According to a growing number of risk management specialists, cyber insurance companies bear a large share of the blame for a sharp uptick in ransomware attacks in both the private and public sectors. A recent ProPublica investigation, for example, found that cyber insurers are far too willing to pay ransom demands, and that this willingness encourages hackers, criminals and cyber terrorists to ask for more and more money. The result is a vicious cycle in which each new cyber insurance payout emboldens attackers to carry out still more ransomware attacks.
Why cyber insurance companies are so eager to pay ransoms
Despite repeated warnings from law enforcement authorities such as the FBI that organizations should not pay ransom demands, the evidence is mounting that the system of cyber insurance now available to organizations, large and small, is exacerbating the problem. Every cyber insurance payout funds further criminal activity and emboldens more attackers to get into the business of shaking down corporations and public sector entities for cash by taking their computer systems offline. In this respect, cyber insurance is increasing, not decreasing, cyber risk.
It might sound counter-intuitive, but insurance companies are incentivized to pay ransom demands, even as those demands escalate into the tens and even hundreds of thousands of dollars. The reason is simple: it is cheaper, faster and easier to hand over a lump sum than to cover the business interruption costs and delays of rebuilding an organization's systems from scratch. If the insurer does not pay the ransom, it can take weeks for an organization to get back up and running, and in the meantime the insurer must cover the lost profits during the downtime as well as the cost of hiring IT consultants to restore the organization from backups. From the insurer's point of view, settling quickly with a ransom payment and getting on with business makes financial sense. The calculation is not as clean as it looks, however: a payment buys a decryption tool, not a restored network. Attacker-supplied decryptors are often slow or unreliable, every affected machine still has to be cleaned and rebuilt to evict the intruder, and a payment does nothing to undo data the attackers copied out before encrypting it. Much of the recovery work the payment was supposed to avoid still has to be done.
But here is where things get perverse: the criminals carrying out these ransomware attacks are well aware of this mindset, and specifically target companies or organizations that have cyber insurance policies covering their mission-critical systems. With a little research (public records and procurement documents for municipalities, where the policy itself is often a public document, plus whatever they find once inside a network), they can estimate the size of the cyber insurance policy, how likely the victim is to capitulate, and how much to demand. The optimal ransom, say cyber insurance experts, is $1 less than what it would cost the victim to get its systems back up and running on its own. On a simple cost-benefit analysis, paying the lesser of the two evils then looks like the rational, economic choice, especially when a payment promises to get systems back within 24 hours rather than the days, weeks or months a restore from backup might take.
Ransomware attacks in the public and private sectors
When most people think of ransomware attacks, they probably think of hackers extorting huge private sector corporations for massive sums of money. In reality, it is the public sector that is bearing the brunt of the recent uptick in ransomware attacks. According to figures reported by Insurance Journal, state and local governments now account for at least 60% of all ransomware attacks. In 2019 alone, there have already been at least 70 ransomware attacks on state and local governments, including a single coordinated attack that hit 22 Texas municipalities at once.
The Texas attacks illustrate an important point: attackers work in waves. Once they uncover a weakness, whether a shared vendor, a common software configuration or a sector that has shown it will pay, they hit every organization they can reach through it, in the same geographic area or the same economic sector, before defenders adapt. This is what drives the so-called "proliferation" of ransomware. It is the same effect seen in the physical world: once a neighborhood experiences a series of burglaries and becomes known to criminals as a profitable place to strike, it attracts more break-in attempts.
As the ProPublica investigation of the cyber insurance market points out, public sector entities are attractive to attackers because they have shown a propensity to pay. The standard course of action has been to pay the ransom and get on with business as usual rather than bear the cost and delay of data recovery. Governments have far less room than corporations to absorb an extended period of downtime: you cannot tell the residents of a city that essential services will be unavailable for weeks while the incident response team fixes things.
Moreover, governments have financial resources (deep pockets) that smaller corporations may not; there is usually some budget line item that can be moved around to cover a ransom. For municipalities, the growing popularity of cyber insurance policies makes paying easier still. In one example highlighted by ProPublica, a ransom payout in the hundreds of thousands of dollars cost the city only a $10,000 deductible. Ransomware attacks are therefore increasingly aimed at city governments, schools and even police departments, in short, any public entity that must be up and running immediately. Attackers know this, and know they can hold such entities hostage by threatening to shut down their operations.
The future of the cyber insurance market
All of this raises questions about the future of the cyber insurance market. Cyber insurance is currently projected to be a $7 billion market in the U.S. alone. Insurers are getting into the business because it looks like easy money, at least up front, while they are collecting premiums from organizations buying coverage against the economic impact of ransomware attacks.
Unfortunately, the whole system of cyber insurance is at risk of imploding on itself. Paying the ransom is the easy, short-term solution, but in the long run it makes the problem worse. Now that attackers know organizations are taking out large cyber insurance policies, they know exactly whom to target, and with a little due diligence they know who is likely to pay and for how much. Going forward, it may require a body such as the National Association of Insurance Commissioners to step in and establish ground rules for the industry. Organizations should not pay ransom demands, and incentives need to be put in place so that paying the ransom is never the path of least resistance.