The policy of truth: As ransomware claims rise, what's a cyber insurer to do?

Feature If you rely on your insurer to pay off crooks after a successful ransomware attack, you wouldn't be the only one.

Ransomware victims from municipal governments to universities have turned to their cyber insurance policies to pay for decryption keys after getting pwned.

That's making some insurers nervous. How will they react as ransomware attacks keep growing?

Insurance company AXA's French unit suspended ransom payouts to criminals as part of its cyber insurance policy in early May. The company pulled the plug after French justice officials voiced their concerns to the Senate. The problem, they said, was that paying ransoms online validates the crooks' business model, emboldening them to keep doing it.

When you're dealing with a ransomware attack, how much do you know about who you're making a payment to? And what's the role of not just the insurer but also, say, the intermediary company that the insurer contracts with to negotiate the payment?

Elsewhere, insurers face legal worries following government warnings that those paying the ransom could be held responsible. In October last year, both the US Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) warned in advisories [PDF] about the potential liability of those facilitating ransomware payments.

FinCEN requires businesses facilitating payments to file suspicious activity reports. OFAC specifically called out cyber insurers, warning that they should consider the risk that their payment could reach a perpetrator on its Specially Designated Nationals and Blocked Persons (SDN) list.

• Axa insurance offshoots pwned as Ireland reveals second ransomware hit
• Have I Been Pwned goes open source, bags help from FBI
• Fujitsu pulls ProjectWEB tool offline after apparent supply chain attack sees Japanese infosec agency data stolen
• Russian gang behind SolarWinds hack returns with phishing attack disguised as mail from US aid agency
• American insurance giant CNA reportedly pays $40m to ransomware crooks
• How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director
• REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack
• Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks?

"Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States," it warned.

"For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial."

This leaves companies with what Josephine Wolff, assistant professor of cybersecurity policy at Tufts University's Fletcher School, calls an ambiguous piece of policy, created by an institution that is still trying to get its head around the topic.

"When you're dealing with a ransomware attack, how much do you know about who you're making a payment to? And what's the role of not just the insurer but also, say, the intermediary company that the insurer contracts with to negotiate the payment? There are a lot of intermediaries involved," she says. "The question of what you're supposed to do with those rules is still unanswered."

Payouts are on the rise

Legal uncertainty isn't the only problem plaguing cyber insurers. Ransomware attacks are on the rise, and so are payments. AM Best, which provides financial data and credit ratings for the insurance industry, has said that cyber insurance claims have grown by around 40 per cent on average in the past four years, while premiums have only grown by half that.

While online issues are still a relatively small part of most insurers' business, this increasing disparity between claims and payouts is uncomfortable for insurers. "Now they're realizing that the insurance coverage that they provide for ransomware may be too expensive," said Fred Eslami, associate director at AM Best, who leads its cyber security initiative for property/casualty and life/health insurers.

Underwriting cyber insurance is difficult for insurers for a couple of reasons. One is the immaturity of the risk itself compared to others. Insurers have been pricing other kinds of property and casualty losses for centuries. There's a large corpus of actuarial data to draw on. Conversely, cyber insurance is barely 20 years old.

A fast-moving risk area

The other problem is the fast-moving nature of technology, warns Katharine Hall, SVP of the national cyber practice at risk management company AON in Canada.

Other risk areas are more predictable. Hurricanes might be getting worse, but insurers at least know what to expect when underwriting them. "Cyber is much different than that," she says. "It is continually evolving at an incredible pace. So once I've solved this risk problem, somebody else on the other side of the fence equally as creative comes up with a new way to get you."

Insurers are responding by raising rates. The Council of Insurance Agents and Brokers charted a whopping 18 per cent rise in cyber insurance premiums during Q1 2021. Normally, rates in this subsector rise by a modest 1 to 2 per cent.

"Insurance companies are changing the terms and conditions such that the clients are retaining a lot more of the risk," adds Sridhar Manyem, director of research and analytics at AM Best.

That includes adjusting deductibles, meaning that clients have to pay more out of their own pocket.

More scrutiny

Other emerging tactics include coinsurance, where the insurance company gets the client to match a proportion of the payout with their own money to share the risk. AIG introduced this to its cyber insurance policies in January for clients that have only average or below-average controls. Those internal controls that help to stave off ransomware attacks will continue to come under more scrutiny, warns Hall.

"The questions right now are plentiful, very, very detailed, and I think, new to people in the environment," she says, citing scrutiny of specific measures around account authentication and business continuity strategy. "You wouldn't have had to answer these questions on the last go around."

Strategies like coinsurance will only work if enough other insurers jump aboard, says Hall. Otherwise, companies will just find a more equitable contract with another provider.

In an ideal world, Wolff says, companies would all get better at protecting themselves against ransomware. Aon's Hall agrees that companies shouldn't use ransomware insurance as their only strategy. By all means transfer some of the risk, she advises, but also focus on proper cyber hygiene. The problem is that there isn't a clear incentive to do so when insurers keep stepping up to pay the crooks.

"You might look at the calculus and say, 'It's honestly easier and cheaper for me to pay a ransom than it is to invest in a lot more security'," Wolff points out. She doesn't believe that hiking premiums and capping payouts is likely to change that substantially. More companies would need to follow AXA France's example and step back from paying ransoms altogether.

In the meantime, there are proposals to try and ease the burden for insurers. The Institute for Security and Technology recently published a proposed framework for fighting ransomware. Measures on the table included a consortium of insurers who would share ransomware loss data at the level of crypto wallet addresses and transaction hashes to get more visibility into attacks. It would also foster best practices around underwriting, which could hold insurance clients more accountable, and would encourage more consistency in dealing with regulators like OFAC.

That's a start, as is the US Department of Justice's recent announcement of a task force to tackle ransomware. Still, the successful targeting of AXA's Asia units with ransomware in the same month that the French unit announced its policy decision shows that there is still much work to be done.

How can insurers guide us on the technical hurdles to qualify for a cyber insurance policy with any authority if they're getting clobbered themselves? ®