Does cyber insurance make ransomware worse?
Coalition, Inc.’s chief exec dives into drivers of ransomware as well as the industry’s role in the issue.
An increasing number of articles on the topic would have you believe so, and it is a question we’ve long pondered as one of the larger providers of cyber insurance in North America.
The Wall Street Journal published an article highlighting a surge in cyber insurance costs amidst mounting claims from ransomware and speculating that insurance payouts may only be encouraging even more ransomware attacks.
A spokesperson for Tenable stated it plainly: “[t]he insurance company pays the ransom, the criminals make more money, so they make more ransomware, which leads to more insurance, which leads to more payment, and so we get into this vicious cycle.”
Logical. Or is it?
What causes ransomware?
Ransomware is not just a type of malware; it is a criminal business model in which the perpetrator seeks to obtain benefit by taking hostage a victim’s data, infrastructure, economic output, intellectual property, or even privacy. It is extortion in its purest form, and it won’t go away for as long as organizations allow assets of value to be taken hostage. Whether an organization purchases insurance or not has no bearing on the value of the underlying assets taken hostage. Nor, in the vast majority of cases, are organizations targeted because they have an insurance policy — this simply isn’t information that an attacker has prior to an initial compromise.
Organizations are targeted by threat actors because they have made poor technological choices, oftentimes exposed to the public internet, that make them targets. They are targets of opportunity. Phishing, internet-exposed remote network access, and unpatched internet-facing software and devices account for the vast majority of ransomware targeting and initial compromise.
Unfortunately, there are more opportunities (i.e. vulnerable targets) than there are criminals to exploit them and, as a result, most ransomware actors prioritize targets based on their size and financial resources, which is used as a proxy for the value of assets taken hostage and the victim’s ability to pay. We have seen firsthand communication between threat actors in which an organization gets a “pass” because they aren’t large enough.
The role of insurance in paying ransoms
Nearly all cyber insurance policies cover ransomware, including not only ransom amounts but also digital forensics and incident response (DFIR) costs to respond to the ransomware event, costs to restore and recover lost assets, and the resulting business interruption losses (i.e. lost income). From our experience, no one wants to pay a ransom. Certainly not the insurance company, and almost never the client. Both have the same amount of hostility as if you’d kidnapped their children and won’t agree to pay a ransom unless it is a last resort. Often assets can be restored without doing so, with the insurance policy covering the other costs and lost income — exactly as intended.
However, occasionally, assets cannot be restored. No backups and no recourse. Pay the ransom or face existential ruin. This is the unenviable position some organizations find themselves in, and the majority do not have insurance. For those that do, there is coverage if the policyholder elects to pay. Because it is impossible to ever be 100% secure 100% of the time, insurance is literally the only thing that can provide protection against the possible eventuality of a ransomware attack from which an organization has no other means to recover.
Moreover, because insurance policies cover the costs of experienced DFIR vendors, or even provide such services directly, as in our case, insured organizations are able to negotiate ransom demands down (nearly 100% of the time in our experience) — something a victim on their own would have a considerably more difficult time doing.
It is impossible to imagine how much worse the world would be without insurance. While some insurers are pulling back on coverage and even eliminating it, and while there is chatter of public policy efforts to render extortion uninsurable or otherwise prevent extortion payments from being made, it would be a tremendous disservice to the organizations impacted by these attacks to prevent the insurance industry from continuing to innovate to fight cybercrime.
Not only do insurance companies provide a tremendously valuable service, but they also have a unique ability to encourage — even enforce — the basic cybersecurity hygiene that is so desperately needed. They can also do so at a considerably lower cost than organizations can do themselves.
The role of insurance in fighting cybercrime
There is literally no industry better positioned to fight cybercrime than the insurance industry. Insurers have one thing in common that others (including cybersecurity companies) do not: a direct financial incentive to protect insured clients and prevent financial loss.
To have an impact, we must act to:
- Improve underwriting standards across the board. In today’s market, an organization should struggle to get coverage if it has not implemented MFA, disabled remote network access exposed to the internet, or implemented any number of other highly effective security controls. The insurance industry can serve, and is serving, as one of the single most effective enforcers of cybersecurity hygiene at scale.
- Provide risk engineering services to customers at little to no cost. Many insurance providers, like Coalition, are now continuously collecting data on insureds, following claims, and using what they learn to alert other customers to imminent risks. In our case, we do this automatically and at no additional cost to the policy premium. We also did this to dramatic effect following the recently disclosed zero-day vulnerabilities in Microsoft Exchange. As we published in our blog, within 48 hours of the disclosure, we identified nearly 1,000 potentially impacted policyholders. Today we have only six vulnerable policyholders (!), and our team isn’t stopping until it hits 0.
- Maintain effective ransomware coverage for those that need it most. This will mean balancing public policy objectives while avoiding actions that disenfranchise businesses (particularly small businesses). Moreover, any move to make ransomware “uninsurable” would likely (and ironically) hinder, not foster, ongoing innovation in the cyber insurance market. Many, although not all, insurers have made dramatic progress in protecting clients from ransomware.
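The first two items above, underwriting on basic hygiene (MFA, no internet-exposed remote access, patched internet-facing software) and continuously re-checking insureds so newly exposed assets trigger an alert, can be reduced to a small rules engine over an external-exposure scan. The example below is an added illustration and is not Coalition's code; the scan records, hostnames, the "patched baseline" build number and the bind/refer/decline thresholds are all constructed placeholders.

```python
"""Underwriting hygiene check and continuous-monitoring diff over a scan snapshot.

Added example, not Coalition's code. It assumes an insurer holds, per
policyholder, scan records of the form
{"host", "port", "service", "product", "version", "exposure", "mfa"}.
Every value below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample scan for one policyholder (hosts and versions are not real).
SAMPLE_SCAN = [
    {"host": "mail.example-insured.test", "port": 443, "service": "https",
     "product": "exchange", "version": "15.1.2106.2", "exposure": "internet"},
    {"host": "fileserver.example-insured.test", "port": 3389, "service": "rdp",
     "product": None, "version": None, "exposure": "internet", "mfa": False},
    {"host": "vpn.example-insured.test", "port": 443, "service": "vpn",
     "product": None, "version": None, "exposure": "internet", "mfa": True},
    {"host": "db.example-insured.test", "port": 3389, "service": "rdp",
     "product": None, "version": None, "exposure": "internal", "mfa": False},
]

# An earlier snapshot of the same policyholder, before the RDP host was exposed.
PREVIOUS_SCAN = [rec for rec in SAMPLE_SCAN
                 if rec["host"] != "fileserver.example-insured.test"]

# Remote network access services that should not listen on the public internet.
REMOTE_ACCESS_SERVICES = {"rdp", "vnc", "smb", "telnet"}

# Constructed placeholder: any build below this is treated as unpatched.
# A real insurer would load this from vendor advisories; the number is illustrative only.
PATCHED_BASELINE = {"exchange": (15, 1, 2176, 0)}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def parse_version(text):
    """'15.1.2106.2' -> (15, 1, 2106, 2), so builds compare numerically."""
    return tuple(int(part) for part in text.split("."))


def evaluate(scan):
    """Apply the underwriting rules to one scan snapshot and return its findings."""
    findings = []
    for rec in scan:
        internet = rec["exposure"] == "internet"
        if internet and rec["service"] in REMOTE_ACCESS_SERVICES:
            findings.append(Finding(rec["host"], "exposed-remote-access", "high",
                            f"{rec['service']} on port {rec['port']} reachable from the internet"))
        if internet and rec["service"] == "vpn" and not rec.get("mfa", False):
            findings.append(Finding(rec["host"], "vpn-without-mfa", "high",
                            "VPN gateway accepts logins without MFA"))
        product = rec.get("product")
        if internet and product in PATCHED_BASELINE and rec.get("version"):
            if parse_version(rec["version"]) < PATCHED_BASELINE[product]:
                findings.append(Finding(rec["host"], "unpatched-internet-facing", "high",
                                f"{product} {rec['version']} is below the patched baseline"))
    return findings


def coverage_decision(findings):
    """Constructed underwriting policy: no high findings binds, one refers, more declines."""
    highs = sum(1 for f in findings if f.severity == "high")
    if highs == 0:
        return "bind"
    if highs == 1:
        return "refer"
    return "decline"


def new_findings(previous_scan, current_scan):
    """Continuous monitoring: findings present now that were absent in the last snapshot."""
    fresh = set(evaluate(current_scan)) - set(evaluate(previous_scan))
    return sorted(fresh, key=lambda f: (f.host, f.rule))


if __name__ == "__main__":
    current = evaluate(SAMPLE_SCAN)
    for f in current:
        print(f"[{f.severity}] {f.host}: {f.rule} ({f.detail})")
    print("underwriting outcome:", coverage_decision(current))
    for f in new_findings(PREVIOUS_SCAN, SAMPLE_SCAN):
        print("ALERT new exposure:", f.host, f.rule)
```

Running it flags the internet-facing Exchange server (below the placeholder baseline) and the RDP host, declines the constructed policyholder on two high findings, and raises a single alert for the RDP host because it did not appear in the previous snapshot. The internal RDP listener and the MFA-protected VPN produce nothing, which is the point of separating exposure from mere presence of a service.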
These are things Coalition has been doing since our founding, and it is working. It is in the collective interest of all that, as an industry, we tackle this problem with innovation rather than merely regulation.
Joshua J. Motta is co-founder and CEO of Coalition, Inc.
This article is reprinted, with permission, from the Coalition blog.