Ransomware is becoming an increasingly common cause of cyber loss for both healthcare and non-healthcare businesses. According to the NAS Insurance 2019 Cyber Claims Digest, which analyzed data from 2018 claims, ransomware was the second most common cause of cyber claims last year – just as it was in 2017.
“In 2017 and 2018, ransomware events were front and center as an area of great concern for our insureds and remained the second-most cause of loss among all of our cyber claims in each year,” says Jeremy Barnett, senior vice president of marketing at NAS Insurance. “Over the past two years, we resolved over 90 ransomware incidents among a broad range of businesses and with various ransom demands. Payment demands were wide-ranging and topped out over $30,000, and in a variety of currencies.”
Costs go much further than just the ransom payment itself. The technical and legal expenses associated with negotiating and paying the ransom, which are often demanded in cryptocurrency, can triple or quadruple the cost of resolving the issue. It’s not uncommon for expenses to go beyond $70,000.
“Looking across both segments, healthcare ransomware costs were significantly higher than non-healthcare,” Barnett says. “In 2017, the average ransom payment to healthcare insureds was 106% greater than non-healthcare. In, 2018, the gap was smaller, with healthcare ransom payments only 18% greater than non-healthcare.”
NAS has already witnessed a significant shift in its cyber claims data from early 2019. In three separate events, ransomware demands have ranged from $100,000 to $1.2 million. However, it’s not just NAS that is seeing this spike in ransomware losses. According to a study by the NetDiligence Insurance Industry Cybercrime Task Force, other carriers are seeing this trend of much higher ransom demands.
“We are often asked for suggestions or guidance on how to reduce the risk of a cyber incident. Given the complexity of cyber incidents and the wide range of types of attacks, there are no easy answers,” Barnett says. “However, we have found that the more prepared an organization is to respond, the faster they recover. As a means of first response to a suspected incident, we recommend an insured to isolate the infected computer from all networks by unplugging network cables and/or turning off Wi-Fi, taking a picture of the ransomware message, and to not immediately reboot the system because that might destroy important forensic evidence.”