The issue at the heart of ransomware insurance will be familiar to most parents of young children: rewarding bad behavior only invites more of the same, so it's generally not a good idea. But critics of the ransomware insurance industry argue that's exactly what the practice does.
Ransomware insurance has by now long been suspected of excusing lax security practices and inspiring confidence among cybercriminals that they'll receive a timely payment following a successful breach.
Exactly how widespread ransomware claims by businesses are is difficult to determine since companies don’t exactly jump at the chance to discuss their run-ins with ransomware publicly. But it’s safe to assume that claims have risen alongside an undeniable surge in ransomware attacks.
Another issue with the cyber insurance industry stems from the fact that paying a ransom is no guarantee that data will be returned. In our recent report on the hidden costs of ransomware, nearly 20 percent of respondents were not able to recover their data even after making an extortion payment.
The Paris-based insurance giant AXA broke new ground this year by announcing it would stop insuring against cyberattacks, citing a lack of guidance from French regulators about the practice. It’s worth remembering that the FBI “does not support paying a ransom in response to a ransomware attack.”
So, if U.S.-based insurers were to follow AXA’s logic, they too would stop covering ransomware payments. So far, few have. For now.
Doomed to be a short-lived sector?
The industry publication InsuranceJournal.com recently wrote in a post on its site that “pressure is building on the industry to stop reimbursing for ransoms.” Before ransomware went rampant, the article notes, cybersecurity insurance was a profitable sub-category of the insurance business as a whole. But those days may be numbered. The sector is now “teetering on the edge of profitability,” according to the post’s author.
It’s well-known within cybersecurity circles that ransomware actors will conduct advanced research to determine if a potential target is insured. If so, it’s hardly a deterrent since it increases the likelihood a payment will be made.
It winds up being a self-reinforcing cycle. As ProPublica wrote in its study of the industry, “by rewarding hackers, it encourages more ransomware attacks, which in turn frighten more businesses and government agencies into buying policies.”
A commonly cited defense of ransomware insurance is that it not only protects against the cost of the ransom, but also against knock-on expenses from ransomware like downtime, reallocation of tech resources and reputational damage. We know from our own research that these costs can be significant, so there’s some validity to this argument.
But the real question the cyber insurance industry needs to answer is whether it can ever again be profitable. A recently released paper from the British defense think tank Royal United Services Institute (RUSI), titled Cyber Insurance and the Cyber Security Challenge, identified this as one of the key challenges to the industry’s viability.
That paper found that “there is arguably too little global premium to absorb losses from a systemic event.” In other words, the next NotPetya could sink the industry.
Ransomware on the whole has caused losses in the cyber insurance industry, not least because, “unlike the majority of risks insurers cover, ransomware attacks are both a high-impact and a high-probability risk.”
Toward a solution
Importantly, the RUSI paper in the end reported that it was unable to find empirical evidence that “cyber insurers may be unintentionally facilitating the behavior of cybercriminals by contributing to the growth of targeted ransomware operations.” While that fact undermines arguments that cyber insurers are a boon for ransomware actors, it doesn’t speak to the question of viability.
As with any nascent industry, ransomware insurance vendors have some tough issues to grapple with concerning how they do business. The “race to the bottom,” which RUSI describes as a combination of cheap premiums and loose restrictions on underwriting (not requiring basic cybersecurity measures as part of the deal, for example), represents the real risk to the industry.
It’s possible cyber insurance companies could drastically reduce claims by mandating a cyber resilience posture as a condition of being insured. Like a higher life insurance premium for a career stuntman, organizations without robust cybersecurity in place (including defenses plus backup and restoration capabilities) could be forced to foot a higher bill. While this is already standard practice among many insurers, industry regulation may be required to prevent the opening of a market for insurers with more lax baseline cybersecurity requirements.
At the very least, insurers should insist on three core elements of cybersecurity strategy before underwriting:
- Endpoint and network level security to guard against attacks. Devices secured with antivirus software and networks secured by DNS filters or firewalls should be the bare minimum requirement for protecting against ransomware attacks. Without them, ransomware actors are being invited in the front door.
- Mandated ongoing security awareness training for employees. User-enabled breaches remain one of the most common causes of a successful ransomware attack. Without addressing end users’ tendency to fall for phishing and other social engineering attacks, while ransomware actors may find the front door locked, they know there’s a good chance it will be opened for them by someone on the inside.
- Proven data backup and security protocols. Maintaining complete copies of mission-critical data is one of the simplest ways to undermine ransomware actors. By collectively removing this key piece of leverage, organizations can go a long way toward normalizing the non-payment of ransomware demands, easing the burden on cyber insurers.
Making the above the minimum standard for organizations would both minimize the damage caused by ransomware actors and increase the viability of ransomware insurance as an industry. By prioritizing cyber resilience over any one category of security, businesses can prevent breaches and get back to work more easily when they do occur.