
Does Cyber Insurance Add to Ransomware?

An increasing number of articles on the topic would have you believe so, and it is a question we’ve long pondered as one of the larger providers of cyber insurance in North America.  

The Wall Street Journal just published an article, “As Ransomware Proliferates, Insuring for It Becomes Costly and Questioned,” highlighting a surge in the cost of cyber insurance amid mounting claims from ransomware and speculating that insurance payouts may only be encouraging ransomware attacks.

A spokesperson for Tenable stated it plainly: “[T]he insurance company pays the ransom, the criminals make more money, so they make more ransomware, which leads to more insurance, which leads to more payment, and so we get into this vicious cycle.”

Logical. Or is it?

What causes ransomware?

Ransomware is not just a type of malware. It is a criminal business model in which the perpetrator seeks to obtain benefit by taking hostage a victim’s data, infrastructure, economic output, intellectual property or even privacy. It is extortion in its purest form, and it won’t go away for as long as organizations allow assets of value to be taken hostage. Whether an organization purchases insurance or not has no bearing on the value of the underlying assets taken hostage. Nor, in the vast, vast majority of cases, are organizations targeted because they have an insurance policy – this simply isn’t information that an attacker has prior to an initial compromise.

Organizations are targeted by threat actors because they have made poor technological choices, oftentimes exposed to the public internet, that make them targets. They are targets of opportunity. Phishing, internet-exposed remote network access, and unpatched internet-facing software and devices account for the vast majority of ransomware targeting and initial compromise. Unfortunately, there are more opportunities (i.e. vulnerable targets) than there are criminals to exploit them, and, as a result, most ransomware actors prioritize targets based on their size and financial resources, which they use as a proxy for the value of the assets taken hostage and the victim’s ability to pay. We have seen first-hand communication between threat actors in which an organization gets a “pass” because it isn’t large enough.

The role of insurance in paying ransoms

Nearly all cyber insurance policies cover ransomware: not only ransom amounts, but also digital forensics and incident response (DFIR) costs to respond to the ransomware event, costs to restore and recover lost assets, and the resulting business interruption losses (i.e. lost income). From our experience, no one wants to pay a ransom. Certainly not the insurance company and almost never the client. Both react with the hostility of parents whose children have been kidnapped, and neither will agree to pay a ransom unless it is a last resort. Often, assets can be restored without doing so, with the insurance policy covering the other costs and lost income – exactly as intended.

However, occasionally assets cannot be restored. No backups and no recourse. Pay the ransom or face existential ruin. This is the unenviable position some organizations find themselves in, and the majority do not have insurance. For those that do, there is coverage if the policyholder elects to pay. Because it is impossible to ever be 100% secure, 100% of the time, insurance is literally the only thing that can provide protection against the possible eventuality of a ransomware attack in which an organization has no other means to recover. Moreover, because insurance policies cover the costs of experienced DFIR vendors, or, as in our case, provide such services directly, insured organizations are able to negotiate ransom demands down (nearly 100% of the time, in our experience), something a victim would have a considerably harder time doing on its own.


While some insurers are pulling back on coverage, and even eliminating it, and while there is chatter of public policy efforts to render extortion uninsurable or otherwise prevent extortion payments from being made, it would be a tremendous disservice to the organizations affected by these attacks to prevent the insurance industry from continuing to innovate to fight cybercrime. It is impossible to imagine how much worse the world would be without insurance. 

Not only do insurance companies provide a tremendously valuable service, they have a unique ability to encourage – even enforce – the basic cybersecurity hygiene that is so desperately needed. They can also do so at a considerably lower cost than organizations can by themselves.

The role of insurance in fighting cyber crime

There is literally no industry better positioned to fight cybercrime than the insurance industry. Insurers have one thing in common that others (including cybersecurity companies) do not: a direct financial incentive to protect insured clients and prevent financial loss.

To have an impact commensurate with our position, we must act to:

  • Improve underwriting standards across the board. In today’s market, an organization should struggle to get coverage if it has not implemented multi-factor authentication (MFA), disabled remote network access from the internet or implemented any number of other highly effective security controls. The insurance industry can serve, and is serving, as one of the single most effective enforcers of cybersecurity hygiene at scale. We’ve written about how we do this in another post, “Underwriting ransomware: Our unique approach and what it means for our customers”.
  • Provide risk engineering services to customers at little to no cost. Many insurance providers, like Coalition, now continuously collect data on insureds, follow claims, and use this information to alert other customers to imminent risks. In our case, we do this automatically and at no additional cost to the policy premium. We did this to dramatic effect following the recently disclosed zero-day vulnerabilities in Microsoft Exchange. As we published in our blog, within 48 hours of the disclosure we identified nearly 1,000 potentially affected policyholders. Today, we have only six vulnerable policyholders (!).
  • Maintain effective ransomware coverage for those that need it most. This will mean balancing public policy objectives while avoiding actions that disenfranchise businesses (particularly small businesses). Moreover, any move to make ransomware “uninsurable” would likely (and ironically) hinder, not foster, innovation in the cyber insurance market. Many, although not all, insurers have made dramatic progress in protecting clients from ransomware. Coalition customers report 1/20th the frequency of ransomware claims vs. the broader market, by our own estimates, because we help each achieve a threshold of cybersecurity hygiene that dramatically lowers the likelihood of a successful ransomware attack.
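The three points above describe an underwriting hygiene check and a post-disclosure lookup over policyholders' internet-facing assets. The following is an added example of what such a check can look like in code; it is not Coalition's tooling, and the policyholder names, host records, field names (`service`, `mfa`, `patched`) and recommendation labels are all constructed for illustration. It applies the initial-access vectors the post names (internet-exposed remote network access without MFA, unpatched internet-facing software) as rules over an external-scan inventory and produces a per-policyholder recommendation, plus the "who is running the affected product" lookup used after a disclosure.

```python
"""Hypothetical underwriting hygiene check over constructed external-scan records.

Added example, not Coalition's code. Every record below is constructed; the
field names and recommendation labels are assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Services the post singles out as initial-access vectors when internet-exposed.
REMOTE_ACCESS_SERVICES = {"rdp", "smb", "vnc", "telnet", "vpn", "citrix"}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# Constructed sample inventory: one external-scan record per policyholder.
SCAN_RECORDS = [
    {"policyholder": "acme-corp", "hosts": [
        {"ip": "203.0.113.10", "port": 3389, "service": "rdp", "mfa": False},
        {"ip": "203.0.113.11", "port": 443, "service": "exchange-owa", "patched": False},
    ]},
    {"policyholder": "globex", "hosts": [
        {"ip": "198.51.100.5", "port": 443, "service": "vpn", "mfa": True},
        {"ip": "198.51.100.6", "port": 443, "service": "https", "patched": True},
    ]},
    {"policyholder": "initech", "hosts": [
        {"ip": "192.0.2.20", "port": 443, "service": "exchange-owa", "patched": False},
    ]},
]


@dataclass(frozen=True)
class Finding:
    host: str       # "ip:port/service" label of the exposed host
    severity: str   # one of SEVERITY_RANK
    reason: str


def assess_host(host: dict) -> List[Finding]:
    """Apply the hygiene rules to a single internet-facing host record."""
    findings: List[Finding] = []
    service = host["service"]
    label = f'{host["ip"]}:{host["port"]}/{service}'
    if service in REMOTE_ACCESS_SERVICES:
        if host.get("mfa", False):
            # Exposed but MFA-protected: still worth a look, not a blocker.
            findings.append(Finding(label, "medium",
                                    "remote network access exposed to the internet (MFA enforced)"))
        else:
            findings.append(Finding(label, "critical",
                                    "remote network access exposed to the internet without MFA"))
    if host.get("patched") is False:
        findings.append(Finding(label, "high",
                                "internet-facing software with an unapplied security patch"))
    return findings


def assess_policyholder(record: dict) -> List[Finding]:
    """All findings for one policyholder, most severe first."""
    findings = [f for h in record["hosts"] for f in assess_host(h)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


def coverage_recommendation(findings: List[Finding]) -> str:
    """Map findings to an underwriting action (labels are constructed)."""
    if any(f.severity == "critical" for f in findings):
        return "decline-until-remediated"
    if any(f.severity == "high" for f in findings):
        return "refer-to-underwriter"
    return "standard"


def triage(records: List[dict]) -> Dict[str, dict]:
    """Run the check across the whole book of business."""
    result = {}
    for rec in records:
        findings = assess_policyholder(rec)
        result[rec["policyholder"]] = {
            "recommendation": coverage_recommendation(findings),
            "findings": findings,
        }
    return result


def affected_by(records: List[dict], service: str) -> List[str]:
    """Policyholders exposing `service` to the internet: the lookup needed after a
    vendor disclosure, so that each can be alerted to remediate."""
    return sorted(r["policyholder"] for r in records
                  if any(h["service"] == service for h in r["hosts"]))


if __name__ == "__main__":
    for name, outcome in triage(SCAN_RECORDS).items():
        print(name, outcome["recommendation"])
        for f in outcome["findings"]:
            print(f"  [{f.severity}] {f.host}: {f.reason}")
    print("exposing exchange-owa:", affected_by(SCAN_RECORDS, "exchange-owa"))
```

Run stand-alone, it lists each constructed policyholder with its recommendation and findings, then the policyholders that would receive an alert for the `exchange-owa` service. The rules are deliberately few and explicit so that an underwriter can read them; in practice the inventory would come from continuous external scanning rather than a literal in the script.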

It is in the collective interest of all that, as an industry, we tackle this problem with innovation rather than merely regulation.

Wake-Up Call on Ransomware

The ransomware attack that shut down the 5,500-mile Colonial Pipeline, the largest fuel pipeline in the U.S., contains two important seeds of opportunity.

First, the federal government looks like it may get much more involved in preventing or at least prosecuting cyber attacks, specifically for important infrastructure like pipelines and electric grids, but perhaps more broadly, too.

Second, the attack raises the profile of the ransomware problem to the point that insurance clients may no longer be able to ignore it — which they mostly have even as ransomware activity quintupled globally between the first quarter of 2018 and the fourth quarter of 2020, according to Aon. This higher profile will create the opportunity for insurers to work with clients to finally step up their defenses.

Let me be clear, lest I come across as Pollyannaish: This was a serious assault on a major piece of infrastructure and will likely result in higher gasoline prices, at least in the eastern half of the U.S. The attack also raises the prospect of devastating assaults on other pieces of key infrastructure, both in the U.S. and around the world. In addition, because the ransomware attack was arranged by a criminal ring in Russia, the attack brings into play all sorts of geopolitical issues that go well beyond what happens when some lone criminal hacks his way into a single corporation.

I’m merely suggesting that good things could also come out of the attack by the DarkSide group in Russia, because it underscores two problems that have long been obvious but that have somehow been ignored. The actions spurred by the attack won’t be perfect solutions by any means, but they should help.

The main action looks to be an aggressive response by the federal government, which has struck me as too passive as criminal gangs have greatly stepped up their ransomware attacks. There are limits to what the government can do against international gangs like DarkSide — it’s not as though President Biden can just call Vladimir Putin to complain and have him say, “Oh, sure, I’ll get right on it” — but having the Feds in the game should help a lot.

The other main action — the big opportunity for insurers — will occur because companies will increasingly see their vulnerability (finally!) and request help from the experts: the insurance companies that deal with cyber issues every day.

Thought leaders have been warning about ransomware for ages here at ITL — look at “5 Questions That Thwart Ransomware,” “A Dangerous New Form of Ransomware” and “Ransomware Becomes More Pernicious.”

Look, in particular, at this recent article: “How to Combat the Surge in Ransomware,” from Tokio Marine HCC’s Cyber and Professional Lines Group. It describes what I think is the ideal approach for insurers assisting their clients, not just by selling insurance but by helping them reduce their risks — steering clients toward state-of-the-art tools (priced based on the insurer’s bulk discount) that monitor vulnerabilities, toward using multi-factor authentication, toward training, etc.

As long as the bad guys have shown they can work together and take down big targets like the Colonial Pipeline, the good guys need to work together, too. That surely means more help from the federal government on what is a national and, increasingly, international problem but also means insurers need to step up and deliver the sort of expertise and counsel that they possess uniquely and that define the industry’s noble purpose.



P.S. Here are the six articles I’d like to highlight from the past week:

Workers Comp Trends for Technology in 2021

An efficient workflow passes 60% to 70% of medical bills straight through; workers’ comp has a long way to go.

Are Your Healthcare Vendor’s Claims Valid?

This article, the first in a series, looks at how regression to the mean is often misused to justify false claims about the success of wellness programs.

4 Ways to Seize the Latent Demand

Consumers recognize now more than ever the importance of adequate insurance coverage. Now is the time to seize on this opportunity.

Time to Reimagine the Finance Function

What’s possible for finance has been redefined: Comprehensive data makes it easier to connect performance across the business.

Tapping Into Life, Health Innovation

Those who welcome outsider participation in innovation can unlock new solutions without needing to reinvent their current businesses.

Insurance and Financial Protection

If the life insurance crisis is hard to understand, we must make it easy to comprehend. The insurance industry must lead us through this crisis.