Ransomware attacks are on the rise, with a 102 per cent increase this year compared with the beginning of 2020. This poses a conundrum for insurers: to pay or not to pay?
Within the space of a month, the world was hit by three serious attacks. First, a cyber-criminal gang took the Colonial Pipeline, North America’s largest pipeline for refined oils, offline. Then the Irish healthcare system was hit twice in one week by ransomware. Most recently, the world’s largest meat processing company, JBS, was forced to shut down production, impacting the global meat supply.
These incidents won’t be the last. While this highlights a serious issue for organisations on how best to handle and respond to cyber-attacks, it is also a big red flag for the insurance industry, which could potentially be forced to pay out millions in payments to cover ransomware attacks.
Previously, insurers encouraged companies to pay the cyber-criminals’ ransom, as this was viewed as a cheaper and easier option than restoring IT systems. However, this actually perpetuates the issue by providing a short-term fix for poor cyber-hygiene. Long term, including ransomware payments within insurance policies may contribute to the wider problem, with organisations less focused on having the correct security tools in place to avoid ransomware and limit its fallout.
The holes in the cyber-insurance safety net
With ransomware attacks becoming all too common, the risk is potentially becoming uncontrollable for insurers, especially if organisations don’t have proper protection in place to begin with. This is the cyber equivalent of being involved in a car crash without wearing a seat belt. Organisations need to move beyond a checkbox approach to security to fight today’s sophisticated attacks, and insurance companies aren’t supporting that shift.
Instead, insurers are hardening the cyber-insurance market in reaction to deteriorating loss ratios and increasing reinsurance costs. This means buyers have to pay higher premiums and see a reduction in available limits at a time when cyber-exposures are increasing. Insurance was already a thin safety net, mitigating only part of an organisation’s financial risk, not its technical risk, and leaving intellectual property and personal data vulnerable. It doesn’t solve the fundamental problems cyber-attacks cause, such as restoring from back-ups, preventing data from being sold on the dark web or the hit to a brand’s reputation.
The onslaught of ransomware attacks is also changing the game. The city of Baltimore famously declined to pay a $76,000 ransom to a cyber-criminal gang, yet it ended up costing $18.2 million to fully restore its systems. Because of stories such as this, insurance companies have started inserting clauses to ensure they don’t have to cover ransomware attacks. These exclusion clauses mean that if an organisation is hit by a nation-state attack, any contractual agreement to pay a ransom is not reimbursable. In fact, most insurance policies have separate clauses and additional premiums in the event of an “act of war” or “terrorism”, and with the United States considering treating ransomware attacks with a similar priority to terrorism, this could have major repercussions for insurers and their customers.
In most cases terrorism coverage is offered separately, reflecting the current arrangements between private insurers and the federal government under the Terrorism Risk Insurance Act (TRIA). For coverage to be triggered under TRIA, a terrorist attack must be declared a “certified act” by the Secretary of the Treasury. In addition, acts of war are almost never covered, as the exclusions reflect the likelihood that acts of war are fundamentally uninsurable.
It can also mean that if an organisation experiences any sort of ransomware attack, its insurance company doesn’t have to pay out. This makes it imperative that companies are able to respond quickly and reduce the damage themselves by having the right systems in place to combat potential ransomware attacks.
Covering an expanding network
The risk of potential ransomware attacks has expanded with hybrid work becoming more popular post-pandemic. Organisations’ networks are no longer limited to on-premises office space, and there are many more touch points and data exposures. It’s important organisations can quantify the risks in this new environment.
Ransomware attacks are also evolving. Security teams now need to contend not only with decrypting files and achieving a quick recovery time, but also with the risk of data exfiltration, which could constitute a major GDPR breach.
While it is essential that organisations create a programme that helps employees better understand digital environments, making it easier for them to recognise risks and potential threats in a hybrid setting, let’s take the onus off the user.
The security team also needs to embrace modern tools for complete visibility into the organisation’s network. Because today’s threats give early warning signs such as unusual traffic, east-west movement and data exfiltration, network visibility is a critical first notification that something is awry. With the help of machine learning and behaviour-based analytics, organisations can establish a baseline of routine behaviour on the network, empowering security teams to spot malicious activity when anomalies occur.
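The baselining the paragraph describes, shown as an added illustration that is not from the article or from ExtraHop’s products: constructed flow records for hypothetical hosts ws-01 and ws-02 establish each host’s routine egress volume and east-west fan-out, and a later window is scored against that baseline to surface exfiltration-sized uploads and unusual internal spread.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (host, dst, bytes_out, internal). `internal`
# marks an east-west flow; everything else is egress to the internet.
BASELINE_WINDOWS = [  # three quiet windows for ws-01 (e.g. three days)
    [("ws-01", "ext", 5_000, False), ("ws-01", "fs-01", 800, True), ("ws-01", "mail", 300, True)],
    [("ws-01", "ext", 5_500, False), ("ws-01", "fs-01", 900, True)],
    [("ws-01", "ext", 4_800, False), ("ws-01", "fs-01", 700, True), ("ws-01", "mail", 200, True)],
]
CURRENT_WINDOW = [
    ("ws-01", "ext", 2_400_000, False),  # bulk upload: exfiltration-sized egress
    *[("ws-01", f"srv-{i:02d}", 50, True) for i in range(12)],  # touches 12 internal hosts
    ("ws-02", "ext", 1_000, False),  # host with no baseline at all
]

def summarise(flows):
    """Per-host rollup of one window: egress bytes and distinct internal peers."""
    stats = defaultdict(lambda: {"ext_bytes": 0, "peers": set()})
    for host, dst, nbytes, internal in flows:
        if internal:
            stats[host]["peers"].add(dst)
        else:
            stats[host]["ext_bytes"] += nbytes
    return stats

def build_baseline(windows):
    """Routine behaviour per host: egress mean/std and the largest peer count seen."""
    ext, peers = defaultdict(list), defaultdict(list)
    for window in windows:
        for host, st in summarise(window).items():
            ext[host].append(st["ext_bytes"])
            peers[host].append(len(st["peers"]))
    return {h: {"ext_mean": mean(ext[h]), "ext_std": pstdev(ext[h]),
                "peers_max": max(peers[h])} for h in ext}

def detect(baseline, current, z=3.0, peer_factor=3):
    """Flag hosts whose egress or east-west fan-out breaks their own baseline."""
    findings = []
    for host, st in summarise(current).items():
        b = baseline.get(host)
        if b is None:  # new asset: a visibility gap, not necessarily malicious
            findings.append((host, "no baseline for this host"))
            continue
        # Floor the spread so a near-constant baseline does not alert on noise.
        spread = max(b["ext_std"], 0.1 * b["ext_mean"], 1.0)
        if st["ext_bytes"] > b["ext_mean"] + z * spread:
            findings.append((host, f"egress {st['ext_bytes']}B vs routine {b['ext_mean']:.0f}B"))
        if len(st["peers"]) > peer_factor * max(b["peers_max"], 1):
            findings.append((host, f"east-west fan-out {len(st['peers'])} peers vs max {b['peers_max']}"))
    return findings
```

Running `detect(build_baseline(BASELINE_WINDOWS), CURRENT_WINDOW)` yields three findings: the bulk egress and the 12-peer fan-out on ws-01, and the missing baseline for ws-02, while any of the quiet baseline windows scores clean.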
A clear view of an organisation’s network gives security teams an understanding of which parts are mission-critical and likely to be high-value targets for cyber-criminals. This overview of the IT estate is useful for choosing the insurance model that best protects the organisation, providing an added layer of protection for vital parts of the network.
Cyber-attacks are inevitable, and organisations can’t take a one-size-fits-all approach across a widespread network. By quantifying which parts of the network are worth covering with insurance, alongside advanced cyber-security software, organisations can shield themselves and their employees from ransomware attacks effectively.
by Mike Campfield, VP, GM of International Sales and Global Security Programs at ExtraHop