The rise of ransomware: Crypto, disclosure and insurer's reaction
Part two: Discover how digital currencies are fueling the ransomware crisis.
Editor’s note: This is the second part of a two-piece series looking at the growth of ransomware and the implications for insurers. The first part reviewed what led to the situation and how the industry and regulators have responded so far.
The encrypted and unregulated nature of cryptocurrencies, long providing hackers with a perfect platform for malicious payments, is also under scrutiny. In order to further conceal their activities and launder their funds, cybercriminals are now utilizing a series of sophisticated transactions, foreign exchanges (with weak AML/KYC controls) and increasingly shifting from Bitcoin to AEC (anonymity enhanced cryptocurrencies) such as Monero.
In response, some experts and government officials have also been calling for strict regulation of (or all-out ban on) cryptocurrencies in general. Most efforts have fallen short thus far, however, many suspect the strict regulation of crypto is nearing.
With many ransom attacks going unreported, government officials, along with the FBI, are also looking to mandate disclosures. Within the past year, three bills have been introduced; the “Ransomware Disclosure Act,” the “Cyber Incident Reporting Act,” and the “Cyber Incident Notification Act.” They all have a similar aim — requiring the disclosure of cyberattacks and/or ransom payments. And with bipartisan support, 2022 appears to be the year we’ll likely see such legislation passed.
If passed, this would provide regulators with better insight that could ultimately help reduce attacks, however, it could also result in more reputational damage to the corporate victims and an increase in “follow-on suits.”
In fact, it appears the pace of follow-on litigation may already be growing, as more companies are being hit with following class action claims. Colonial Pipeline Co., Scripps Health, CaptureRX, Eleketa Inc. and Candler Hospital Systems are just five recent examples. Each of the companies was hit with multiple class action suits alleging inadequate security/disclosures, following ransomware attacks that inflicted considerable downtime, resulting in third-party financial damages and/or the exposure of protected data. This all emphasizes the importance of dovetailing cyber insurance with well-structured directors and officers insurance.
How the insurance industry is responding
While regulators continue to weigh more aggressive options, insurance companies are also responding. Almost all of the carriers are reassessing their books, responding with a multipronged underwriting approach.
For starters, many cyber insurers are increasing premiums anywhere from 15%-40% with additional rate increases expected. Many insurers are also beginning to heavily sublimit their policies’ ransomware insuring agreements. Where a carrier may have previously been comfortable issuing coverage with a $10 million limit (with a matching $10 million ransomware limit), that same carrier may now only be willing to provide $5 million in limits with ransomware coverage further sublimited.
Some carriers have gone one step further, halting new business for certain industries altogether. The application process itself in many cases has also become more lengthy, as some carriers are beginning to incorporate specific ransomware questionnaires seeking confirmation that policyholders have incorporated more advanced network security features such as compliance with Microsoft Powershell best practices and implementation of advanced email protection to thwart phishing attacks.
Security steps
The pace of ransomware attacks is only predicted to continue in 2022, but there are some security measures companies can take to protect themselves.
In addition to regular backups and implementation of robust response and business continuity plans, companies should be extra diligent in mandating the regular changing of passwords. While this may seem trivial, and may be overlooked as an inconvenience, we already mentioned above that the Colonial Pipeline attack likely originated from a single stolen user credential purchased online.
Implementing a strong employee training program is also more important now than ever, as COVID has created an ideal environment for phishing attacks. Advanced security measures such as email protection should also be explored and implemented when possible. This will not only help protect against attacks, but may also help reduce cyber insurance premiums and assist with securing coverage.
Due to the aggressive underwriting stance many carriers are now taking, it’s also important that organizations ensure their brokers are fully saturating the insurance market when obtaining proposals — this is particularly important for higher risk industries such as the manufacturing sector, financial institutions and professional service firms.
In response to the Department of the Treasury’s Office of Foreign Assets Control (OFAC), when performing ransomware insurance coverage assessments, insureds and their brokers should also be on the lookout for any OFAC specific exclusions, terrorism exclusions, and coverage terms surrounding fines and penalties.
Policy definitions should also clearly include ransom attacks that affect industrial control systems, IoT connected devices and computer systems of others. Lastly, given that mandatory ransomware disclosures may be around the corner, with the potential to inflict brand damage and shareholder litigation, implementation of well-structured D&O insurance is also more important than ever.
Evan Bundschuh, RPLU, is vice president and commercial lines head at GB&A a specialty insurance brokerage located in New York that focuses on professional and management liability programs, including directors and officers, employment practice liability, cyber risk and professional liability insurance. He can be contacted at evan.bundschuh@gbainsurance.com.
Opinions expressed here are the author’s own.
Related: