After a brief lull, ransomware attacks have roared back as a major and persistent security problem in the past year. These attacks have become so frequent and so widespread that cyber insurance rates are spiking, with Reuters reporting some premiums increasing as much as 25% in price.
The central issue is the cost of fulfilling claims. When a ransomware attack locks a policyholder out of their network, there are effectively only two options: pay the ransom or restore from backups. If the client doesn’t have adequate backups, they’re locked into option A. The insurance policy may then need to cover not just the ransom amount, but also the costs of recovery if the hackers fail to make good on unlocking the compromised systems.
The renaissance of ransomware attacks
Malwarebytes Labs reports that ransomware attacks were actually down in total in 2019, decreasing 6% from the previous year. However, the attacks are more sophisticated and more damaging. Attackers are more discerning about picking vulnerable targets, are using tools that make recovery efforts more troublesome, and are demanding larger sums in ransom.
Coveware, an international ransomware response firm, reported that the average ransom demand in Q3 of 2019 ($41,198) was triple that of the average demand in Q1. That’s also up from average demands in the low single-digit thousands of dollars in previous years, and in the mere hundreds of dollars prior to 2016.
The ransom demands do tend to scale with the size of the company, but insurance giant Allianz SE reports that hackers are becoming increasingly aggressive in their demands on medium-sized organizations.
Pressure on cyber insurance rates
In addition to more effective attacks and larger demands, cyber insurance rates are increasing to cover added costs. For example, emerging data breach and data privacy regulation can mean companies have increased legal liabilities when ransomware attacks strike. Cyber insurance policies have also increasingly incorporated extras like negotiation with hackers and assistance with data recovery if those efforts fail, which has put natural upward pressure on cyber insurance rates.
Insurance companies are more frequently advising clients to pay the ransom when they have coverage, as that is seen as the least expensive resolution with the lowest amount of business interruption. However, this can backfire and simply increase costs when hackers take the money but do not unlock the computer systems. There is also the cost of a forensic investigation to determine if sensitive data was exposed or exfiltrated prior to the ransomware being activated.
All of this has driven cyber insurance rates up by anywhere from 5% to 25% in the past several months, according to research conducted by insurance and risk management firm Marsh & McLennan Companies.
Cost control measures
To date, insurers generally do not offer policyholders the option to scale back their coverage to make cyber insurance rates more affordable. However, there is broad speculation in the industry that this will be forthcoming.
One cost control idea being floated in the cyber insurance market is to separate ransomware coverage from other forms of computer and network insurance. Companies may also be given the option of partial insurance coverage specific to ransomware attacks; high-risk companies with a history of breaches may be forced into this sort of model, which could pay out as little as 20% of the claim in the event of ransomware attacks.
Attacks on United States municipalities became more common, particularly school districts. The figurehead of this trend was the Ryuk ransomware attack, which hit 15 districts and over 500 schools across 11 states. An August 2018 report by security firm Barracuda Networks found that two-thirds of the known ransomware attacks to that point had targeted the US public sector.
Hackers seemed particularly fond of smaller municipalities, which have enough funds (or insurance) to handle paying ransoms but are often understaffed in terms of IT support.
Ransomware insurance has become a virtual necessity, as the recovery costs of some of the municipalities that opted against the ransom payment demonstrate. The city of Baltimore, struck last summer by a major ransomware attack, ended up paying over $18 million in recovery costs. The previous year, the city of Atlanta spent about $17 million in total recovering from a similar attack after refusing to pay.
Another, more global trend in ransomware incidents was a series of attacks on health care organizations. Cyber criminals see these as another prime ransomware target because they cannot afford extended downtime, making them very likely to pay the ransom. These facilities are not always the wealthiest targets, but they are very likely to carry cyber insurance. A number of hospitals and clinics in the United States, Australia, and throughout Europe experienced ransomware attacks in 2019. One of the most significant was an attack on the Rouen University Hospital-Charles Nicolle in France, which mirrored the WannaCry incident that caused havoc in the United Kingdom National Health Service in 2017.
How can organizations control their own insurance costs?
Cyber insurance rates now often take into account an organization’s IT security and preparedness for cyber risks. Measures specific to ransomware mitigation, such as regular backups and a tested incident response plan, can help.
Regardless of current cyber insurance rates, a robust backup system can be a critical source of long-term cost savings in the event of an attack. Ideally, regular “snapshot” backups are made and stored both locally and in the cloud for redundancy.
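The snapshot-plus-redundancy approach described above, as an added example that is not part of the original article: a small POSIX shell script that takes a timestamped snapshot of a directory, records its SHA-256 hash, replicates it to a second location, and proves the snapshot is usable by restoring it into a scratch directory and comparing it with the original. The function names, directory layout and the "offsite" directory (a stand-in for cloud or off-network storage) are assumptions made for this example; it relies only on `tar`, `sha256sum`, `diff` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the original article): versioned snapshot backup with
# integrity verification, replication to a second location, and a restore test.
# Function names and paths are assumptions; "offsite" stands in for cloud storage.
set -eu

# make_snapshot SRC_DIR BACKUP_DIR
# Archives SRC_DIR into a timestamped tarball under BACKUP_DIR, stores its
# SHA-256 hash next to it, and prints the archive path.
make_snapshot() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/snapshot-$stamp.tar.gz"
    tar -czf "$archive" -C "$src" .
    sha256sum "$archive" | awk '{ print $1 }' > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_snapshot ARCHIVE
# Succeeds only if the archive's current hash matches the recorded one, so a
# truncated, tampered or encrypted archive is detected before it is relied on.
verify_snapshot() {
    archive="$1"
    recorded=$(cat "$archive.sha256")
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$recorded" = "$actual" ]
}

# replicate_snapshot ARCHIVE OFFSITE_DIR
# Copies the archive and its hash to a second location and re-verifies the copy.
replicate_snapshot() {
    archive="$1"
    offsite="$2"
    mkdir -p "$offsite"
    cp "$archive" "$archive.sha256" "$offsite/"
    verify_snapshot "$offsite/$(basename "$archive")"
}

# test_restore ARCHIVE ORIGINAL_DIR
# Extracts the archive into a scratch directory and compares it with the
# original tree. A backup that has never been restored is an untested backup.
test_restore() {
    archive="$1"
    original="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -rq "$original" "$scratch" >/dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

# Demo on constructed sample data: run with BACKUP_DEMO=1 sh snapshot.sh
if [ "${BACKUP_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    mkdir -p "$work/src"
    printf 'constructed sample record\n' > "$work/src/records.txt"
    arc=$(make_snapshot "$work/src" "$work/local")
    verify_snapshot "$arc" && replicate_snapshot "$arc" "$work/offsite" \
        && test_restore "$arc" "$work/src" && echo "snapshot OK: $arc"
fi
```

The restore test is the part most often skipped in practice, and it is the part that decides whether "restore from backups" is really an option when a claim is filed. The offsite copy only provides redundancy against ransomware if the account that writes backups cannot also overwrite or delete earlier snapshots there, so versioned or write-once storage for that location is the setting to check.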