Cyber risk insurers are ratcheting up their underwriting standards in response to increasingly severe and frequent ransomware attacks around the world. The number of ransomware attacks rose by 62% globally last year to 305 million, according to a recent report by SonicWall (Cyber Threat Report 2021).
Some ‘spectaculars’ made headline news. In the southeast US, fuel delivery was interrupted for several days in May after a ransomware attack on Colonial Pipeline. Colonial Pipeline paid a $4.4m (£3.1m) ransom to the Russian cybercriminal gang responsible.
Then in June, the network of the world’s largest meat-processing company, JBS, was hacked in a ransomware attack that disrupted its operations in the US, Australia and Canada.
The insurance industry itself suffered at least two high-profile attacks in 2021.
US insurer CNA reportedly paid hackers a $40m ransom to unlock its network earlier this year, while AXA’s Asian unit was held to ransom after hacker group Avaddon stole three terabytes of personal customer data.
It’s a lucrative business. The average ransomware payment was $154,108 in 2020 and 27% of victim organisations paid up, according to a report from Emsisoft (The Cost of Ransomware in 2021); the average cost of downtime was estimated at $274,200.
The numbers make worrying reading for cyber underwriters. Emsisoft’s report says the average ransom demand grew by more than 80% in 2020. Globally, a minimum of $18bn was paid in ransoms, while the cost of downtime in the private and public sectors added billions more in costs, the report adds.
Cyber risk inflation
Jack Hammond, partner in broker McGill and Partners’ cyber team, said recent conversations with insurers indicate that they have seen an increase of more than 150% in ransom and extortion attacks since 2019, which are now affecting all sizes of company and industry: “There seems to be a trend though for ransomware groups to focus their efforts on the largest targets in the pursuit of more lucrative ransom payoffs.”
This increase in ransomware claims has led to a deterioration of insurers’ loss ratios, fuelling a rise in premium rates, Mr Hammond said: “Insurers are suffering losses from multiple sections of a traditional cyber policy, with ransomware causing business interruption (income) losses, incident response costs to be incurred and data liability claims, which are all on top of the potential ransom payment.”
Paul Bantick, global head of cyber and tech at specialty insurer Beazley, said the scale and complexity of ransomware attacks have driven rate hardening, while capacity is reducing as parts of the market reduce line size and, in some cases, exit: “In our view, you cannot address the pressure on the cyber market through rate and limit alone, and the most effective defence against ransomware is robust cybersecurity and risk management. We are investing in additional tools and services to improve our clients’ cyber defences, to help reduce their exposure to cyber threats in the first place.”
It follows that to curb ransomware exposures, some insurers have adopted a strategy of stringent risk selection and risk management, run in tandem with cyber portfolio management and a push for rate, McGill’s Mr Hammond noted: “[Some] have said there are encouraging signs of this impacting frequency and severity. It is unclear whether insurers will opt for ‘minimum standards’ underwriting, where only risks that adhere to a certain level of cybersecurity are considered.”
AIG has gone on the record saying that it is imposing sub-limits and demanding co-insurance to further insulate itself from ransomware-related losses.
Rumours that some insurers were considering excluding ransomware from cyber risk policies surfaced after AXA announced it would no longer indemnify actual ransom payments in France. But brokers told GRM that outside France there is little appetite for a blanket exclusion on ransomware attacks.
Beazley confirmed to GRM that it would continue to include ransomware within its cyber insurance offering and “focus on addressing the root causes of cyber claims by helping businesses to improve their risk management, while always complying with local regulations”.
Organisations that don’t maintain enhanced security measures and protocols to protect their systems and data may find that insurance is no longer available to them, warned Vanessa Cathie, vice president, global cyber and technology at broker Lockton: “The deployment of MFA is seen as the mandatory cyber equivalent of locks on doors and windows under domestic policies, while endpoint protection can be compared to sprinklers under a fire policy.”
Your money or your network
Other jurisdictions could, however, follow France’s lead on banning ransom payments, according to Ms Cathie: “Ultimately the decision may be taken out of insurers’ hands if governments globally prevent the payment of ransoms further down the line.”
In the US, moreover, the Treasury Department’s Office of Foreign Assets Control operates a sanctions list, and if the attackers have any connection with one of the countries on that list, paying the ransom is illegal.
Lockton’s Ms Cathie said the argument for banning ransom payments is not clear cut: “It can be simplistic to adopt the moral position that a demanded sum should not be paid. There may be critical implications that flow from a ransomware attack, depending on the nature of the organisation.”
Ransomware attacks are set to be a growing problem for businesses around the world as more people get in on the act. By criminal standards, most forms of hacking have a low risk and low cost of entry. But ransomware, which is fast becoming a sort of franchise business, is now within the reach of less tech-savvy crooks.
The Russia-based gang DarkSide, which is credited with perpetrating the Colonial Pipeline attack, has even advertised that it is looking for partners in an attempt to adopt an affiliate ‘as-a-service’ model, according to the consultant Intel 471.
Beazley’s Paul Bantick said risk professionals need to consider cyber risk threats in the round, as the types of threat continue to morph and change: “Two years ago, the biggest cyber threat was data breach, today it’s ransomware, who knows what it will be in two years’ time? That’s why it’s important for clients of every size and us as insurers to focus on establishing more robust risk management practices and strengthening defences against these threats.”