The recent increase in cyber-attacks and skyrocketing ransom demands has also led to a substantial increase in policy pricing. According to a report published by the insurance broker Howden, cyber insurance pricing increased 32% globally between June 2020 and June 2021. Insurers are also insisting that prospective policyholders certify that they have implemented stringent cybersecurity measures.
Despite significant growth, the cyber insurance sector has performed poorly in recent years and insurers are struggling to accurately assess risk. A report by S&P Global found that, in 2020, the cyber insurance industry’s loss ratio was 72.8%, compared to a typical insurance loss ratio of 30-60%. Furthermore, Barron’s reported that in 2020, two of the largest insurers paid out close to 100% of premiums.
There is an ever-changing array of factors affecting the risk of cyber-crime. Below, we review two of them, purchasing cyber insurance and paying a ransom, from the perspective of both the insured and the insurer:
Companies are justifiably looking to protect themselves from the financial impact of a ransomware attack, but what if purchasing insurance could inadvertently increase the risk of attack? Cyber security firm Sophos studied 1,823 companies and found that organizations with cyber insurance were twice as likely to pay a ransom as those without. If criminals are aware of this, it follows that they would preferentially target companies with ransomware coverage.
In a 2021 interview, a representative of REvil, a well-known Russian ransomware group, described insured companies as the “tastiest morsels” for hackers and confirmed that the group targets cyber insurers in order to obtain their lists of policyholders. In March 2021, one of the largest insurance companies in the United States paid a $40 million ransom to regain control of its computer systems following a ransomware attack. While the company said in a statement that it “did not believe” policyholder data had been compromised, it remains unclear whether information about insureds and their policies ended up in the hands of the attackers.
There are many more examples of how cyber insurance could increase risk, including the following:
On a global scale, the interaction between cyber insurance and ransomware attacks has been widely debated within the industry, with cyber experts blaming the frequency and size of insurance ransomware payouts for the sharp rise in attacks. In early 2021, the former head of the UK’s National Cyber Security Centre went as far as to say that insurers providing cyber insurance are “inadvertently funding organized crime by paying out claims” and that it is necessary to “look seriously about changing the law on insurance and banning these payments, or at the very least, having a major consultation with the industry.” In May 2021, France’s largest insurer said that it would no longer reimburse ransomware payments, citing uncertainty within the French government about the legal status of such payments.
Just as cyber insurance entices attackers, does the payment of a ransom act as a beacon to criminals? It is well known that both the U.S. and U.K. governments have a “no ransom” policy for citizens held hostage. The reasoning is that hostage-takers distinguish between governments that pay ransoms and those that do not, and therefore avoid taking hostages from countries that refuse to pay. It follows that the same logic should apply to ransoms demanded in cyber-attacks, and the research backs this up.
The cyber-security firm Cybereason found in a recent study that 80% of organizations that paid a ransom were hit by a second attack. Although the U.S. Cybersecurity & Infrastructure Security Agency advises against paying, stating that “paying ransom offers no assurance that a victim organization will regain access to their data or have their stolen data returned”, many companies still pay.
A ransom payment could impact the risk of a future attack in the following scenarios:
As discussed above, on a global scale the cumulative effect of companies paying ransoms makes the ransomware business more attractive to criminals, increasing the overall risk to all companies. The more ransoms that are paid, the more appealing the ransomware ‘sector’ becomes, leading to a greater number of attacks and to what we are now seeing as an explosion of cyber-crime. To try to interrupt this vicious cycle, New York State has introduced Bill S6806A in the Senate which, if passed, would prohibit ransomware payments by “government entities, business entities or healthcare entities or by another entity on their behalf.” It is likely that other states, and potentially other countries, will follow suit.
The cyber insurance industry is in a state of flux. Insurers are struggling to assess risk accurately, and companies are trying to combat constant cyber-attacks and rising policy costs. It is unclear what the future holds, but we know that insurers are taking significant steps to manage risk: creating sub-limits for various types of cyber coverage, requiring insureds to meet stringent cyber-security standards, and providing incident response teams, including cyber experts and negotiators, to assist insureds after an attack.
This article was co-authored by Shelina Boksh, CPA, Senior Forensic Accountant.