Recently, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.
Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.
Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools, and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up but kept many from going bankrupt.
The cyber insurance segment is in trouble. It is now on the edge of profitability, upended by a more than 400% rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70%, the break-even point.
Fabian Wosar, chief technical officer of Emsisoft, a cybersecurity firm specializing in ransomware, said the prevailing attitude among insurers is no longer: Pay the criminals. It’s likely to be cheaper for all involved. “The ransomware groups got way too greedy too quickly. So, the cost-benefit equation the insurers initially used to figure out whether or not they should pay a ransom it’s just not there anymore,” he said.
It is not clear how the single biggest ransomware attack on record, which began on 06 July 2021 but will impact all insurers. Pressure is building on the industry to stop reimbursing for ransoms. In May 2021, the major cyber insurer AXA decided to do so with all new policies in France. But it is so far apparently alone in the industry, and governments are not moving to outlaw reimbursement.
AXA is among major insurers that have suffered ransomware attacks, with operations in Thailand hard-hit. Chicago-based CNA Financial Corp., the seventh-ranked US cybersecurity underwriter last year, saw its network crippled in March 2021. Less than a week earlier, the cybersecurity firm Recorded Future published an interview with a member of the Russian-speaking ransomware gang, REvil, that is skilled in pre-attack intelligence-gathering and happens to be behind the current attack. He suggested it actively targets insurers for data on their clients.
CNA would not confirm a Bloomberg report that it paid a $40 million ransom, which would be the highest reported ransom on record. Nor would it say what or how much data was stolen. It said only those systems where most policyholder data was stored “were not impacted.”
In a regulatory filing with the Securities and Exchange Commission, CNA also said that its losses might not be fully covered by its insurance and “future cybersecurity insurance coverage may be difficult to obtain or may only be available at significantly higher costs to us.”
Another major insurance player hit by the ransomware was broker Gallagher. Although it was hit in September 2020, only in late June 2021 did it disclose that the attackers may have stolen highly detailed data from an unspecified number of customers from passwords and Social Security numbers to credit card data and medical diagnoses. Company spokeswoman Kelli Murray would not say if any cyber insurance policy contracts were on compromised servers. Nor would she say whether Gallagher paid a ransom. The criminals, from the RagnarLocker gang, apparently never posted information about the attack on their dark web leak site, suggesting that Gallagher paid.
Of the three insurance brokers that ransomware gangs claimed to have attacked in recent weeks, posting stolen data on their dark websites as evidence, two, in Montreal and Detroit, did not respond to phone calls and emails. The third, in southern California, acknowledged being hobbled for a week.
By the time the Colonial Pipeline and major meat processer JBS were hit by ransomware in May, insurers were already passing higher coverage costs to customers. Cyber premiums jumped by 29% in January in the US and Canada from the previous month, said Gregory Eskins, an analyst at top commercial insurance broker Marsh McLennan. In February, the month-to-month jump was 32%, in March it was 39%.
In a bid to turn back ransomware-related losses Eskins said they amounted to about 40% of cyber insurance claims in North America last year policy renewals are carrying new, stricter rules or lowered coverage limits. “The price has to match the risk,” said Michael Phillips, chief claims officer at the San Francisco cyber insurance firm Resilience and a co-chair of the public-private Ransomware Task Force.
A policy might now specify that reimbursement for extortion payments cannot exceed one-third of overall coverage, which typically also encompasses recovery and lost income and can include payments to PR firms to mitigate reputational damage. Or an insurer may cut coverage in half, or introduce a deductible, said Brent Reith of the broker Aon. While some smaller carriers have dropped coverage altogether, the big players are instead retooling.
Then there are hybrid insurers like Resilience and Boston-based Corvus. They do not simply ask potential customers to fill out a questionnaire. They physically probe their cyber defenses and actively engage clients as cyber threats occur. “We’re monitoring and making active recommendations not just once a year but throughout the year and dynamically,” said Corvus CEO Phil Edmundson.
The Government Accountability Office warned in a May 2021 report that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain.” And the New York State Department of Finance said in a February 2021 circular that massive industry losses were possible.
Both insured and insurers, stingy about sharing experiences and data, shoulder the blame for that, the UK Royal United Services Institute said in a new report. Most ransomware attacks go unreported, and no central clearinghouse on them exists, though governments are beginning to pressure mandatory industry reporting. As a business sector, insurers are not especially transparent. In the US they are regulated not by the federal government but by the states. And for now, cyber insurers are mostly resisting calls to halt reimbursements for ransoms paid.
In a May 2021 earnings call, the CEO of UK-based Beazley, Adrian Cox, said “generally speaking network security is not good enough at the moment.” He said it is up to the government to decide whether payments are bad public policy. CEO Evan Greenberg of the leading US cyber insurer, Chubb Limited, agreed in the company’s annual report in February that deciding on a ban is the government’s purview. But he did endorse outlawing payments.
Jan Lemnitzer, a Copenhagen Business School lecturer, thinks cyber insurance should be compulsory for businesses large and small, just as everyone who drives must have car insurance and seat belts. The Royal United Services Institute study recommends it for all government suppliers and vendors. While he considers banning ransom payments problematic, Lemnitzer says it would be a “no-brainer” to compel insurers to stop reimbursing for them.
Some have suggested imposing fines on ransom payments as a disincentive. Or the government could retain a percentage of any cryptocurrency recovered from ransomware criminals, the proceeds going to a federal ransomware defense fund. Such measures could bite into criminal revenues, said attorney Stewart Baker of Steptoe and Johnson, a former NSA general counsel. “In the long run, it probably means that resources that are currently going to Russia to pay for Ferraris in Moscow will instead go to improve cybersecurity in the United States.”
The following is what Red Sky Alliance recommends:
- All data in transmission and at rest should be encrypted.
- Proper data backup and off-site storage policies should be adopted and followed.
- Implement 2-Factor authentication-company-wide.
- For USA readers, join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
- Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Recommend/require cybersecurity software, services, and devices to be used by all at-home working employees and consultants.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Ensure that all software updates and patches are installed immediately.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings