Ransomware is the most prominent issue the cyber insurance community is dealing with today. According to Coalition’s ‘H1 2020 Cyber Claims Report,’ there was a dramatic increase in the severity of ransomware attacks in the first half of 2020, with the average ransom demands among its policyholders increasing 100% from 2019 through Q1 2020, and then jumping another 47% from Q1 to Q2 last year. Through the second half of the year and into 2021, that trend shows no signs of abating.
Over the past few years, the adversarial community has learned that infiltrating a network, collecting personally identifiable information, like credit cards, and then selling that information online is less lucrative than holding that data hostage for ransom. Cyber criminals gain a lot more by socially engineering individuals in Human Resources or Finance, and tricking people into exposing commercial networks or fraudulently transferring funds.
“Frankly, it’s become so lucrative that there are entities that are building out-of-the-box software where, for a fee, they will give adversaries all of the tools needed to deploy ransomware and they will tell them what companies they can exploit,” said Shawn Ram, head of insurance at Coalition. “There’s ransomware-as-a-service (RaaS) that’s available to buy on the internet because of how prominent ransomware is, and how lucrative it has become. The impact of ransomware is debilitating, and it’s hurting companies of all sizes. I think, if you solve ransomware today, you solve cyber risk. It’s the most prominent issue we’re dealing with.”
The cyber insurance marketplace has reacted to this challenging trend in multiple ways. Many insurers now ask, or in some cases require, policyholders to submit a ransomware supplemental application, which asks additional questions about data back-ups, segmentation, and whether or not multi-factor authentication is used on corporate networks. The purpose of these ransomware supplemental applications is to mitigate the impact of ransomware once it has been deployed, and therefore reduce the severity of claims.
Furthermore, pockets of the cyber insurance market – especially those that have experienced sub-optimal loss ratios – have started sub-limiting ransomware and applying co-insurance provisions. However, as Ram pointed out, sub-limiting ransomware coverage is often not viable for policyholders given the sheer enormity of ransomware demands today. While these strategies are emerging with more frequency, they’re not currently market standard, but as ransomware continues to plague the insurance community, Ram expects more carriers to come out with solutions.
“The impact of all of this is interesting, especially when coupled with the OFAC advisory on ransomware, which could potentially lead to more companies refusing to pay ransoms,” said Ram, who added that such a trend would increase the likelihood of business interruption costs. “While limiting the exposure to ransomware, cyber insurance also covers business interruption and extra expense exposure for companies. If a company elects not to pay a ransom, but the adversary is still holding their data and their servers hostage, they could find themselves in a situation where it potentially takes a lot longer to get back up to speed, and the carrier is exhausting its business interruption expenses.”
Companies will continue to be at higher risk of ransomware with employees working remotely due to COVID-19. Business email is a frequent and easy target, and criminal actors are exploiting email security weaknesses such as misconfigured Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to carry out phishing and email spoofing attacks, which could ultimately result in ransomware being deployed.
Coalition monitors the worldwide internet through a honeypot network, with the sole purpose of identifying what adversaries are scanning for, what type of malware they’re deploying, and what they’re looking for. The firm saw a spike in March and April 2020 of adversaries scanning for technologies associated with working remotely, the most common of which is remote desktop protocol.
“We believe there is a large percentage of ransomware that emanates from technologies like remote desktop protocol and business email exploitation. These are the most common reasons that ransomware is deployed on a network,” Ram told Insurance Business. “When you have a large percentage of the population working from home, when more individuals are using their own devices to log into a network, and when you have IT departments that have had to scramble in order to enable employees to work remotely, we’ve certainly seen adversaries exploit these tendencies. 2020 was the perfect storm. Ransomware was a prominent topic in 2019 as well; it’s just grown in significance because of the proliferation of all of these things coming together at the same time.
“At Coalition, we believe that a greater understanding of the network infrastructure that is visible to hackers is important; in fact, it’s critical. We need to shift the focus from mitigating ransomware when the malware is deployed, to avoiding ransomware. Loss prevention is key. There’s an opportunity for companies to become more sophisticated and smarter around loss prevention so that adversaries think: ‘This isn’t worth my time. I’d rather go and infiltrate an organization that doesn’t have multi-factor authentication, segmented back-ups, or updated software.’ They’re the types of things that shun adversaries, while also helping insurers improve their risk selection and underwriting.”