The ransomware attack on Colonial Pipeline Co. that caused gasoline shortages along the U.S. East Coast also sparked a debate about whether cyber insurance helps protect against marauders — or attracts them.
Some cyber-security experts say hackers target companies that have coverage, because they know the firms can pay ransoms. But others believe the blame is misplaced and that insurers, if anything, have raised the bar on cybersecurity.
“Ransomware actors are in it for the money so if they know a target is insured, they may go after that target,” said Chris Painter, president of the Global Forum on Cyber Expertise and former cyber coordinator at the U.S. State Department. “On the other hand, underwriting standards for insurance often contain requirements that incentivize their insureds to be better at cybersecurity and hopefully prevent some of these attacks.”
Attacks have been on the rise. Cyber-security firm Emsisoft recorded a roughly 12.4% jump in the number of victims reporting they were hit last year, compared with 2019. The amount of ransom being demanded nearly doubled in 2020, according to Group-IB.
“Ransomware has been sharply escalating in its frequency and the amount of demands being asked,” said Matthew McCabe, a senior vice president in the cyber practice at Marsh McLennan. “Cyber attacks are increasing in their sophistication and organization. Ransomware gangs have been at this for a while now and, as with any enterprise, they get better at it as they go along.”
Meanwhile, the cyber-insurance market has been growing. Premiums for standalone cyber policies were up 28% in 2020 compared to a year earlier and have increased about 76% since 2016, according to ratings firm AM Best. But not every company is buying coverage. Just 47% of insurance broker Marsh’s clients in the U.S. purchased standalone cyber policies, up from 42% in 2019, the firm said.
Having that insurance can put a target on a company’s back, according to Analyst1’s chief security strategist, Jon DiMaggio. He cited a 2021 report from Cisco Talos that quoted an attacker saying a ransom payment was all but guaranteed if the target has insurance.
Some disagree. Joshua Motta, co-founder and chief executive officer of cyber insurer Coalition, and Adam Lantrip of insurance broker CAC Specialty said system vulnerabilities are more to blame.
“I don’t think it’s as binary of a process of saying, ‘This company buys cyber insurance and so I’m going to go after them,’ ” said Lantrip, the cyber practice leader at CAC. “When we talk to security firms and people who do threat intelligence, they typically will say it’s more likely the case that the attackers are looking at who is showing the world a particular piece of technology that they know they can exploit. That’s how they narrow their target list.”
Coalition’s Motta said ransom payments are often the only way to respond to attackers.
“At least 50% of the time there’s not really an option,” he said. “Not only have they encrypted the data, they’ve encrypted the backups and there’s no way to recover without paying the ransom.”
Motta argues that insurers are helping the industry by raising the level of cybersecurity due diligence by firms. And those efforts redouble after a high-profile incident like Colonial’s, according to Adam O’Donnell, a cybersecurity expert at Internet 2.0.
“I’ve seen a lot of organizations where their self-assessment maturity is very high, and then a very basic cyber attack proves that they’re completely wrong,” O’Donnell said.
Insurers have responded to the surge in attacks by ramping up scrutiny of new clients and their efforts to protect data, according to Marsh’s McCabe. Axa SA’s France business is no longer underwriting new policies that reimburse for ransomware, according to a spokesperson. Other insurers have sought to cap their exposure, according to CAC’s Lantrip.
For now, the question of how to stop the cycle of ransomware attacks and payments remains.
“You have to go after the money,” Coalition’s Motta said. “Some of these threat actors bring in more haul than international drug cartels.”