2014, dubbed “The Year of the Retail Breach”, saw major cyberattacks on retailers such as Target, Neiman Marcus, and others. Then, in 2015, a series of severe attacks on healthcare providers, such as Excellus BlueCross BlueShield and Premera Blue Cross, crowned that year “The Year of the Healthcare Breach”. The cyber security trends of this year indicate that 2020 is set to be “The Year of Ransomware”.
Ransomware activity has dramatically outpaced data breach and privacy event activity this past year. In fact, the number of ransomware incidents rose by 486% from Q1 2018 to Q4 2020. And while ransomware has been rising, data breaches and privacy events appear to have dropped in 2020, down 60%, the first decline in five years.
Why are ransomware attacks increasing?
Ransomware attacks have been around for many years. But 2020 has seen particularly dramatic growth due to the following factors:
- The global pandemic – it has in itself caused a surge in online traffic and a dramatic acceleration of digital transformation. The more businesses operate online, the more potential targets there are for attacks.
- Lowering the bar for attackers – in the past, to launch a ransomware attack you had to be a sophisticated hacker (in addition to being a criminal willing to extort). Today, the bar is dramatically lower. Attack tools are offered online, and it is even possible to hire third-party Ransomware as a Service (RaaS) to conduct attacks.
Another recent ransomware trend is the shift from the “scattergun” approach of hitting large numbers of organizations with relatively small demands to reconnaissance-based, carefully researched attacks on specific organizations. After infiltrating an organization’s systems, the attackers take their time inside the network, identifying the biggest pain points at which to deploy their ransomware to maximum effect.
In some cases, the attackers employ a double or even triple extortion scheme: they start by encrypting the organization’s sensitive data (such as customers’ private data), then, as part of their extortion process, they threaten to expose the data. If their demands are not met, they proceed to expose it. In a triple extortion scheme, the perpetrators add another (third) extortion tactic in order to put even more pressure on their victims.
Cyber Insurance companies still forking out for Ransomware
In 2020, ransomware demands are estimated to have reached a staggering $20 billion, nearly 75% higher than in 2019 (CheckPoint). In many cases, these demands are paid out by insurance companies as part of the organization’s cyber insurance. But as in every insurance field experiencing a rise in risk, these payments are not free. Usually, the change in risk is factored into the renewal price of the policy. In fact, Aon research suggests that cyber insurance pricing began to shift dramatically at the end of 2020, hitting an average 15.8% increase on primary layers, and Aon predicted premium price hikes of between 20% and 50% for the remainder of 2021.
But even with rising prices, the rate adjustments are still outpaced by the increase in frequency and severity of losses. Some even say that ransomware may be excluded from cyber insurance policies altogether.
What are insurers doing in addition to raising prices?
In response to the risk and loss trends described above, carriers are adjusting their underwriting approach, reviewing the terms and conditions of coverage, and reevaluating capacity deployment. In general, insurers are finding ways to restrict their exposures while pricing even the lower risks higher. To reduce risk, they are cherry-picking the “right” clients by conducting in-depth security audit processes to ensure that insureds meet minimum benchmarks of cyber security hygiene. In addition, insurers are restricting their exposure through the following mechanisms:
- Stricter sub-limits – some carriers have started imposing stricter sub-limits on ransomware. This means that policyholders will only be able to claim a fixed amount for all of their ransomware event costs. This fixed amount is all that the insurer will pay for the entire incident, including forensic costs, legal costs, cyber extortion payments, and so on. Essentially, this practice caps the insurer’s exposure at the sub-limit.
- Co-insurance – some insurers are also applying co-insurance provisions. This means that they will not insure the entire amount by themselves, requiring the insured to share the risk with the insurance company. This mechanism was built to make sure that the burden and the risk lie on both sides, so that both sides take steps to lower the risk.
According to AON’s Cyber Insurance Snapshot report, in 2021 “Coinsurance is also being proposed, in some cases, in conjunction with a sub-limit” as part of the move to a limit deployment strategy, under which carriers may cap the total aggregate limit they offer to any insured at some fraction of the total policy limit.
Regulators are also intervening
This rise in ransomware attacks also raised regulators’ concerns. The Treasury’s Office of Foreign Assets Control (OFAC) issued a warning saying: “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
This means that these companies could face steep fines from the U.S. federal government if the crooks who profit from the attack are already under economic sanctions. OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.
Since insurers often offer cyber policies that cover ransom payments, this warning obviously has a huge effect on the cyber insurance industry.
It is unclear exactly how the sudden, dramatic rise in ransomware will play out for the cyber insurance industry, but the direction is pretty clear. Insurers will not just “pick up the tab” by themselves. It looks like, across the board, insurers are simultaneously raising prices and finding ways to limit and/or reduce their exposure to this rising risk. However, if regulators impose strict rules of “no payment to cyber criminals”, which could apply to carriers, the reward to cyber criminals may be reduced, resulting in a decrease in the number of ransomware attacks.
Interested in learning more about the latest developments in cyber insurance? Visit our course catalog for more information on our cyber insurance training.