Is Cyber Insurance making it harder to defend against Ransomware?
Written by Karolis Liucveikis on
Ransomware makes headlines almost daily in one form or another. Many of the headlines and subsequent articles cover the latest large corporations to fall victim to a ransomware attack.
Recent high-profile attacks, including the Colonial Pipeline Incident and subsequent responses by governments across the globe, attest to this.
Given the threat posed by ransomware and other cyber incidents in general, it is little wonder that cyber insurance offerings have been developed to try to mitigate the risk somewhat. This has led experts to ask whether such insurance packages are enabling ransomware attacks to some extent.
Cyber insurance, or cyber-liability insurance, is a type of insurance policy designed specifically to help mitigate the threats posed by cyber-attacks. These policies are designed to protect organizations against the fallout of an attack and do not prevent an attack.
The policy may include stipulations to cover financial losses suffered as a result of the attack as well as to minimize business disruption. In some instances of a ransomware attack the insurer might allow the claimant to recover funds paid to cover the ransom.
Some experts argue that this exacerbates the problem of ransomware. Insurers can do this because it is not illegal to pay a ransom; all law enforcement can currently do is advise against paying the ransom, as it funds criminal activity.
Whether cyber insurance potentially does more harm than good is one of the primary research points explored in the Royal United Services Institute (RUSI) research paper. The conclusions the paper arrives at do not look favorably on the cyber insurance sector, stating,
“To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations' cyber security practices. Cyber insurers may be unintentionally facilitating the behaviour of cybercriminals by contributing to the growth of targeted ransomware operations.”
And,
“There are widespread concerns that insurers are fuelling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption,”
While the paper is critical of cyber insurance, it does acknowledge why businesses find such insurance policies appealing. Refusing to pay the ransom can lead to months of downtime and huge costs for organizations that attempt to restore their network from scratch.
According to RUSI, some ransomware victims and their insurers will pay the ransom because they see it as the lowest cost option for restoring networks. It is also believed that ransomware gangs are even actively seeking to target victims with cybersecurity insurance policies because they believe that's the best way to guarantee they'll make money from encryption campaigns.
The good news is that RUSI believes that cyber insurance can be part of the solution, noting that insurers can encourage policyholders to improve their defenses so that they do as much as possible to avoid falling victim to a ransomware attack in the first place.
It is believed that this would significantly disrupt the current ransomware business model that has proved so effective.
Analyzing the Problem
The paper goes into great depth in both analyzing and explaining the problems associated with cyber insurance. The areas of concern of particular interest are the relative immaturity of the policies being offered and the lack of industry-wide standards or best practices.
Looking at the cyber insurance market’s relative immaturity, respondents admitted that in developing policies a lot of “things” need to be figured out and that such policies are still in a trial-and-error phase of their development.
It is further argued that the required technical expertise, which could be provided by cybersecurity specialists and computer scientists, has not fully permeated the cyber insurance market.
This has partly resulted in perceptions that more power is placed in the hands of buyers or brokers than the insurers. Such a perception is supported by the competition between insurers in this new market, as there has been an influx of insurers offering such products who are competing for a relatively small number of contracts.
This places more importance on securing the contract by appeasing brokers and buyers rather than doing what is best to help prevent abuse by ransomware gangs. Researchers noted,
“In practice, the result is that cyber insurance providers may feel compelled to reduce security requirements and simplify questionnaires, making it harder to negotiate coverage that is conditional on accreditation to security standards or other best practices. Underwriters that do try to insist on more stringent conditions or cyber hygiene clauses can find themselves undercut by competitors who are prepared to offer coverage without (or with fewer of) them. This trend has been exacerbated by the actions of some brokers who, as one reinsurer argued, ‘have been rigorous about making sure they have the broadest possible terms at the cheapest possible price with the least possible hassle’. The race to the bottom has likely had a disproportionate impact on cyber insurers’ ability to incentivise better cyber security practices at SME level, where the competition is particularly intense and underwriting practices are more lax.”
Unlike more mature insurance products such as property insurance, cyber insurance has no set of standards. Researchers believe that this has negatively impacted how insurers can help drive the best cybersecurity practices.
It has been suggested that in the absence of such standards, buyers of cyber insurance can choose companies that ask the fewest questions and require a minimum set of security standards to be met.
Ransomware and Cyber Insurance
At its worst, the cyber insurance industry may be incentivizing bad behavior. The interaction between cyber insurance and ransomware is provided as an example of this. Researchers noted,
“There are also widespread concerns that insurers are fuelling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption. This, in turn, serves to normalise the act of making a payment, which has always been advised against by governments and law enforcement agencies. It also adds fuel to the fire by incentivising more cybercriminals to engage in ransomware operations and enabling existing operators to invest in and expand their capabilities. A recent advisory by the US Department of the Treasury’s Office of Foreign Assets Control also highlighted that cyber insurers may be facilitating payments to sanctioned individuals or entities”
As mentioned above, organizations with cyber insurance may be deemed better targets for ransomware attacks because attackers feel they are more likely to be paid. It should also be noted that insurers themselves can be viewed as such targets. Members behind the Sodinokibi ransomware have admitted to targeting insurers to get information on policyholders.
It is also believed that the paying of ransoms by insurers may normalize the paying of ransoms. This is problematic, as companies will then pay for insurance rather than for security infrastructure designed to prevent the attack.
Infrastructure is costly and may cost significantly more than a policy that pays the ransom and prevents the policyholder from suffering extended periods of downtime. RUSI concluded that,
“The impact of ransomware on the cyber insurance industry emphasises the need to address some of these issues and questions sooner rather than later. As some insurers risk being overwhelmed by losses, the industry and governments need to react quickly to ensure adequate protection and coverage for businesses.”