As target of ransomware crooks, cyber insurers struggle

In crosshairs of ransomware crooks, cyber insurers struggle

Cybercriminals who steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have

 Representative image. Credit: iStock Photo

In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralysing, data-pilfering extortion attacks they themselves apparently suffered.

Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers' identities and scope of coverage.

Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but kept many from going bankrupt.

Now, the sector isn't just in the criminals' crosshairs. It's teetering on the edge of profitability, upended by a more than 400 per cent rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70 per cent, the break-even point.

Fabian Wosar, chief technical officer of Emsisoft, a cybersecurity firm specializing in ransomware, said the prevailing attitude among insurers is no longer: Pay the criminals. It's likely to be cheaper for all involved.

“The ransomware groups got way too greedy too quickly. So the cost-benefit equation the insurers initially used to figure out whether or not they should pay a ransom — it's just not there anymore,” he said.

It's not clear how the single biggest ransomware attack on record, which began Friday, will impact insurers. But it can't be good.

Pressure is building on the industry to stop reimbursing for ransoms.

In May, the major cyber insurer AXA decided to do so with all new policies in France. But it is so far apparently alone in the industry, and governments are not moving to outlaw reimbursement.

AXA is among major insurers that have suffered ransomware attacks, with operations in Thailand hard-hit. Chicago-based CNA Financial Corp., the seventh--ranked U.S. cybersecurity underwriter last year, saw its network crippled in March. Less than a week earlier, the cybersecurity firm Recorded Future published an interview with a member of the Russian-speaking ransomware gang, REvil, that is skilled in pre-attack intelligence-gathering and happens to be behind the current attack. He suggested it actively targets insurers for data on their clients.

CNA would not confirm a Bloomberg report that it paid a $40 million ransom, which would be the highest reported ransom on record. Nor would it say what or how much data was stolen. It said only that systems where most policyholder data was stored “were not impacted.”

In a regulatory filing with the Securities and Exchange Commission, CNA also said that its losses might not be fully covered by its insurance and “future cybersecurity insurance coverage may be difficult to obtain or may only be available at significantly higher costs to us.”

Another major insurance player hit by ransomware was broker Gallagher. Although it was hit in September, only this past week (June 30) did it disclose that the attackers may have stolen highly detailed data from an unspecified number of customers — from passwords and Social Security numbers to credit card data and medical diagnoses.

Company spokeswoman Kelli Murray would not say if any cyber insurance policy contracts were on compromised servers. Nor would she say whether Gallagher paid a ransom. The criminals, from the RagnarLocker gang, apparently never posted information about the attack on their dark web leak site, suggesting that Gallagher paid.

Of the three insurance brokers that ransomware gangs claimed to have attacked in recent weeks, posting stolen data on their dark web sites as evidence, two, in Montreal and Detroit, did not respond to phone calls and emails. The third, in southern California, acknowledged being hobbled for a week.

By the time the Colonial Pipeline and major meat processer JBS were hit by ransomware in May, insurers were already passing higher coverage costs to customers.

Cyber premiums jumped by 29 per cent in January in the U.S. and Canada from the previous month, said Gregory Eskins, an analyst at top commercial insurance broker Marsh McLennan. In February, the month-to-month jump was 32 per cent, in March it was 39 per cent.

In a bid to turn back ransomware-related losses — Eskins said they amounted to about 40 per cent of cyber insurance claims in North America last year — policy renewals are carrying new, stricter rules or lowered coverage limits.

“The price has to match the risk,” said Michael Phillips, chief claims officer at the San Francisco cyber insurance firm Resilience and a co-chair of the public-private Ransomware Task Force.

A policy might now specify that reimbursement for extortion payments can't exceed one-third of overall coverage, which typically also encompasses recovery and lost income and can include payments to PR firms to mitigate reputational damage. Or an insurer may cut coverage in half, or introduce a deductible, said Brent Reith of the broker Aon.

While some smaller carriers have dropped coverage altogether, the big players are instead retooling.