, would also ban municipalities from paying ransoms – but Senate Bill S7289 would omit the creation of a security fund.
Meanwhile, the U.S. Department of the Treasury has added multiple crimeware gangs to its sanctions program, prohibiting U.S. entities or citizens from doing business with them (including paying a ransom). These include the developer of CryptoLocker (Evgeniy Mikhailovich Bogachev); the SamSam ransomware group; North Korea-linked Lazarus Group; and Evil Corp and its leader, Maksim Yakubets.
The Department in October 2020 expanded the sanctions’ applicability, saying that in general, companies that facilitate ransomware payments to cyber-actors on behalf of clients (so-called “ransom negotiators”) may face sanctions for encouraging crime and future ransomware payment demands.
Cyber-insurers for their part have also added in their own loopholes when it comes to certain nation-state attacks.
In 2017, when the NotPetya malware infected hundreds of organizations across the world, some insurers invoked their war exclusions to avoid paying out NotPetya-related claims. These types of war exclusions deny coverage for “hostile or warlike action in time of peace and war.” However, this caused some to criticize the ambiguity of how this clause could be applied.
How can cyber-insurance policies be improved to address these concerns? Netenrich’s Hoffman argued that insurance companies should refuse to pay premiums – let alone ransoms – unless basic prevention and recovery measures are performed by the insured organization on an ongoing basis.
“I know this sounds harsh, but there’s a reason why governments and law enforcement do not negotiate with terrorists in hostage situations, and ransomware should be treated the same way,” said Hoffman. “Building a resilience plan and a recovery plan for ransomware is the proper path, and creating awareness of the likelihood that this can happen to your organization will pay off in a big way.”