BOSTON — In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.
Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.
Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but kept many from going bankrupt.
Now, the sector isn’t just in the criminals’ crosshairs. It’s teetering on the edge of profitability, upended by a more than 400% rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70%, the break-even point.
Fabian Wosar, chief technical officer of Emsisoft, a cybersecurity firm specializing in ransomware, said the prevailing attitude among insurers is no longer: Pay the criminals. It’s likely to be cheaper for all involved.
“The ransomware groups got way too greedy too quickly. So the cost-benefit equation the insurers initially used to figure out whether or not they should pay a ransom — it’s just not there anymore,” he said.
It’s not clear how the single biggest ransomware attack on record, which began Friday, will impact insurers. But it can’t be good.
Pressure is building on the industry to stop reimbursing for ransoms.
In May, the major cyber insurer AXA decided to do so with all new policies in France. But it is so far apparently alone in the industry, and governments are not moving to outlaw reimbursement.
AXA is among major insurers that have suffered ransomware attacks, with operations in Thailand hard-hit. Chicago-based CNA Financial Corp., the seventh–ranked U.S. cybersecurity underwriter last year, saw its network crippled in March. Less than a week earlier, the cybersecurity firm Recorded Future published an interview with a member of the Russian-speaking ransomware gang, REvil, that is skilled in pre-attack intelligence-gathering and happens to be behind the current attack. He suggested it actively targets insurers for data on their clients.
CNA would not confirm a Bloomberg report that it paid a $40 million ransom, which would be the highest reported ransom on record. Nor would it say what or how much data was stolen. It said only that systems where most policyholder data was stored “were not impacted.”
In a regulatory filing with the Securities and Exchange Commission, CNA also said that its losses might not be fully covered by its insurance and “future cybersecurity insurance coverage may be difficult to obtain or may only be available at significantly higher costs to us.”
Another major insurance player hit by ransomware was broker Gallagher. Although it was hit in September, only this past week (June 30) did it disclose that the attackers may have stolen highly detailed data from an unspecified number of customers — from passwords and Social Security numbers to credit card data and medical diagnoses. Company spokeswoman Kelli Murray would not say if any cyber insurance policy contracts were on compromised servers. Nor would she say whether Gallagher paid a ransom. The criminals, from the RagnarLocker gang, apparently never posted information about the attack on their dark web leak site, suggesting that Gallagher paid.
Of the three insurance brokers that ransomware gangs claimed to have attacked in recent weeks, posting stolen data on their dark web sites as evidence, two, in Montreal and Detroit, did not respond to phone calls and emails. The third, in southern California, acknowledged being hobbled for a week.
By the time the Colonial Pipeline and major meat processer JBS were hit by ransomware in May, insurers were already passing higher coverage costs to customers.
Cyber premiums jumped by 29% in January in the U.S. and Canada from the previous month, said Gregory Eskins, an analyst at top commercial insurance broker Marsh McLennan. In February, the month-to-month jump was 32%, in March it was 39%.
In a bid to turn back ransomware-related losses — Eskins said they amounted to about 40% of cyber insurance claims in North America last year — policy renewals are carrying new, stricter rules or lowered coverage limits.
“The price has to match the risk,” said Michael Phillips, chief claims officer at the San Francisco cyber insurance firm Resilience and a co-chair of the public-private Ransomware Task Force.
A policy might now specify that reimbursement for extortion payments can’t exceed one-third of overall coverage, which typically also encompasses recovery and lost income and can include payments to PR firms to mitigate reputational damage. Or an insurer may cut coverage in half, or introduce a deductible, said Brent Reith of the broker Aon.
While some smaller carriers have dropped coverage altogether, the big players are instead retooling.
Then there are hybrid insurers like Resilience and Boston-based Corvus. They don’t simply ask potential customers to fill out a questionnaire. They physically probe their cyber defenses and actively engage clients as cyber threats occur.
“We’re monitoring and making active recommendations not just once a year but throughout the year and dynamically,” said Corvus CEO Phil Edmundson.
But is the overall industry nimble enough to absorb the growing onslaught?
The Government Accountability Office warned in a May report that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain.” And the New York State Department of Finance said in a February circular that massive industry losses were possible.
Both insured and insurers, stingy about sharing experiences and data, shoulder the blame for that, the U.K. Royal United Services Institute said in a new report. Most ransomware attacks go unreported, and no central clearinghouse on them exists, though governments are beginning to pressure for mandatory industry reporting. As a business sector, insurers are not especially transparent. In the U.S. they are regulated not by the federal government but by the states.
And for now, cyber insurers are mostly resisting calls to halt reimbursements for ransoms paid.
In a May earnings call, the CEO of U.K.-based Beazley, Adrian Cox, said “generally speaking network security is not good enough at the moment.” He said it is up to government to decide whether payments are bad public policy. CEO Evan Greenberg of the leading U.S. cyber insurer, Chubb Limited, agreed in the company’s annual report in February that deciding on a ban is government’s purview. But he did endorse outlawing payments.
Jan Lemnitzer, a Copenhagen Business School lecturer, thinks cyber insurance should be compulsory for businesses large and small, just as everyone who drives must have car insurance and seat belts. The Royal United Services Institute study recommends it for all government suppliers and vendors.
While he considers banning ransom payments problematic, Lemnitzer says it would be a “no-brainer” to compel insurers to stop reimbursing for them.
Some have suggested imposing fines on ransom payments as a disincentive. Or the government could retain a percentage of any cryptocurrency recovered from ransomware criminals, the proceeds going to a federal ransomware defense fund.
Such measures could bite into criminal revenues, said attorney Stewart Baker of Steptoe and Johnson, a former NSA general counsel.
“In the long run, it probably means that resources that are currently going to Russia to pay for Ferraris in Moscow will instead go to improve cybersecurity in the United States.”