What's behind the extreme drop off in ransomware claims?
Cyber risks are constantly evolving as hackers find easier and more lucrative attack vectors.
Few are surprised to learn that the volume of cyber insurance claims continues to climb — our own shop saw a year-over-year increase of 20%. What is surprising to many, however, is the composition of those claims.
We’re seeing both anecdotal and measurable evidence indicating a sizable drop in claims due to ransomware specifically. Among our clients, just 9% of cyber claims so far in 2022 have been due to ransomware. By comparison, 30% of the claims we saw in 2021 were sparked by cyberattacks. Whereas the attack vector was once the top category in cyber insurance claims, we now see it rank third or fourth, depending on the month.
Social engineering is the vector now occupying the top spot among all cyber insurance claims. This year alone, social engineering has been the cause of nearly half of all claims managed by Cyberscout.
What’s behind this sudden drop-off in claims?
Although the industry is only just beginning to pick up on the downward trend in ransomware claims, a few theories around root causes are circulating.
- Ransomware is an inelegant crime. Whereas social engineering is a relatively simple “transaction” between a criminal and a victim, ransomware comes with a lot of collateral damage. Most hackers are motivated by money, not by hurting people or crippling organizations. It’s not unusual for a ransomware attack to have life-and-death consequences, particularly when made on a hospital, school or local government. Hackers may be finding a more targeted approach not only easier to pull off, but less devastating.
- Hackers aren’t making as much money. Large businesses — which comprise the largest portion of every cyber insurance provider’s portfolio — have become much more sophisticated in terms of both preventing and responding to attacks. With fewer large-scale and profitable victims walking into ransomware snares, and even fewer willing to pay the ransom when they do, gangs are finding it harder to turn a profit from attacks on an enterprise. (This is likely also the reason for an increase in cyberattacks on small organizations, such as private healthcare providers and municipalities.) What’s more, cashing out on ransom paid in cryptocurrency is expected to become more difficult as Russia’s Ministry of Finance attempts to regulate cryptocurrencies in the country.
- Governments and law enforcement are going on the offense. Stateside law enforcement agencies are taking the attacks much more seriously. As a recent example, the U.S. Department of State issued a $10 million bounty for members of a global ransomware gang in May of this year. This may have put the fear of criminal prosecution in the minds of more cyber opportunists, reducing the number of would-be attackers operating globally.
- Cybercrime is global. Much like climate change, cybercrime is an international affair. When something like the war in Ukraine occurs, its impacts are felt around the world. This is especially true for ransomware, which is often perpetrated by gangs located in Russia and Ukraine. Perhaps as fighting moves into the physical realm, the digital battlefield quiets.
What does the shift in attack vectors mean for the industry? Leaders need to consider the following impacts.
Risk volatility: Today, ransomware claims are down, and social engineering claims are up. However, the likelihood of that circumstance remaining unchanged is low. Hackers follow paths of least resistance and streams that yield the greatest revenue. They are constantly changing their approaches, and insurers need to be just as nimble.
It’s all in the data: The insurance industry loves conventional wisdom. Unfortunately, legacy mindsets do not compete well in a cyber insurance lane. In this case, conventional wisdom has it that ransomware claims are a runaway train, but the data show something different (at least for now). Insurers must avoid settling on a trendline. More frequent analysis of claims data is certainly in order, and the more insurers that share their data insights with one another, the better. A more holistic view of the threat landscape will stand up a more credible platform from which the industry can educate brokers, employers, policyholders and the larger public.
A human issue: People are easier to attack than systems. If you can convince someone to give you the keys to their car, why break the window to steal it? Insureds need constant communication, education and tips-oriented training to protect themselves, and insurers can be essential providers of that information. Personalized education and segmented training are best, as every individual on the planet has a unique risk profile due to the ever-expanding number of data breaches.
Take a position: The cyber insurance realm requires insurers to be explicit about what is covered and what is not. Overly broad language around things like cyber war exclusion is causing a lot of confusion and worry among insureds. There are too many threats, ranging from policyholder experience to lawsuits, to operate with too much grey area in a cyber insurance policy.
Cyber insurance is not like homeowners, auto insurance or any number of legacy policies. It’s ever-changing and nebulous, a potentially perplexing combo. And yet, cyber insurance is one of the world’s greatest protections against a growing economic and financial threat. Why else would President Biden have invited insurance providers to speak alongside Apple, Microsoft and Google during this summer’s cybersecurity policy meeting at the White House?
This large responsibility to keep consumers and businesses protected is why it’s essential for insurers to keep their collective ears to the ground and share what they are observing. Just as bankers regularly disseminate trending fraud data and meet regularly to discuss solutions, the insurance industry must find a way to better communicate movement in trendlines and agile ideas for nimble risk mitigation.
For all its volatility and unknowns, cyber insurance also represents an enormous opportunity, not only to generate revenue and sustain growth but to be there for an increasing number of policyholders during otherwise chaotic times.
Matt Cullina is head of global cyber insurance for Cyberscout, a TransUnion brand, which he has led for more than 10 years. Cullina has also served on the board of the Identity Theft Resource Center, including a term as the nonprofit’s board chairman. He can be reached at mcullina@sontiq.com.