How The Cyber Insurance Industry's Bottom Line Is Fueling Ransomware

Techdirt. 2019-09-09

Summary:

The past decade or so has seen an explosive upward trend for the cyber insurance industry. Given the rise of malware, particularly ransomware, it's perhaps not surprising that an insurance market sprouted up around that reality. It's gotten to the point that those of us whose day-to-day business is managing client networks in the SMB space are now regularly fielding requests for help obtaining cyber insurance.

But when you begin to dig into how that industry operates and the methodology by which it advises its clients, it quickly becomes apparent that the cyber insurance industry itself is fueling the growth in ransomware attacks worldwide. ProPublica has a long and fascinating post on the topic, first discussing a real-world example concerning a municipality that was hit with ransomware, attempted to resolve the attack on its own by restoring from backups, but was ultimately advised by its cyber insurance partner to pay the ransom. In doing so, the municipality was out only its $10k deductible, while the insurance company paid out over $400k to the attacker. This was seen as a good deal for the municipality.

But was it? It turns out that the IT department for the city was putting together a restoration plan. That plan would take time to implement, require the involvement of outside consultants, and would require overtime work by the IT staff. All of that, of course, would be paid for by the cyber insurance company if the city went down that path. Instead, the ransom was paid.

This highlights two troubling trends in the cyber insurance industry. The first trend concerns how insurance companies advise their clients when attacked... and why they advise them in the way they do.

A spokesperson for Lloyd’s, which underwrites about one-third of the global cyber-insurance market, said that coverage is designed to mitigate losses and protect against future attacks, and that victims decide whether to pay ransoms. “Coverage is likely to include, in the event of an attack, access to experts who will help repair the damage caused by any cyberattack and ensure any weaknesses in a company’s cyberprotection are eliminated,” the spokesperson said. “A decision whether to pay a ransom will fall to the company or individual that has been attacked.” Beazley declined comment.

Fabian Wosar, chief technology officer for anti-virus provider Emsisoft, said he recently consulted for one U.S. corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company’s insurer pressured it to pay the ransom, he said. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required, Wosar said. The company agreed to have the insurer pay the approximately $100,000 ransom.

Examples of this abound throughout the rest of the post. Essentially, the insurance company simply calculates which will be the more expensive payout for the insurer: the ransom or the cost of recovery? If the ransom is cheaper, the insurance company advises, and sometimes pressures, the client to pay it. This can often look like the better option, as recovery from a malicious disaster is time-consuming and comes without any assurance that a full recovery is even possible. What's a $10k deductible compared with a city's systems being down for two weeks? This can seem like a win for the insured, or at least the smallest loss available.

The problem is what this does throughout the rest of the world, which is troubling trend number two.

As insurance companies have approved six- and seven-figure ransom payments over the past year, criminals’ demands have climbed. The average ransom payment among clients of Coveware, a Connecticut firm that specializes in ransomware cases, is about $36,000, according to its quarterly report released in July, up sixfold from last October. Josh Zelonis, a principal analyst for the Massachusetts-based research company Forrester, said the increase in payments by cyber insurers has correlated with a resurgence in ransomware after it had started to fall out of favor in the criminal world about two years ago.

One cybersecurity company executive said his firm has been told by the FBI that hackers are specifically extorting American companies that they know have cyber insurance. After one small insurer highlighted the names of some of its cyber policyholders on its website, three of them were attacked by ransomware, Wosar said. Hackers could also identify insured targets from public filings; the Securities and Exchange Commission suggests that public companies consider reporting “insurance coverage relating to cybersecurity incidents.”

To some degree, this

Link:

http://feedproxy.google.com/~r/techdirt/feed/~3/5CoQ1dVURPs/how-cyber-insurance-industrys-bottom-line-is-fueling-ransomware.shtml

From feeds:

Music and Digital Media » Techdirt.

Tags:

Authors:

Timothy Geigner

Date tagged:

09/09/2019, 19:08

Date published:

09/09/2019, 18:37