How Insurers are Combating Ransomware Hackers

November 25, 2020

Nowadays, you can get insurance coverage for just about anything, but what about cyberspace? Now that we are deep into the digital revolution, the insurance industry has had to evolve to safeguard businesses against the ever-increasing threat of online crime.

Insurers looking to quantify the economic impact of cybercrime face three major challenges. First, the amounts are astronomical. Second, risk profiling has to keep pace with ever-changing attacker tactics, as countless high-profile cyber-attacks illustrate. Third, there is no actuarial data for cyber risk comparable to what exists for other lines of insurance. The data used to set premiums is largely collected from public sources on the internet, and such data is likely to underestimate the true financial impact of attacks, since both insurers and victimized companies are reluctant to disclose real figures for fear of losing competitive advantage or suffering reputational damage.

This new reality has also placed pressure on the insurance industry to figure out how to handle this massive, relatively new category of risk and how best to protect businesses and organizations from potentially catastrophic breaches.

[Figure: global ransomware damage costs, 2015 to 2021. Source: Security Ventures]

One of the most rapidly growing trends in cybercrime is ransomware. This class of malware encrypts a victim's files or locks them out of their business systems until they pay a ransom, usually in cryptocurrency sent to a wallet the attackers control.

Ransomware – an increasingly lucrative business

Based on analysis by the Threat Hunting Team at CYE, attackers have grown more sophisticated during the past year, shifting their targets from individuals and mom-and-pop operations to larger companies that can afford to pay bigger ransoms.

“Many companies are large enough to be worth extorting but not large enough to have sufficient network protection to defend against ransomware.”

CYE threat hunting team leader

Ransomware tactics have evolved as well. In 2020 we have seen a new wave of attacks called “double extortion.” In this type of attack, threat actors steal a copy of the data before encrypting it, then maximize their chance of profit by threatening to publish, sell, or auction it if the ransom is not paid. Restoring from backups no longer makes the threat go away, because the attackers still hold the data.

Industry cyber experts claim that even when public agencies and companies hit by ransomware could potentially recover their files on their own, insurers often prefer to pay the ransom.

Should you pay the ransom?

As befits decision making in the insurance industry, whether or not your client (and you) should pay the ransom is a rational calculation to minimize losses. Ransomware is often associated with large insurance claims, since the indirect costs of business interruption and reputational damage can be even higher than the ransom itself.

Simply put, an insurance company may choose to pay the ransom when the projected cost of a prolonged recovery from backups would exceed the policy's $1 million coverage limit while the ransom demand is under $500,000.

US government agencies and security researchers say that paying ransoms contributes to the profitability and spread of cybercrime and, in some cases, may ultimately fund sanctioned or terrorist organizations. For insurers, however, it makes financial sense: it holds down claim costs by avoiding expenses such as lost revenue from disrupted services and ongoing fees for consultants assisting with data recovery. Insurance leaders argue that the onus is not on the insurer to stop the criminal; that is not their mission. Their objective is to help their clients get back to business.

What happens after you pay?

From a macro perspective, rewarding hackers with payments promotes more ransomware attacks, which in turn frightens more businesses and government agencies into buying policies.

From a business perspective, paying once may cost you later. When you pay a ransom, you mark yourself as a target that pays, and you thereby raise your risk of being attacked again, whether by the same group or by others who learn of the payment.

Cyber insurance is therefore only one component of a larger risk management strategy that includes technology as well as training, education, and testing. To combat the scourge of ransomware, companies still need to teach employees how to recognize threats, patch regularly, limit user privileges, keep offline and tested backups, and establish sufficient cyber hygiene so that the next attack is far less likely to succeed.

Companies are fighting hackers on an unbalanced playing field, where defense is much harder than offense, and cyber insurance has proven to be a valuable partner in that fight.

CYE’s experts serve as trusted advisors to insurance companies around the world and help them and their clients manage their cyber risks. Contact us for more information.