Is Cyber Insurance Exacerbating the Ransomware Crisis?

Written by

Alan Jenkins believes cyber insurance has heightened the threat of ransomware, whereas Ed Ventham argues that insurers are helping protect organizations by driving cyber preparedness

Ed Ventham, co-founder, Assured
Ed Ventham, co-founder, Assured

Is cyber insurance exacerbating the ransomware crisis? Of course not.  

Insurance, by its very nature, is a reactive industry that allows its customers to be proactive. Insurance enables a business to return to the position they were in before a ‘fortuitous risk’ knocks it off its feet.  

Ransomware is a major modern risk, and removing insurance coverage for this threat, and banning the payment of ransoms completely, would not fix the problem.  

Over a decade ago, the shipping industry voiced a similar objection: consensus reasoned that paying ransoms to pirates allowed them to profit from their criminal conduct. It is wrong to fund piracy in the same way that it is wrong to fund any criminality, but it is also wrong to suggest that insurance is being purchased as an alternative option to security.  

Running a business with consistent ransomware threats is akin to being the captain of a ship sailing through pirate-controlled waters. If, and indeed when, the ship is hijacked, the captain is left with no choice but to pay the ransom. For what else can they do? The alternatives listed below are bleak:  

  1. Not pay and consequently lose the ship and crew 
  2. Rely on international law enforcement, but consider how well (and how quickly) nations work together in military (or cyber) exercises. With lives at stake, how long can you afford to wait?

The third option, of course, is to negotiate, pay the ransom and save lives.  

Of course, there are measures taken to prevent hijacking, just like there should be measures to secure networks. No insurer would provide the cover to pay for the ransom unless they were satisfied their client had taken all possible steps to avoid being hijacked in the first place. This reinforces my argument above; insurance is not being purchased as an alternative to security – insurers will not take on that risk without a demonstration of precaution.  

Once the ship has been accosted, there is no other option left to the captain since the lives of his or her crew depend on being able to pay the pirates.  

In the cyber world, the CEO’s company network is the equivalent of that captain’s ship. This, too, could be life or death. Hospitals are the perfect (and sadly most tragic) example. Hospitals have become a prime target for ransomware groups in the last few years. When so much depends on the protection of life, the urgency and desperation caused by ransomware attacks are magnified.  

If I managed a hospital that had been targeted and paying a ransom was the fastest way to get my life support systems back up and running, I wouldn’t think twice. Now imagine your company being held to ransom, and the potential impact it will have on your balance sheet, reputation, employees, shareholders and clients. What would you do?  

The argument that cyber insurance is the catalyst that encourages ransomware is flawed. It naively ignores the 70% of global businesses that don’t purchase the cover but are still victimized. Removing this coverage would only take away the final backstop of protection for the 30% of businesses that choose preparedness for those aforementioned likely events, and insurers are right to support them. 

It is often argued that having cyber insurance makes an organization more vulnerable to attack, but that simply isn’t true. Taking out a policy is not public knowledge, so it categorically does not make that organization more of a target.  

Insurers are driving cyber preparedness, an extremely positive force for improved security. A cyber insurance policy is only provided once a client’s security has been demonstrated to be at an adequate level.

The good news is that this approach is working. According to the Corvus Risk Insights Index research report, there is evidence to suggest that ransomware attacks decreased by up to 30% in Q1 2022 compared to Q4 in 2021. Better questions from insurers drove that decrease, including more scrutiny of security practices and controls and, consequently, better investment into breach prevention. 

Cyber insurance is not exacerbating the ransomware crisis. On the contrary, evidence suggests that insurers are leading the fight against it by encouraging best practices and providing the reimbursement of the ransom as a last resort. So to suggest we are not united in our efforts to eradicate the threat to our customers is wrong.

The only other possible solution lies in a ubiquitous approach from all nations around the globe to first effectively tackle the threat actors and second provide bona fide financial loss support to those businesses still subjected to ransomware attacks. Until this solution is realized, we as an industry must continue to support businesses that choose to protect themselves from ransomware.

Alan Jenkins, CISO-in-residence, CyLon Labs
Alan Jenkins, CISO-in-residence, CyLon Labs

Is cyber insurance exacerbating the ransomware crisis? BLUF – The answer to the question is yes, sadly.

I’ve been in this business for long enough to know that there is no silver bullet, no one thing that will fix all the ills and make the bad stuff go away. However, amidst all my skepticism born from over 30 years of experience as a security practitioner, there has been a small hope that cyber insurance might be the driver for businesses to invest upfront in security (by design) rather than after a breach.

I know it is idealistic, perhaps even optimistic, but that is my hope, and it continues to be. However, I don’t think we’re quite there yet. After all, it has taken the general insurance market some 300 years since the Great Fire of London in 1666 to get to the point when building and fire safety standards have matured and consequently, catastrophic house/building fires are rare. That said, events like Grenfell Tower prove that work remains to reduce the risk further, although that tragedy was due to sub-standard components and shortcuts instead of a design flaw equivalent to an IT zero-day, a so-called ‘Black Swan’ event. It was the insurance companies that set up the first fire brigades to safeguard their insured properties, using fire insurance marks as an indicator. These ultimately became the municipal and then publicly funded fire services that we see today.

So, why has the growth of the cyber insurance industry over the past 15 years or so not yet had the positive change anticipated? Further, why is it exacerbating the current plague that is ransomware? 

There is a combination of factors at play, but the overarching issue facing us is that there are too many ways into an enterprise’s IT and OT infrastructure, meaning that malware has a high chance of breaching security controls and gaining entry. If that malware is ransomware, with a short dwell time and ineffective lateral movement controls in effect, it’s game over for many victims faced with the dilemma of whether to pay the ransom, as we have seen play out in multiple incidents in recent months.

The volume of incidents has caught cyber insurance brokers and underwriters off guard in a short space of time, resulting in the hardening of the market, the rise in premiums and, sometimes, the refusal of cover. This, in turn, has caught out some enterprises (the insured) faced with increased excess amounts and rising premiums for what is arguably reduced cyber insurance coverage (in some instances), leaving organizations exposed when the almost inevitable breach occurs.

If an organization opts to take out cyber insurance cover, where does the cash come from to cover the premium? If it’s out of the IT or security budget, then the potential for a double whammy is clear.

I believe that the existence of cyber insurance cover has left many previously insured enterprises with a false sense of security, exposing their inadequate investment in the cybersecurity of their business-critical IT infrastructure, particularly their data stores. Even more worryingly, it appears that the cyber-criminals may have targeted the cyber-insurers to identify which organizations they insure and what cover they have bought, giving them a profitable target list to go after.

While I am painting a dark, albeit realistic, picture of the current state of affairs, there is hope on the horizon. The underwriters are beginning to ask better questions, gaining a superior understanding of the opaque answers from some clients. As a result, they have more numbers to quantify the risk exposure.

In tandem, standards and good practice are maturing all the time, such that the gap between secure and compliant is constantly reducing. Yet most enterprises are not yet in that better place where many of us hoped cyber insurance would drive them to. I am optimistic that this situation will change, but currently, as I stated upfront, I believe cyber insurance has exacerbated the ransomware menace for many.

What’s hot on Infosecurity Magazine?