Ransomware attacks have become even more damaging, audacious and widespread over recent years, with no obvious let-up on the horizon. The growth of this particular class of cybercrime can be tied in part to ongoing digitalisation and society’s reliance on IT, which the pandemic only served to accelerate. Despite all the benefits of digital technology, the proliferation of ransomware is an unfortunate by-product.
The ongoing diffusion of new digital technologies in everyday life and business has fundamentally affected the risk landscape facing firms and individuals.
Although technological advances create many benefits that improve our lives and lifestyles, they also leave users open to cybersecurity breaches and intrusions. The response to the global spread of COVID-19 in 2020 and 2021 has only accelerated prevailing digital trends and amplified cyber risks.
- The Geneva Association report highlights the important role of private re/insurers, alongside governments, in boosting society’s resilience to ransomware and ensuring the full benefits of digitalisation can be realised.
- The report explores the significant value add of cyber insurance beyond risk transfer, amid ongoing debate on whether to ban ransom payments or associated insurance coverage.
- Governments should do more to counter ransomware attacks: disrupt cybercriminal business models, fight illicit use of cryptocurrencies and promote cyber hygiene throughout business and society.
The report’s key messages include the following:
- Cyber insurance does more than provide cover for ransoms: Cyber insurance may also cover a range of first- and third-party losses incurred by victims of ransomware (e.g. business interruption, data and system recovery, forensics and legal assistance), as well as arrange expert support in managing incidents. Insurance also helps organisations identify and address cybersecurity vulnerabilities and adopt better risk prevention in a fast-changing landscape.
- Banning ransom payments would be a blunt, potentially ineffective policy instrument: An outright ban on the payment of ransoms or their reimbursement by re/insurers could backfire by driving transactions underground and encouraging ransomware attackers to engage in new, more malicious forms of extortion.
- Governments and regulators must do more to counter ransomware attacks: Public policies should be aimed at deterring ransomware attacks, disrupting cybercriminals’ business models and illicit use of cryptocurrencies, and better preparing organisations for intrusion.
Extortion through ransomware is only one feature of the evolving cyber risk landscape, but its potential impact on victims and their insurers, who may underwrite associated losses, demands special attention.
For re/insurers, the proliferation of ransomware attacks has driven up claims, which has prompted an increase in insurance premiums.
Many ransomware victims may simply find it easier and less costly to pay the ransom demand than to endure interruption to their businesses and/or incur costs to remove the malware and restore data. This is potentially creating a vicious cycle and incentivising criminals to continue carrying out ransomware attacks.
A natural reaction may be to prohibit ransom payments altogether; some governments around the world contemplate such a move. But the law of unintended consequences suggests caution, as such a ban could mean that organisations most in need of protection are even more exposed to an attack.
"Instead, the future management and prevention of ransomware attacks will be a complex undertaking, requiring a multi-faceted approach."
– Jad Ariss, Managing Director, The Geneva Association
Some re/insurers have already invested in new ways to assess insureds’ cyber maturity and security controls. Additionally, insurers can leverage premium discounts, co-insurance and retention arrangements to incentivise organisations to adopt essential cybersecurity best practices, reducing their susceptibility to intrusion.
"With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers. They control a critical lever with their ability to incentivise customers to maintain strong cybersecurity controls and standards, helping to reduce firms’ vulnerability to attack and boost their cyber resilience."
– Jad Ariss, Managing Director of The Geneva Association
Governments and regulators have their levers, too, and as our report highlights, they need to rein in the illegal use of cryptocurrencies and do more to ensure information exchange about incidents as well as improve international cooperation among law enforcement.
Ransomware attacks – a form of cyber extortion
As a form of cyber extortion, ransomware is malicious software that gains access to files or systems and blocks user access until the victim pays a ransom in exchange for a decryption key. It has become a serious issue as the number of attempted intrusions and successful attacks as well as the size of ransom demands have trended sharply higher in recent years.
Cybercriminals are also deploying sophisticated approaches to extort their victims, including threats to release sensitive information or take down a firm’s website if the ransom is not paid.
The development of the ransomware-as-a-service (RaaS) business model has supercharged this field of cybercrime and enabled threat actors, even with limited technical IT skills, to launch highly disruptive attacks.
Ransomware attacks have been a significant factor in the notable deterioration in cyber insurers’ underwriting performance over the past two years.
In aggregate, the loss ratio on US cyber insurance rose from 44.6% in 2019 to 66.9% in 2020, with ransomware accounting for three quarters of claims according to credit rating agency AM Best.
While the bulk of ransomware claims reflect recovery and remediation costs from an attack, including business interruption, the share associated with the reimbursement of ransoms has increased. More recent indicators suggest no material improvement in the claims environment, with ransomware remaining a key driver.
In the face of continued claims, cyber insurers’ loss ratios remained elevated in 2021 despite a steep increase in the price of cyber insurance last year.
By paying ransoms, firms also potentially incentivise ransomware criminals and in the process amplify the risk of future attacks on themselves or others.
While this economic externality exists whether or not the victim of a ransomware attack is insured, some external commentators have expressed concern that the presence of insurance could make the situation worse by encouraging targeted ransomware attacks on those with cover.
[Figure: Breakdown of ransomware insurance claims, by type of expense]
Governments have also hinted at the unintentional impact that insurance may have on ransomware extortion, highlighting how the ransoms demanded are often tailored to the amount insured under the cyber insurance policy.
"The ransomware landscape is now highly evolved and sophisticated, especially with the development of ransomware-as-a-service. Such ransomware attacks are driving significant increases in insurance claims and, as a consequence, premiums. Would banning ransom payments be a viable solution? According to our study, insurance companies do not think so. Prohibiting ransom payments or their reimbursement by insurers would likely drive transactions underground, forfeiting the ability of the authorities to record and analyse incidents and prosecute criminals. Furthermore, the last thing we should do is take steps that might discourage smaller firms from taking out cyber insurance, the benefits of which go well beyond reimbursing ransoms."
– Darren Pain, The Geneva Association’s Director of Cyber and Evolving Liability
This has revived a policy debate about how far governments should intervene to mitigate the economic externality associated with ransoms either paid directly by victims or reimbursed by re/insurers; that is, the extent to which governments can use additional laws, regulations and taxes to ensure victim firms recognise the costs that paying ransoms impose on others in terms of possibly fostering more ransomware and ratcheting up future extortion demands.
In practice, there are no easy solutions and measures often involve important trade-offs, not least because of the potential for unintended consequences.
The challenge of economic externalities is not unique to ransomware. Similar issues arise in the context of kidnap and ransom (K&R) insurance. K&R re/insurers have developed market practices to encourage a standard approach to information exchange and resolution which works to stabilise ransoms.
Although the market for cyber insurance is also concentrated, there are limited mechanisms to share intelligence about attacks, let alone impose sanctions on re/insurers that deviate from established ransom benchmarks.
Ransomware attacks and payouts
By compensating victims for all insured costs of a cyber-attack, insurers make good on their promise to indemnify policyholders against any harm suffered that was beyond their control. As part of the underwriting process, insurers also expose weaknesses in an organisation’s cyber defences and provide guidance for strengthening security. These core aims of insurance need to be weighed against any potential adverse-incentive effects on cybercriminals to carry out ransomware attacks.
This is why it is important that the views of re/insurers on how to deal with ransomware are always part of the debate.
For a re/insurer perspective, we surveyed and/or interviewed selected Geneva Association member companies that are active in cyber insurance.
The main findings are as follows:
- Banning ransom payments is a blunt, potentially ineffective instrument. Banning ransom payments by the targeted companies or prohibiting reimbursement by re/insurers would probably discourage some attacks; but such a blunt policy response may not always have the desired effect, especially if bans are not consistently applied on an international level.
- Cyber insurance provides more than cover for ransoms. Most re/insurers are not daunted by the prospect of a ban on ransom payments – the value proposition of cyber insurance would remain, especially since it serves as a key mechanism for convening experts to assess the incident and recommend a timely response.
- Involving outside experts leads to better outcomes for the insured. Independent experts help the affected organisations make informed decisions about ransomware attacks and better negotiate, potentially lowering the ransom actually paid, although the chosen response to a ransomware attack is ultimately up to the victim.
- Insurance helps improve overall cyber hygiene standards. Along with supporting the insured in the case of an attack, insurance plays an important role in encouraging good cyber hygiene and risk prevention, for example through premium discounts, co-insurance and retention arrangements as well as cover limits, all of which can vary across firms according to their overall security standards.
- Governments and regulators must go further to counter ransomware attacks. Policies aimed at deterring ransomware attacks, disrupting cybercriminals’ business models (including their use of cryptocurrencies to launder funds), better preparing organisations for intrusions and more effectively responding to attacks will improve the security of cyberspace and help legitimate businesses gain the upper hand against cyber adversaries.
There is no silver bullet for ransomware. A multi-faceted approach will be required to reduce the underlying drivers, limit their impact and ensure business resilience.
For that reason, cyber insurance should be seen as an integral part of the solution rather than a catalyst for ransomware.
While outright ransom bans or restrictions continue to be discussed in some jurisdictions, such legal reforms remain subject to considerable debate and ultimately may never make it to the statute book.
Instead, governments seem to be coalescing around a combination of enhanced security measures to counter the rise in ransomware.
These include updating disclosure laws to increase the understanding of the crime and enable better targeting of disruption activities; tougher regulation to make it harder for criminals to use cryptocurrencies for illicit purposes; more effective mechanisms and institutional structures to exchange threat information among stakeholders, including improved international cooperation among law enforcement agencies; and measures to promote cybersecurity best practice as well as address vulnerabilities in software supply chains.
The cyber insurance market remains small but nascent
Premiums represent less than 1% of the global property and casualty market while some reports indicate that only around a third of small businesses purchase this kind of protection.
To help the market develop further, policymakers should therefore avoid measures that could inadvertently discourage households and firms from buying cyber insurance.
Instead, policies that aim to safeguard cyberspace, promote cybersecurity and undermine cybercriminals’ business models will help to counter malware cyberattacks and increase re/insurers’ appetite to absorb cyber risks from those less able to deal with them.
Ransomware – a type of malicious software that gains access to files or systems and blocks user access until the victim pays a ransom in exchange for a decryption key – and other associated forms of cyber extortion have recently become especially prolific.
These sorts of cyberattacks have been a significant factor in the sharp deterioration in cyber insurers’ underwriting performance over the past two years.
In the face of higher incurred losses, risk-absorbing capacity has fallen as some re/insurers have withdrawn from the cyber market and/or reduced limits and sub-limits on available cover. With demand for protection remaining strong, and even growing given heightened awareness of malicious cyber threats, this has triggered a rapid re-pricing of cyber insurance.
According to Marsh, in the year to Q1 2022 the cost of cyber protection rose by more than 100% in the U.S. and the U.K. and by 80% in Continental Europe.
More restrictive coverage terms, including higher retentions, co-insurance and exclusions, have also become more prevalent.
Improved cyber insurance pricing
Improved cyber insurance pricing may have arrested the worsening in underwriting performance. But market indicators suggest no material improvement in the claims environment. More than 80% of U.S. brokers indicated that cyber claims increased in Q4 2021, up from 66% in Q4 2020.
Anecdotal evidence from the 1 January 2022 reinsurance renewal cycle revealed additional reported loss activity for earlier years.
Claims data analysed by Aon indicate that ransomware incidents contributed to losses in more than 50% of instances in each of the first three quarters of last year.
Equally, Willis Towers Watson highlight that ransomware is anticipated to have been the costliest loss event category in 2021. Given the continued upward pressure on claims, cyber insurers’ loss ratios remained elevated in 2021.
Affirmative cyber insurance policies typically cover the external expenses associated with the breach, business interruption costs, liabilities to third parties affected by the attack as well as any ransom paid.
While ransom reimbursements do not make up the bulk of ransomware insurance claims, their share in overall incident costs has grown in recent years, alongside breach response costs. According to data from Corvus, extortion payments represented 30% of the value of ransomware claims in 2020, up from just over 20% in 2019.
Insurance payments for ransomware cause more attacks
In compensating victims for all insured costs of an attack, including any ransoms paid, insurers make good on their core promise to indemnify policyholders against any harm suffered that was beyond their control. However, some external commentators worry that reimbursing victims for ransoms may encourage targeted ransomware attacks.
One 2021 study shows that 70% of U.K. IT security professionals surveyed believe insurance payments to companies that have paid a ransomware demand exacerbate the problem and cause more attacks.
Governments have also hinted at the unintentional impact that insurance may have on ransomware extortion. In its recently published Ransomware Action Plan, the Australian government noted that ransom payments demanded from insured organisations are often tailored to the insured amount under a cyber insurance policy.
Cyber insurance does more than just provide vital financial protection and the operational support needed to deal with a ransomware intrusion.
As part of the underwriting process, insurers often expose weaknesses in an organisation’s cyber defences, provide guidance to strengthen their security posture and – through the terms and conditions of available cover – incentivise investment in best-practice cyber hygiene.
Some carriers (directly or in collaboration with specialist cybersecurity firms) continuously monitor the threat environment, highlighting vulnerabilities and weaknesses in a firm’s networks and systems that might be unknown to the policyholder. In many cases, those issues can be addressed quickly to prevent the firm from becoming the victim of an attack.
AUTHORS: Darren Pain – Director, Cyber and Evolving Liability, The Geneva Association; Dennis Noordhoek – Director, Public Policy & Regulation, The Geneva Association