How The Cyber Insurance Industry's Bottom Line Is Fueling Ransomware
from the p-and-l dept
The past decade or so has seen an explosive upward trend for the cyber insurance industry. Given the rise of malware, particularly of ransomware, it's perhaps not surprising that an insurance market sprouted up around that reality. It's gotten to the point that those of us whose day-to-day business is managing client networks in the SMB space are now regularly fielding requests for how to obtain cyber insurance.
But when you begin to dig into how that industry operates and the methodology by which it advises its clients, it quickly becomes apparent that the cyber insurance industry itself is fueling the growth in ransomware attacks worldwide. ProPublica has a long and fascinating post on the topic, first discussing a real-world example concerning a municipality that was hit with ransomware, attempted to resolve this on its own through restoration of backups, but ultimately was advised by its cyber insurance partner to pay the ransom. In doing so, the municipality was out only its $10k deductible, while the insurance company paid out over $400k to the attacker. This was seen as a good deal for the municipality.
But was it? It turns out that the IT department for the city was putting together a restoration plan. That plan would take time to implement, require the involvement of outside consultants, and would require overtime work by the IT staff. All of that, of course, would be paid for by the cyber insurance company if the city went down that path. Instead, the ransom was paid.
This highlights two troubling trends in the cyber insurance industry. The first trend concerns how insurance companies advise their clients when attacked... and why they advise them in the way they do.
A spokesperson for Lloyd’s, which underwrites about one-third of the global cyber-insurance market, said that coverage is designed to mitigate losses and protect against future attacks, and that victims decide whether to pay ransoms. “Coverage is likely to include, in the event of an attack, access to experts who will help repair the damage caused by any cyberattack and ensure any weaknesses in a company’s cyberprotection are eliminated,” the spokesperson said. “A decision whether to pay a ransom will fall to the company or individual that has been attacked.” Beazley declined comment.
Fabian Wosar, chief technology officer for anti-virus provider Emsisoft, said he recently consulted for one U.S. corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company’s insurer pressured it to pay the ransom, he said. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required, Wosar said. The company agreed to have the insurer pay the approximately $100,000 ransom.
Examples of this abound throughout the rest of the post. Essentially, the insurance company simply calculates which will be the more expensive payout for the insurer: the ransom or the cost of recovery? If the cost of the ransom is less, the insurance company advises, and sometimes pressures, the client to decide to pay the ransom. This can often look like the better option, as recovery from a malicious disaster is time-consuming and comes without the assurance that a full recovery is even possible. What's a $10k deductible compared with a city's systems being down for two weeks? This can seem like a win for the insured party, or at least the most mitigated loss possible.
The problem is what this does throughout the rest of the world, which is troubling trend number two.
As insurance companies have approved six- and seven-figure ransom payments over the past year, criminals’ demands have climbed. The average ransom payment among clients of Coveware, a Connecticut firm that specializes in ransomware cases, is about $36,000, according to its quarterly report released in July, up sixfold from last October. Josh Zelonis, a principal analyst for the Massachusetts-based research company Forrester, said the increase in payments by cyber insurers has correlated with a resurgence in ransomware after it had started to fall out of favor in the criminal world about two years ago.
One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting “insurance coverage relating to cybersecurity incidents.”
To some degree, this happens whenever insurance is introduced into a specific market. Nefarious actors recognize how insurance companies calculate their decision making and react accordingly. Now that cyber insurance is commonplace, and given that those insurance companies very often recommend paying malware ransoms, there are more attacks asking for more money more often.
The cyber insurance companies, in the interest of maximizing income and minimizing payouts on their own policies, are actually fueling the ransomware industry. You might guess that the industry would see this as a problem. Given the data, however, it's likely that the increase in attacks the insurance industry is fueling ultimately benefits the cyber insurance industry.
Driven partly by the spread of ransomware, the cyber insurance market has grown rapidly. Between 2015 and 2017, total U.S. cyber premiums written by insurers that reported to the NAIC doubled to an estimated $3.1 billion, according to the most recent data available.
That reads like a classic case of causing the problem for which you sell the cure. Nobody is suggesting that cyber insurance companies are doing this on purpose, of course, but that is indeed the practical effect.
The real problem is that all of the incentives are wrong here if the ultimate goal is less ransomware. Fortunately, there will come a point where diminishing returns for the industry will incentivize it to try to reduce attacks. That's why, as the post notes, the best solutions for how to prevent ransomware attacks may well end up coming from the insurance industry itself.
But in the meantime, ransomware continues to grow and grow, supercharged by the profit and loss needs of the industry that's supposed to oppose it.
Filed Under: cyber insurance, insurance, ransomware
Reader Comments
'We may be paying, but we won't be paying YOU.'
Paying ransom is a great way to ensure that you will get hit again, as it not only makes clear that you are vulnerable, but also that ransom demands will result in a payout for the ones issuing those demands.
Much like with copyright extortionists, paying the initial demand may seem like the cheaper option, but all it does is paint a huge freakin' target on your back and let everyone else who may want a cut know that going after you is a lucrative endeavor, as opposed to potential targets who make clear that it doesn't matter if refusing the demand will cost them: none of the money will go to the ones issuing those demands, and as such the only thing the one issuing ransom demands will get will be an investigation by the police or other similar agency.
Re: 'We may be paying, but we won't be paying YOU.'
Hence the quote from the article: "One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance."
It's likely that an investigation's going to happen either way. Did any of the victims stop assisting the FBI?
Re: Re: 'We may be paying, but we won't be paying YOU.'
It's likely that an investigation's going to happen either way.
Sure, but there's a significant difference between 'tried to extort money from a target and only got the attention of the FBI' and 'tried to extort money from a target, got several tens, if not hundreds of thousands of dollars, and now have to deal with an FBI investigation.'
With potential gains like that on the line criminals are much more likely to risk an investigation, but if it's well known that there will be no money gained, only an investigation, then it becomes much less tempting.
What happens if paying the ransom does not result in the correct decryption key being received? Also, who pays for the work that should be carried out to ensure the ransomware has not left a backdoor or spyware behind?
Re:
Oddly, the ransomware folks have secure support lines to help their paying customers recover their data. The high cost of running a support team is one factor pushing the scammers away from random attacks and into the business of highly targeted strikes against businesses or municipalities with deep pockets.
In one sense, it is a validation of the free market - working as intended! Market pressure forces them to uphold their promises even if the force of law can't ensure that the files will be encrypted.
Re:
I think one of the article's points is that nobody pays for that. The insurance premiums will go up, and the insurer will pay out again if the backdoor/spyware is used against the company.
And it's the cyber, so there is no way to tell who is behind it...
even if it's a few guys in the basement of one of the larger insurers making extra bank...
Who knows, this might become a new 419 scam.
"I earned my money by convincing a multinational prince company to give me money so they did not lose their porn empire. I now need someone to help me protect my millions. I will give you a small cut of 30% if you just give me your name, address, and telephone number and your bank details, I will make sure monies are transferred!"
Nothing new here
Disclosure: I sell insurance for a living, including cyber insurance.
Insurers have been paying ransoms for years. When the Somali piracy problem was at its height, insurers seriously considered ceasing ransom payments and diverting the money to a mercenary navy: https://www.wired.com/2008/10/mercenaries-vs/
At municipality level cyber insurance is booming as many are now being told this cover (particularly the third party liability aspect) is compulsory alongside their other insurances. The first party section of the policy is commonly bought alongside the third party cover and it is the former which pays for the rebuilding and reinstatement of data post attack... or the payment of ransom.
However, even insurance companies will say that their products should be bought in conjunction with existing tech protections. The policy should be the safety net if your system protections fail.
Municipality and Enterprise level policies are not off the shelf - they are structured and the contract is built around existing protections in place, attitude of the buyer and any claims history to date.
If your system protections are low, user culture poor and buying attitude "give me the cheapest bit of paper so I can tick the box" then you will get an expensive (low value) policy with low limits of cover.
If you have strong systems, a good internal attitude towards infosec and active risk management, you will have more insurers quoting for your business, greater market competition, greater premium value and also an insurer with a more pro-active claims attitude than "how little can we pay to get out of this".
Full Nightly Back-Ups
It gets harder in many industries because of the increased volume of data, but for recovery it is hard to beat. City Hall closes at 1700, the cron job writes a tape at 1800, and the IT guys sleep like rocks overnight.
For those needing 24/7, the method of daily data extraction and preservation is more complicated. Still, the goal is to be able to restore from back-up and be alive the next day.
Part of figuring out how to scale your operations ought to be figuring out how to make a back-up, and how you will restore it. It cannot hurt to do a test restore every so often.
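As an added example, not code from the article or from the commenter, here is the nightly job the comment describes in POSIX shell: archive the file tree, record a hash manifest of what was backed up, and then do the test restore the commenter recommends, verifying every restored file against that manifest. The directory layout and sample files are constructed for the demo; the paths under $WORK stand in for the file shares and the 1800 tape, which in practice should be offline or otherwise unwritable from the production hosts.

```shell
#!/bin/sh
# Added example: nightly backup plus a verified test restore.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DATA="$WORK/data"        # constructed stand-in for the city's file shares
BACKUPS="$WORK/backups"  # constructed stand-in for the 1800 tape
RESTORE="$WORK/restore"  # scratch area used only for the test restore

# Constructed sample data standing in for the production tree.
seed_data() {
    mkdir -p "$DATA/finance" "$DATA/permits"
    printf 'ledger 2019-q2\n' > "$DATA/finance/ledger.csv"
    printf 'permit 4471 approved\n' > "$DATA/permits/4471.txt"
}

# Write the archive and a SHA-256 manifest taken from the live tree, so the
# restore is checked against what was actually backed up, not against the
# archive's own contents.
make_backup() {
    stamp="$1"
    mkdir -p "$BACKUPS"
    ( cd "$DATA" && find . -type f | sort | xargs sha256sum ) > "$BACKUPS/$stamp.sha256"
    tar -C "$DATA" -czf "$BACKUPS/$stamp.tar.gz" .
    echo "$BACKUPS/$stamp.tar.gz"
}

# Test restore: unpack into the scratch tree and verify every manifest entry.
# Returns 0 only if every file came back byte-for-byte identical.
test_restore() {
    stamp="$1"
    rm -rf "$RESTORE" && mkdir -p "$RESTORE"
    tar -C "$RESTORE" -xzf "$BACKUPS/$stamp.tar.gz"
    ( cd "$RESTORE" && sha256sum -c --quiet "$BACKUPS/$stamp.sha256" )
}

# The cron entry point: back up, then prove the backup restores. A backup
# that was never restored is only a hope, not a recovery plan.
nightly() {
    stamp="$(date +%Y%m%d)"
    make_backup "$stamp" >/dev/null
    if test_restore "$stamp"; then
        echo "backup $stamp verified"
    else
        echo "backup $stamp FAILED restore check" >&2
        return 1
    fi
}
```

Run `seed_data` once to create the demo tree, then schedule `nightly` from cron at 1800; a non-zero exit is the signal that the tape cannot be trusted for tomorrow's recovery.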