Using Insurance Data to Better Tackle Ransomware

Since the early 2000s, many companies have purchased cyber insurance to protect them when data is stolen, networks are breached, regulatory agencies levy fines, or other related incidents occur. In recent years, cyber insurance is also used to protect against increasingly popular ransomware events.

The topics of ransomware and how the insurance industry can impact it was discussed during a recent webinar from Axio, AIG, and Security Boulevard. Axio Co-Founder and President David White and AIG Cyber Product Lead Garin Pace spoke about how companies can prepare for a ransomware event and how insurance companies can be good partners when fighting ransomware.

Below we share some of the top insights regarding the intersection of cyber insurance and ransomware from White and Pace.

Why Cyber Insurers Have ‘Privileged Visibility’ into Ransomware

It may surprise some observers, but often cyber insurers have a tight relationship with the companies they insure. Insurers have what is called “privileged visibility” into the digital operations of companies because they need to understand precisely how a company is set up to write policies. And if an event occurs where they need to pay out a claim, they will investigate and understand how it happened. They may even understand the event better than many company employees do.

“Cyber insurers are some of the only organizations that have data on the cybersecurity posture of an organization before an event, detailed insights into what happened during an event, and how the event occurred,” White said. “So they’re one of the few places in the world where you can really look for real data on the effectiveness of controls. … In the last century, the insurance industry was credited with solving the boiler safety problem by driving safety and engineering standards to solve risk. And that’s the promise of insurance, whereby aggregating all of this data on the posture of an organization and what happened during an event that caused the organization a loss. The industry has an enormous capability for driving change.”

Cyber Insurance Growing More Popular

The mainstream adoption of cybersecurity insurance began in 2003 when California became the first U.S. state to regulate online privacy. Companies and website owners could be fined for not meeting the privacy standards set out by the California Online Privacy Protection Act of 2003 (CalOPPA). Basically, companies needed to buy cyber insurance in case they were found negligent or unable to protect user privacy.

Since that time, cyber insurance has become more popular, especially in North America, where it originated. Pace notes the global market for cyber insurance is also growing at a fast clip for small, medium, and large companies.

“Cyber insurance was marketed first and probably is most heavily penetrated in North America,” Pace said. “But lately, there’s been a lot of growth. We have a significant presence in Europe, Asia Pacific, and even in South America. So it is truly global. In terms of size, it’s small companies all the way up to Fortune 1000 companies.”

Pricing for Risk

The ultimate goal for cyber insurers is to price their products correctly for risk. Suppose a company does not meet widely accepted standards in how it protects data, for example. In that case, an insurer may not want to cover the company or make the business pay a large premium for insuring them. “We, as insurers, want to make sure that we price for the risk appropriately,” Pace said.

Pace notes that AIG has been one of a handful of cyber insurers that have worked together with their clients to recommend better practices to reduce the risk of hacks and hijacked systems. Typically, the insurance company will take a hard look at infrastructure, security, backups, and more to determine risk and then offer better rates if changes are implemented.

“I’m pleased to say that at the time insurers responded, and this is how we want insurance in general to operate,” Pace said. “They looked at the problem and said, ‘We see these losses. This is why they’re unfolding. These are the best practices that we believe will reduce the risk.’ They provided incentives and implemented them. And you saw folks who were in the cyber insurance market being educated about that and say, ‘Hey, we believe this is the best-in-class solution.’ It didn’t mean you had to do it to get insurance, but you would pay less if you adopted those practices that were proven to reduce risk.”

Breach Counsel

On top of having cyber insurance to help protect the company, Pace said he believes more companies should retain breach counsel. Breach counsel typically consists of third-party legal firms with specialized training that can help assess the damage and guide the conversation on what to do next. Beach counsel’s popularity has increased as data exfiltration — where company data is stolen or copied by malware — becomes more prevalent.

“More regulation is getting involved with understanding a full range of cyber incidents, going beyond just data breaches and how they might impact us,” Pace said. “So because there is a data exfiltration component and because of potential liability, there are a lot of reasons that if I were the owner of a business that has suffered a ransomware event, I would definitely be using breach council to understand my obligations. I would make sure some parts of the incident be privileged. Some of the advice that I’m giving about the incident should be privileged and remain within the four walls of the organization.”

The average fee for breach counsel today is roughly $40,000 per incident. These types of costs will likely increase over time as threats and hacks become more complex.

Exploring Real-World Data to Better Understand Ransomware Impact

Cyber insurance is increasing in importance in part because more ransomware attacks are taking place, and frankly, many are succeeding. Companies are spending more time talking with cyber insurers to make sure they are covered for any type of attack.

Here are some of the ways these ransomware attacks are changing the cyber insurance landscape.

Ransomware Attacks and Claims More Frequent

One of the most critical takeaways from the webinar is that ransomware attacks are growing more popular. Companies have seen an average 139% year-over-year increase in ransomware attacks in Q3 2020 versus Q3 2019. And as such, cyber insurance claims are rising concurrently.

“Ransomware is an increasing threat,” Pace said. “For the past couple of years now, it’s seen no slowdown in its pace. I should mention that the cyber insurance market has also been growing. So the more policies you write, the more claims you’re going to see.”

No Industry or Sector Immune from Attacks

Another reason why companies of all stripes should be looking at cyber insurance is that ransomware attacks are impacting all industries. Healthcare, financial services, retail, business services, education, government, and manufacturing sectors all have experienced ransomware attacks in the past few years.

“As we look across the spectrum of our insurance, we’ve had claims ransomware seems to be a pretty equal opportunity,” Pace said. “No sector or geography is immune.”

Ransomware Demands Increasing But Payments Declining

Cybercriminals that use ransomware have become more sophisticated, and as their technology has improved, demands have increased. The high end of these ransoms is about $40 million, and the average demand for 2020 is about $8 million.

While demands continue to increase, one somewhat positive trend is that average ransomware payments declined in Q4 2020. Coveware’s Ransomware Marketplace Report for Q4 2020 indicates that some companies are starting to say “no” to ransom demands due to them wising up to data exfiltration and the fact that hackers don’t always return or delete the data like they say they will. Coveware notes that the median payment for ransomware in Q4 decreased to $49,450 from $110,532, a massive 55% decline.

Email Phishing Becomes Top Attack Vector

Coveware also notes in its most recent ransomware report that email phishing attacks have now become the most popular way for cybercriminals to penetrate companies. Previously, Remote Desktop Protocol (RDP) attacks were the most prevalent way to compromise business networks. As of Q4 2020, about 50% of attacks were from email phishing, but RDP attacks remain widespread, with more than 25% of attacks still being from them.

Because of this shift, companies should always be looking for new ways to stop both email phishing and RDP attacks. They also should educate employees not to fall victim to them.

Get a Free Ransomware Assessment with Axio360

If your company wants to understand the risk of ransomware threats better, the Axio360 platform can help. Right now, you can launch and complete a free ransomware preparedness assessment in the Axio360 platform. It’s a quick and painless way to understand your cyber maturity, and it can show what critical improvements need to be completed to protect you from cybercriminals.