Companies relying on their cyber-insurance policies to pay off ransomware criminals are being blamed for a recent increase in ransomware attacks.
Ransomware victims are increasingly falling back on their cyber-insurance providers to pay the ransom when they are hit with an extortion cyber-attack. But security researchers warn that this approach can quickly become problematic.
In the 1st half of 2020, ransomware attacks accounted for 41% of the total number of filed cyber-insurance claims, according to a Cyber Claims Insurance Report released last year by Coalition.
In real-world attacks over the past 2 years, many companies afflicted by ransomware acknowledged that they had utilised cyber-insurance to deal with either the ransom itself or the ensuing cost of remediation.
For instance, weeks after Riviera Beach, Fla. was hit by ransomware in June 2019, the city council held an emergency meeting. It voted unanimously to authorise the city’s insurer to pay off a $600k ransom demand, after the malware had frozen crucial data. Hackers also took systems that control city finances & utilities offline.
That same month, Lake City, Fla. paid ransomware attackers almost $500k, which the city announced would be mostly covered by insurance.
More recently, in Aug. 2020, the University of Utah paid a $457k ransom payment, working with its cyber-insurance provider, after an attack targeted the university’s servers, & student & faculty data.
Ransomware victim Colonial Pipeline also reportedly had cyber-insurance protection through broker Aon & Lloyd’s of London. The energy firm did pay $4.4m to attackers. However, it is unclear whether the firm utilised its policy to pay. According to a Reuters news report, Colonial Pipeline had a policy that covered it for at least $15 million.
For those companies affected by a ransomware attack, cyber-insurance is supposed to offer a ‘buffer’ for companies struggling with the aftermath. For instance, after its severe 2019 cyber-attack, aluminium company Norsk Hydro received around $20.2m in cyber-insurance from its provider, AIG. The total cost for damage from the attack was estimated to range between $60-
“The financial impact of a ransomware attack is multifaceted, and goes well beyond the ransom payment,” stated Jack Kudale, Founder & CEO of Cowbell Cyber.
“Business interruption, revenue loss, potential exposure of sensitive data and related 3rd-party liability, forensics & restoration expertise, & finally breach coaching & ransomware negotiations, can all be covered in a
The use of cyber-insurance specifically to cover negotiations, & the ransoms themselves, does not seem right to some security researchers.
“Not only does making a ransomware payment also place an organisation in a potentially questionable legal situation, it is proving to the cyber-criminals you have funded their recent expedition,” stated Brandon Hoffman, CISO at Netenrich.
Costs, Premiums & Sub-Limits
In Jan. 2021, a study from Advisor Smith Solutions found that the average cost of cyber-insurance is $1,485 per year in the US. Premiums for cyber-insurance range from $650 to $2,357 for companies with “moderate risks” and $1 million in company revenue, the study found.
These premiums are based on liability limits of $1m, with a $10k deductible.
Some of these policies have specific constraints – known as “sub-limits” – on
“Many cyber-liability policies provide very limited coverage for ransomware or cyber-extortion attacks, with coverage sub-limits as low as $25k, even when the cyber-liability policy has a much higher total limit,” explained the report.
Overall Security Landscape
The sub-limits have become more common as cyber-insurance has drawn concern from security experts about how it will change the overall security landscape. E.g., many argue that falling back on cyber-insurance policies during a ransomware attack could dissuade companies from adopting the security measures that could prevent such an attack in the 1st place.
“From a broad perspective, building in ransomware payments to insurance policies will only promote the use of ransomware further & simultaneously disincentivise organisations from taking the proper steps to avoid ransomware fallout,” Hoffman observed.
Cyber-insurance companies often tout their ability to mediate payments between a ransomware victim and cyber-criminals. But govts. are looking at potential regulatory action when it comes to ransomware – including a ban proposed by New York in 2020, preventing municipalities from giving in to ransomware demands.
This ban, introduced in response to the rising number of cyber-attacks targeting govt. agencies across the US, would limit municipal entities’ ability to pay a ransom if hit by an attack. It instead suggested the creation of a “Cyber Security Enhancement Fund” aimed at helping municipalities to upgrade their security postures.
A similar bill, proposed in the New York State Senate in 2020, would also ban municipalities from paying ransoms – but Senate Bill S7289 would omit the creation of a security fund.
Also, the US Department of the Treasury has added multiple crimeware gangs to its sanctions program, prohibiting US entities or citizens from doing business with them (including paying a ransom).
These include the developer of Crypto Locker (Evgeniy Mikhailovich Bogachev); the Sam ransomware group; N. Korea-linked Lazarus Group; & Evil Corp & its leader, Maksim Yakubets.
The Department in Oct. 2020 expanded the sanctions’ applicability, saying that in general, companies that facilitate ransomware payments to cyber-actors on behalf of clients (so-called “ransom negotiators”) may face sanctions for encouraging crime & future ransomware payment demands.
Cyber-insurers have also added in their own loopholes when it comes to certain nation-state attacks.
In 2017, when the NotPetya malware infected 100s of organisations across the world, some insurers invoked their war exclusions to avoid paying out NotPetya-related claims. These types of war exclusions deny coverage for “hostile or warlike action in time of peace & war.” However, this caused some to criticise the ambiguity of how this clause could be applied.
How can cyber-insurance policies be improved to address these matters?
Netenrich’s Hoffman argued that insurance companies should refuse to pay premiums – let alone ransoms – unless basic prevention & recovery measures are performed by the insured organisation on an ongoing basis.
Negotiate with Terrorists
“I know this sounds harsh, but there’s a reason why govts. & law enforcement do not negotiate with terrorists in hostage situations, & ransomware should be treated the same way,” explained Hoffman.
“Building a resilience plan & a recovery plan for ransomware is the proper path, & creating awareness of the likelihood that this can happen to your organisation will pay off in a big way.”