The recent surge of ransomware attacks is upending the cyber insurance industry, pushing up the requirements and cost of coverage just as more companies need it.
Ransomware attacks — in which cybercriminals take over an organization’s computer network and demand a payment to hand back control — have increased in frequency and severity over the past two years. According to blockchain research firm Chainalysis, ransom payments from companies increased 341 percent to a total of $412 million during 2020.
“This is a tipping point this year,” said John Kerns, an executive managing director at insurance brokerage Beecher Carlson, a division of Brown & Brown, which sells cyber insurance. “I’ve been in business for 32 years and haven’t seen a market quite like this.”
That is pushing insurance carriers to reevaluate how much coverage they can afford to offer and how much they have to charge clients to do so. Underwriters are demanding to see detailed proof of clients’ cybersecurity measures in ways they never have. For example, not using multifactor authentication, which requires a user to verify themselves in multiple ways, might result in a rejection.
The majority of insurance companies are raising premiums for plans that cover damage from hacks, including ransomware attacks. Prices for at least half of insurance buyers went up 10 percent to 30 percent in late 2020, according to a survey cited by the U.S. Government Accountability Office. In some cases, annual premiums that companies are expected to pay have increased by as much as 50 percent, said Joshua Motta, founder of insurance tech company Coalition.
Many insurers also are restricting how much cyber coverage they can offer or limiting the terms and conditions, several industry executives said. In some cases, that means slashing the amount of reimbursement that can be used specifically for ransomware attacks.
Overall, ransomware claims have increased by upward of 300 percent in the past year, Kerns estimated. At the same time, the GAO study shows that companies are increasingly opting to buy cyber insurance — large insurance broker Marsh McLennan told the agency that 47 percent of its eligible clients decided to get the coverage last year, compared with 26 percent in 2016.
Adding to the chaos is the fact that hackers themselves are sometimes targeting companies specifically because they have insurance, according to James Turgal, a former FBI agent who is now a vice president at Optiv, a cybersecurity firm that advises companies on how to deal with hacks.
New hacking groups are getting into ransomware attacks to go after what they see as an “endless pot of money” facilitated by insurance companies, Turgal said. “I’ve worked cases where they’re actually providing a snapshot of your cyber insurance cover page from your own system showing you, ‘Hey, you have cyber insurance, so there’s no reason not to pay.’ ”
French insurance giant AXA said at the beginning of May that it would stop reimbursing ransomware payments in France, after French officials raised concerns that the payments were encouraging more crime. Days later, an AXA subsidiary was hit by a ransomware attack, according to a statement on the subsidiary’s website.
Ransomware is a catchall term for software that lets hackers take over control of a computer network and lock out the original owner. They usually gain access by tricking employees into giving up passwords or downloading malicious code through “phishing” emails. Attackers generally leave a digital ransom note explaining that the network owner has a set period of time to pay using cryptocurrency or risk losing access to their computers permanently.
Chainalysis data shows the average ransom payment has quadrupled from about $12,000 at the end of 2019 to $54,000 at the beginning of this year. Hackers also have started stealing and dumping sensitive files from their victims if they aren’t paid promptly.
Ransomware attacks have hit many aspects of everyday life in the past two years. Chemotherapy treatments in Vermont were delayed, meat plants were temporarily shut down across the United States, and an attack on the company that owned the Colonial Pipeline set off a panic up and down the East Coast that spurred a real-life fuel shortage.
Colonial Pipeline, which admitted it paid about $4.3 million to hackers who breached its system, confirmed in testimony before Congress this month that it did have cyber insurance. The Justice Department recently said it reclaimed more than $2 million of that.
“We’ve had cyber insurance for quite some time,” Colonial CEO Joseph Blount said during the Senate hearing. “We have submitted a claim for that ransom payment, and I haven’t had that confirmed to me yet, but I suspect that it will be covered.”
Many more of these attacks go publicly unreported. But insurance firms still feel the effects when they shell out millions to reimburse ransom payments and get businesses back on their feet.
“I know that we have several clients that had under-the-radar ransomware losses that were seven-figure losses,” said Adam Lantrip, leader of the cyber practice at insurance broker CAC Specialty.
But insurers are struggling to find a way to make the business worth staying in the game, especially as they deal with the uncertain and ever-changing cyberattack landscape.
It used to be that insurers would write a cyber policy with few limitations, largely taking the client’s word for it that they had cybersecurity protocols in order. That changed last year as insurers increasingly paid out cyber claims. More underwriters are now partnering with outside cybersecurity firms to vet companies’ protocols and security readiness, said Erica Davis, global co-head of cyber at global risk and reinsurance company Guy Carpenter.
In the past, insurers may have just asked potential clients to fill out a questionnaire about their cyber practices, she said. Now, in addition to that, many are using cybersecurity tools to run an analysis of clients’ controls to make sure they are up to par.
Even if insurers are willing to offer coverage, many are declining to take new clients or are capping amounts at about half of what they used to be for some clients. Many carriers will now offer up to $5 million in coverage for midsize clients in some industries, Lantrip said, compared with about $10 million in years past — although higher caps could be available to companies with strong cybersecurity controls.
Even with increased security vetting, uncertainty reigns throughout the industry. Cyberattack techniques are known to change and adapt rapidly, even as companies put up best practices to defend them. Insurers especially fear aggregate attacks, Kerns said — such as the SolarWinds or Microsoft Exchange Server hacks — which can take down multiple clients at once.
A representative for one of the most active criminal ransomware gangs, REvil, said the group targets companies that it knows have insurance.
“Yes, this is one of the tastiest morsels,” he said in an interview with intelligence analyst Dmitry Smilyanets of cybersecurity company Recorded Future. “Especially to hack the insurers first — to get their customer base and work in a targeted way from there.”