Ransomware and the Uncertainties of Cyberinsurance

Ransomware attacks are ubiquitous, and the insurance markets are chaotic. That, at least, seems to be the state of cybersecurity and risk mitigation since the COVID-19 pandemic began. It also isn’t far from the truth: Ransomware attacks have markedly increased, placing significant pressure on insurance markets to provide organizations with affordable options to minimize risk without running insurers out of business. But rather than present new problems, the recent spate of attacks has exposed long-existing fault lines in how organizations manage their security, how insurance markets price the risks and how other actors in the security space—especially governments—affect organizational response. How should you be thinking about these risks? What practices should you consider incorporating as you try to minimize the effect of an attack?

The Unique Challenges of Ransomware

All information security incidents are serious, but ransomware attacks are particularly insidious. While a typical attack might, for example, lead to the exposure or even theft of sensitive information or induce a counterparty to reroute a wire payment to an offshore bank account, a ransomware attack not only allows an attacker to access and potentially exfiltrate information but also encrypts that information and makes it inaccessible until the victim pays hundreds of thousands—or even millions—of dollars in exchange for a decryption key. At best, data inaccessibility might mean that a business needs to clean its drives or servers and restore from backup data, assuming usable backup data exists and is unaffected by the attack. At worst, it can mean that a hospital, for example, will be unable to access patient data for days or weeks, placing untold numbers of individuals at risk. And it is those latter categories of information and institutions, where information is particularly vulnerable and lives are literally endangered, that attackers are targeting. For example, according to a June 3, 2021 report, the U.S. Department of Homeland Security estimated that nearly 60% of notable global ransomware attacks affected the United States health care sector.

Ransomware attacks have, over the past two years, become increasingly severe and sophisticated, forcing extended periods of information technology downtime and increasing incidents of data exfiltration. Particularly successful attackers employed social engineering, such as phishing scams, to prey on people’s fears during the COVID-19 pandemic. In other words, ransomware attacks are the worst of both worlds, stressing—if not eviscerating—business continuity and forcing organizations to confront regulatory, litigation and counterparty risks. Compliance risks alone can measure in the tens of millions of dollars, taking into account recent enforcement trends under the European Union’s General Data Protection Regulation (GDPR).

But on top of the potentially existential threat ransomware poses to an organization’s ability to function is the cost of the ransom itself. Ransom payments stemming from an attack average a little under $1 million, with the price tag reaching as high as $40 million. For organizations facing the unique risk of having vast oceans of sensitive data inaccessible, it can be tempting to pay. And until recently, the U.S. government, while not exactly encouraging the practice, had not actively discouraged it. That led to a cottage industry of providers that specialized in negotiating with ransomware attackers to accept payment for the release of data. On the other side of the ecosystem, as the Colonial Pipeline hack illuminated, ransomware-as-a-service (RaaS) threat actors sprang up, offering their ransomware technology to anyone who would pay. It is lucrative to be an attacker, and the market has allowed such attacks to flourish.

But the U.S. government has begun to look at ransomware attacks differently. Its actions include the Biden administration’s directives to federal agencies to shore up their information security to better protect against cybersecurity attacks (in particular, those from nation-states or those sponsored by nation-states), and the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issuing guidance cautioning against paying ransoms. This last development is particularly important, especially in the absence of any law or regulation outlawing ransomware payments (though such laws have been proposed in Congress). Under OFAC regulations, individuals or entities that pay money to those on a sanctions list may be considered in violation of those regulations, which can lead to severe penalties. As the most recent advisory makes clear, even if the entity making a ransomware payment does not know that the recipient is on the OFAC sanctions list, it can still be held liable. OFAC instead encourages victims to develop a risk-based compliance program, take the risk mitigation steps outlined in the Cybersecurity and Infrastructure Security Agency’s (CISA’s) September 2020 ransomware guidance, cooperate with law enforcement and contact any one of a number of U.S. agencies.

In other words, as ransomware attacks increase and become more sophisticated, the dangers to businesses have also increased, deepening the incentive to pay. At the same time, governments have started to consider taking a harder line against paying attackers and have pushed organizations to improve their information security.

Insurance Market Chaos

Insurance providers are critically important actors when organizations plan for or respond to ransomware attacks. When an attack occurs, organizations will either make claims on their existing cyberinsurance policies or seek cyberinsurance to mitigate future risk. The cyberinsurance market has thus been forced to respond to the prevalence of attacks and the government’s current posture, and the results have been predictable, although also deeply problematic for those seeking coverage.

One predictable outcome: Rates have gone up and coverage has gone down. Average rate increases in 2021 approached or exceeded 40% per month. At the same time, carriers either dropped ransomware coverage altogether or conditioned such coverage on organizations’ implementation of specific security controls. It’s no surprise this would be the case; insurers contended with severely decreased profitability stemming not only from the ransomware payments themselves but also from the regulatory, litigation and business continuity risks that these attacks bring. On top of these risks are the limitations on coverage that come from increased scrutiny by OFAC and the reluctance of law enforcement agencies to assist in paying attackers.

The insurance market has not yet settled to a point where pricing is standard or predictable; not even the terms of coverage are standardized. But volatility in the markets is leading to a greater focus on cyberhygiene as a way to help control the risk of ransomware attacks. The list of such practices should be familiar to privacy and security practitioners: Use multifactor authentication, create strict and stratified access controls, create secure, offline backup systems, create a protocol to incorporate critical security patches into information technology systems, create detection and response systems for all endpoints and so on. As risks increase and the insurance market contracts, organizations seeking coverage will need to demonstrate rigorous controls.

But seeking insurance may be necessary for organizations, especially heavily regulated ones, to demonstrate their own compliance and diligence to regulators in the event the worst happens. For example, the Securities and Exchange Commission requires public disclosure of the costs of known or potential incidents; reporting such costs in the absence of cyberinsurance can send a worrying signal that an organization is unprepared for the fallout from an attack.

And even having such insurance will not guarantee coverage when the time comes. A growing body of case law stemming from cyberinsurance litigation leaves some doubt as to whether an attack that encrypts information has created the kind of harm contemplated by a policy. In other words, there are important questions for potential insureds about whether they can effectively mitigate this risk—or whether they can mitigate it at all.

Navigating Competing Forces

In many ways, none of the challenges posed by ransomware are new: Organizations must always adequately plan for the risk of a catastrophic attack on their information systems and the data they maintain; governments must step in to stem the tide of systemic actions that threaten the economy and critical infrastructure; and insurance carriers must constantly grapple with the unique risk-pricing challenge that comes with information security. But ransomware attacks, and their significant increase and prevalence in sensitive areas of the U.S. economy, have exacerbated all of these problems. Already, the government has reacted by discouraging payment while insurance markets have reacted by trying to force certain mitigating behaviors. In all likelihood, the severity and ubiquity of attacks will lead to heightened information security practices becoming more commonly shared among organizations and to legal changes meant to curtail the behavior. Following best and evolving practices in information security is the best course for organizations seeking to obtain coverage and prevent an attack. Having outside counsel and a line to law enforcement are other crucial steps. Given the chaos, organizations are left with the need to plan carefully for the coming crisis.

Christopher Escobedo Hart

Chris Hart is a litigation partner at Foley Hoag, LLP, where he co-chairs the firm's Privacy and Data Security practice. A certified privacy professional, Chris counsels a wide variety of clients, from tech and life sciences start-ups to Fortune 50 companies, on regulatory compliance, breach response, government investigations, and domestic and international litigation relating to data privacy. In addition to his substantial practice as a privacy lawyer, Chris is active as a member of the International Association of Privacy Professionals (IAPP) and the American Bar Association's privacy and security steering committee. Chris writes and speaks extensively on privacy and security issues, and regularly teaches a data privacy compliance course as an adjunct professor at Northeastern Law School.