Key points:
- More than half of ransomware victims reportedly pay ransom, but there is an absence of quality data and reporting that would enable better analyses.
- As payouts have increased, the number of customers electing to have cyberinsurance coverage (the take-up rate) has increased, although SMBs lag behind mid- to large-sized entities.
- As payouts have increased, insurance premiums have gone up and are expected to rise again in 2021.
- Insurers are starting to limit coverage for the healthcare and education sectors, two sectors that are notoriously “soft targets.” Other sectors, including the government sector, may also experience reduced caps or coverage.
In recent months, threat actors including REvil (Sodinokibi), Conti (Ryuk), and DarkSide all mention — and even brag — how they research how much cyberinsurance their victims have when they are calculating how much ransom to demand. And we have seen, in some negotiation chats that were made public, negotiators actually referring to specific amounts and letting their victims know that they shouldn’t try to argue for less because the threat actors know the insurance cap.
“UNKN” from REvil went even further. In a recent interview, they indicated that insurers themselves were great targets from their perspective.
The comments, taken together, suggested that maybe if victims didn’t carry so much cyberinsurance, the threat actors wouldn’t demand so much. Could it be that simple? I put the question to DarkSide when I interviewed them, “Someone suggested that if companies didn’t have cyberinsurance, ransomware threat actors would lose interest and just go away. Do you think that’s true?” That was the only question that DarkSide did not answer. Perhaps they didn’t want to encourage insurance companies to reduce coverage by admitting that entities might be less desirable as targets if they had less coverage?
Less than one month later, global insurance company AXA announced that it would no longer write policies in France that include coverage for ransom payments. New policies written would cover recovery from a ransomware incident, but not a payment of ransom itself. Existing policies would not be affected.
At the same time AXA was making its headline-making announcement, the Government Accountability Office was getting ready to publish its own report:
CYBER INSURANCE: Insurers and Policyholders Face Challenges in an Evolving Market (GAO-21-477)
Some of the major findings and points in the report include:
The proportion of clients electing to sign up for cyberinsurance (the “take-up rate”) increased from 26% in 2016 to 47% in 2020. Rates for small and mid-size entities lagged behind those of larger entities. The reason for that could reflect a combination of factors: SMBs underestimating cyber risks, difficulty understanding coverage, a belief that their current coverage is adequate, and affordability concerns.
In the government’s desire to discourage victims from paying ransom (which presumably encourages more crime), the government does not seem to have really publicized the fact that the majority of victims reportedly do pay ransom (or at least that is what I am hearing from different sources). But the reality is that we do not have high-quality data on how many ransomware attacks there are, what percent of victims pay, and how much they pay, because most incidents go unreported. Without that information, insurers are somewhat in the dark in trying to understand trends and future costs, and customers are also in the dark about how much risk they face.
The industry sectors with the highest take-up rates in 2016–2020 included education and health care. Those sectors collect, store, and use significant amounts of personally identifiable information or protected health information. And unfortunately, they do not seem to secure it well, making them easy targets — and if they have good insurance coverage — lucrative targets. While some threat actors have stated that they will not attack hospitals and certain types of medical entities, other threat actors feel no such ethical restraint and continue to attack medical practices as well as entities involved in researching or producing vaccines.
With attacks and payouts increasing, it is not surprising that the cost of insurance increased. One survey found that more than half of respondents’ clients experienced premium increases of 10-30% in late 2020.
How much does insurance cost? Well, different carriers have different rates and cover different things, but the GAO reported that brokers specializing in cyber insurance for small and mid-size entities reported that “average premiums for cyber policies currently range from about $1,400 to about $3,000 per million of limit for small entities that have strong cyber controls and are in low-risk industries. Premiums can be many times that amount depending on entity and industry risk factors.” Expect those numbers to rise in 2021 for mid-size and larger entities in high-risk sectors.
But one take-home message from the GAO report is that coverage limits are already being reduced in the healthcare and education sectors due to the number of cyberattacks. And ominously, perhaps, the report notes:
The extent to which cyber insurance will continue to be generally available and affordable remains uncertain. Despite the upward trend in take-up rates to date, insurer appetite and capacity for underwriting cyber risk has contracted more recently, especially in certain high-risk industry sectors such as health care and education and for public-sector entities, according to the Council of Insurance Agents and Brokers, Marsh McLennan, and A.M. Best.
While the government has not banned ransom payments, and such a law would generate a lot of concerns and pushback, the insurance industry may be the most effective way to get entities not to make themselves more attractive targets by carrying high amounts of coverage for ransom payments.
And wouldn’t it be better to spend money on security before the fact instead of on premiums for insurance coverage for clean-up from a breach?
There’s a lot more to the GAO report, which you can access here.