BOSTON (AP) – In recent weeks, ransomware criminals have claimed as trophies at least three North American insurance brokerage firms that offer policies to help others survive the kind of crippling network data-extortion attacks the brokers themselves apparently suffered.
Cyber criminals who hack corporate and government networks to steal sensitive data for extortion routinely try to find out how much cyber insurance coverage their victims have. Knowing what victims can afford to pay gives them an edge in ransom negotiations. The cyber insurance industry is therefore also a prime target for crooks looking for the identity of its clients and the extent of their coverage.
Before ransomware turned into a large-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It has been accused of fueling the criminal feeding frenzy by systematically recommending that victims pay, but it has also kept many from going bankrupt.
Now, the sector is not only in the crosshairs of criminals. Its profitability is also in peril, shaken by a more than 400% increase in ransomware cases and skyrocketing extortion demands last year. As a percentage of premiums collected, cyber insurance payouts now exceed 70%, the break-even point.
Fabian Wosar, CTO of Emsisoft, a cybersecurity firm specializing in ransomware, said the prevailing attitude among insurers is no longer: pay the criminals, it will probably be cheaper for everyone involved.
“Ransomware groups got too greedy too quickly. So the cost-benefit equation that insurers initially used to determine whether or not to pay a ransom – it’s just not there anymore,” he said.
It’s unclear how the biggest ransomware attack on record, which began on Friday, will impact insurers. But it can’t be good.
Pressure is mounting on the industry to stop paying ransoms.
In May, the big cyber insurer AXA decided to do so for all new policies in France. But so far it is apparently the only one in the industry to do so, and governments are not about to ban reimbursement.
AXA is among the major insurers that have suffered ransomware attacks, with its operations in Thailand hit hard. Chicago-based CNA Financial Corp., America’s seventh-largest cybersecurity insurer last year, saw its network crippled in March. Less than a week earlier, cybersecurity firm Recorded Future had published an interview with a member of the Russian-speaking ransomware gang REvil, which is skilled in pre-attack intelligence gathering and which happens to be behind the current attack. He suggested that the gang actively targets insurers for data on their customers.
CNA has not confirmed a Bloomberg report that it paid a ransom of $40 million, the highest ransom on record. It also won’t say what data was stolen or how much. It said only that the systems where most policyholder data was stored “were not affected”.
In a regulatory filing with the Securities and Exchange Commission, CNA also said its losses may not be fully covered by its insurance and that “future cybersecurity insurance coverage may be difficult to obtain or would only be available at much higher costs for us”.
Another major insurance player affected by ransomware is the broker Gallagher. Although it was hit in September, it wasn’t until last week (June 30) that it revealed that attackers may have stolen very detailed data on an unknown number of clients, from passwords and Social Security numbers to credit card data and medical diagnoses. Company spokeswoman Kelli Murray did not say whether cyber insurance contracts were on the compromised servers. She also wouldn’t say whether Gallagher paid a ransom. The criminals, from the RagnarLocker gang, apparently never published any information about the attack on their dark web site, suggesting that Gallagher paid.
Of the three insurance brokers that ransomware gangs have claimed to have attacked in recent weeks, posting stolen data on their dark web sites as evidence, two, in Montreal and Detroit, did not respond to phone calls and emails. The third, in southern California, admitted to being hobbled for a week.
By the time the Colonial Pipeline and major meat processor JBS were hit with ransomware in May, insurers were already passing higher coverage costs on to customers.
Cyber premiums jumped 29% in January in the United States and Canada from the previous month, said Gregory Eskins, an analyst at leading commercial insurance broker Marsh McLennan. In February, the month-over-month jump was 32%; in March it was 39%.
In a bid to reduce ransomware losses – Eskins said they accounted for about 40% of cyber insurance claims in North America last year – policy renewals feature new, tougher rules or lowered coverage limits.
“The price has to match the risk,” said Michael Phillips, claims director at San Francisco cyber insurance firm Resilience and co-chair of the public-private ransomware task force.
A policy can now specify that reimbursement for extortion payments cannot exceed one-third of overall coverage, which typically also includes recovery and loss of income and can include payments to public relations firms to mitigate reputational damage. Or an insurer can cut coverage in half or introduce a deductible, said Brent Reith of the broker Aon.
While some smaller carriers have abandoned their coverage altogether, the larger players are retooling instead.
Then there are hybrid insurers like Resilience and Boston-based Corvus. They don’t just ask potential customers to fill out a questionnaire. They actually probe their cyber defenses and actively engage their clients when cyber threats arise.
“We monitor and make active recommendations not only once a year, but throughout the year and in a dynamic manner,” said Phil Edmundson, CEO of Corvus.
But is the industry as a whole nimble enough to absorb the growing onslaught?
The Government Accountability Office warned in a May report that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain.” And the New York State Department of Finance said in a February circular that massive losses to the industry were possible.
Policyholders and insurers, stingy about sharing experiences and data, bear part of the blame, the UK’s Royal United Services Institute said in a new report. Most ransomware attacks go unreported and there is no central clearinghouse for them, although governments are starting to push for mandatory reporting by the industry.
As a business sector, insurers are not particularly transparent. In the United States, they are not regulated by the federal government but by the states.
And for now, cyber insurers are mostly resisting calls to stop reimbursing ransom payments.
On an earnings call in May, UK-based Beazley CEO Adrian Cox said “overall network security is not good enough at the moment”. He said it is up to the government to decide whether the payments are bad public policy. Evan Greenberg, CEO of America’s leading cyber insurer, Chubb Limited, agreed in the company’s annual report in February that the decision to ban them lies with the government. But he endorsed a ban on payments.
Jan Lemnitzer, a professor at Copenhagen Business School, believes cyber insurance should be mandatory for businesses large and small, just as everyone who drives should have car insurance and seat belts. The Royal United Services Institute study recommends it for all government vendors and suppliers.
While he considers a ban on ransom payments problematic, Lemnitzer says it would be an “obvious” step to force insurers to stop paying them.
Some have suggested imposing fines on ransom payments as a deterrent. Or the government could keep a percentage of any cryptocurrency recovered from ransomware criminals, with the proceeds going to a federal ransomware defense fund.
Such measures could eat into criminal revenues, said attorney Stewart Baker of Steptoe and Johnson, a former general counsel for the NSA.
“In the long run, that probably means that the resources that currently go to Russia to pay for Ferraris in Moscow will instead go to improving cybersecurity in the United States.”