Ransomware attacks are on the rise in the United States, and local counties are scrambling to keep their cyber systems insured. For those who lack cyber protection, an attack can be both costly and time-consuming.
- Cyber insurance does more than provide cover for ransoms: Cyber insurance may also cover a range of first- and third-party losses incurred by victims of ransomware (e.g. business interruption, data and system recovery, forensics and legal assistance), as well as arrange expert support in managing incidents. Insurance also helps organisations identify and address cybersecurity vulnerabilities and adopt better risk prevention in a fast-changing landscape.
- Banning ransom payments would be a blunt, potentially ineffective policy instrument: An outright ban on the payment of ransoms or their reimbursement by re/insurers could backfire by driving transactions underground and encouraging ransomware attackers to engage in new, more malicious forms of extortion.
- Governments and regulators must do more to counter ransomware attacks: Public policies should be aimed at deterring ransomware attacks, disrupting cybercriminals’ business models and illicit use of cryptocurrencies, and better preparing organisations for intrusion.
During the 2019 Baltimore Ransomware Attack, the city of Baltimore was targeted by a variant of ransomware called Robbinhood. As a result, the majority of the city’s essential servers were immediately shut down.
In order to reverse the damage, hackers demanded 13 bitcoin – roughly $76,000. If the city failed to pay the ransom, the amount would increase, as would the intensity of the shutdown.
Ultimately, the city refused to pay the ransom and the total cost of the attack far exceeded the initial amount requested by the hackers. Throughout the event, the city struggled to maintain its systems.
The Real Estate Accounting and Services Division was heavily impacted as it housed systems for tax collection, title fees, and even water bills.
It is estimated that Baltimore lost more than $8.2 million in revenue from this division alone. The total price of the attack was more than $18 million.
While costly, the Baltimore incident is not anomalous. According to Brett Callow, a threat analyst at Emsisoft, there were more than 150 cyber attacks on local municipalities, school districts and universities in 2021.
As the threat of cyber attack against counties has never been greater, insurance companies are making it clear that insureds need to take action if they wish to remain covered.
Ransomware attacks have been a significant factor in the notable deterioration in cyber insurers’ underwriting performance over the past two years.
In aggregate, the loss ratio on US cyber insurance rose from 44.6% in 2019 to 66.9% in 2020, with ransomware accounting for three quarters of claims, according to credit rating agency AM Best.
While the bulk of ransomware claims reflect recovery and remediation costs from an attack, including business interruption, the share associated with the reimbursement of ransoms has increased. More recent indicators suggest no material improvement in the claims environment, with ransomware remaining a key driver.
Gone are the days when a county could merely answer a few questions to receive cyber insurance. Today, insurance carriers require an in-depth, bottom-up understanding of a county’s security practices and protocols.
While the majority of insureds recognize the need to secure their own systems, many are finding it difficult to keep up.
As technology advances, some local governments are becoming increasingly stretched for resources. In smaller towns, there may simply not be enough employees involved to dedicate time to cyber security. In the event that a county is denied access to cyber insurance, there is no clear path to get protected.
Tim Oliver, the Chief Information Officer of Horry County, South Carolina has firsthand experience with this stressful process.
His county, which is home to roughly 365,000 people, was 2 months away from losing access to its cyber policy.
In his case, he had to round up the resources necessary to strengthen his county’s cyber practices such that they would satisfy their insurance company.
Luckily, his county has over 3,000 employees, making it possible (though unremittingly stressful) to meet the standards of their cyber liability carrier.
Smaller communities do not have the same luck, which is forcing them to get creative. When denied access to a cyber security policy, the standard reaction is to simply hope for the best.
The challenge is that, at this point, many county officials are aware that cyber attacks are a real threat with legitimate and lasting consequences.
In order to combat their vulnerabilities, some uninsured cities are creating their own cyber security insurance policies. In effect, this means that officials are setting aside money in the event that a ransomware attack or data breach affects their city directly.
While this does not tighten up cybersecurity loopholes, it does provide a sense of preparedness should an attack occur.
The good news is that local governments are beginning to take ownership of their security policies. Moving forward, insurance brokers can help these cities become more proactive in addressing their vulnerabilities by educating them on the steps they must take in order to qualify for a cyber policy.