2014, for example, became known as “The Year of the Retail Breach” with major cyber attacks on retailers such as Target, Neiman Marcus, and others. The following year, 2015, became “The Year of the Healthcare Breach” with major healthcare providers, such as Excellus BlueCross BlueShield and Premera Blue Cross, being affected. And 2020 will undoubtedly become “The Year of Ransomware”.
Ransomware activity has dramatically outpaced data breach and privacy event activity this past year. In fact, the number of ransomware incidents has risen by 486% from Q1 2018 to Q4 2020. And while ransomware has been rising, data breach/privacy events appear to have dropped in 2020, down 60%, the first decline in five years.
Contributing factors to the dramatic rise in ransomware
Ransomware attacks have been around for many years, but 2020 has seen dramatic growth due to the following factors:
- The global pandemic – has in itself caused a surge in online traffic and a dramatic acceleration of digital transformation. The more businesses operate online, the more potential targets there are for attacks.
- Lowering the bar for attackers – in the past, to launch a ransomware attack you had to be a sophisticated hacker (in addition to being a criminal willing to extort). Today, the bar is dramatically lower. Attack tools are offered online, and it is even possible to hire third-party Ransomware as a Service (RaaS) to conduct attacks.
Another recent ransomware trend is the shift from the “scattergun” approach of hitting large numbers of organizations with relatively small demands to reconnaissance-based attacks on carefully researched, specific organizations. After infiltrating an organization’s systems, the attackers take their time inside the network, identifying the biggest pain points at which to deploy their ransomware to maximum effect.
In some cases, the attackers employ a double or even triple extortion scheme: they start by encrypting the organization’s sensitive data (such as customers’ private data), then, as part of their extortion process, they threaten to expose that data. If their demands are not met, they proceed to expose it. In a triple extortion scheme, the perpetrators add another (third) extortion tactic in order to put even more pressure on their potential victims.
Insurance companies are currently still paying the price
In 2020, ransomware demands rose to a staggering estimated $20 billion, nearly 75% higher than in 2019 (according to Check Point research). In many cases these demands are paid out by insurance companies as part of the organization’s cyber insurance. But, as in every insurance field experiencing a rise in risk, these payments are not free: the change in risk is usually factored into the renewal price of the policy. In fact, according to Aon’s analysis, cyber insurance pricing began to shift dramatically at the end of 2020, hitting an average 15.8% increase on primary layers, and Aon predicted price hikes of between 20% and 50% for the remainder of 2021.
But even with prices trending upwards, Aon said that most insurers have stated that “those rate adjustments were not enough to compensate for the increase in frequency and severity of losses.” Some even say that ransomware may be excluded from cyber insurance policies altogether.
What are insurers doing in addition to raising prices?
In response to the risk and loss trends described above, carriers are adjusting their underwriting approach, reviewing the terms and conditions of coverage, and reevaluating capacity deployment. In general, insurers are finding ways to restrict their exposure while pricing even the lower risks higher. To reduce risk, they are cherry-picking the “right” clients by conducting in-depth security audits. In addition, insurers are restricting their exposure through the following mechanisms:
- Stricter sub-limits – some carriers have started imposing stricter sub-limits on ransomware. This means that policyholders will only be able to claim a fixed amount for all of their breach event costs. This fixed amount is all the insurer will pay for the entire incident, including forensic costs, legal costs, cyber extortion payments, and so on. Essentially, this practice caps the insurer’s exposure at the sub-limit.
- Co-insurance – some insurers are also applying co-insurance provisions. This means that they will not insure the entire amount by themselves, forcing the insured to share the risk with the insurance company. This mechanism was built to make sure that the burden and the risk lie with both sides, so that both sides take steps to lower the risk.
According to Aon’s Cyber Insurance Snapshot report, in 2021 “Coinsurance is also being proposed, in some cases, in conjunction with a sub-limit” as part of the movement to a limit deployment strategy, under which insurers may cap the total aggregate limit they offer to any insured at some factor of the total policy limit.
Regulators are also intervening
The rise in ransomware attacks has also raised regulators’ concerns. The Treasury’s Office of Foreign Assets Control (OFAC) issued a warning stating: “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
This means that such companies could face steep fines from the U.S. federal government if the criminals who profit from the attack are already under economic sanctions. OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program and other sanctions programs, including perpetrators of ransomware attacks and those who facilitate ransomware transactions.
Since insurers often offer cyber policies that cover ransom payments, this warning obviously has a huge effect on the cyber insurance industry.
It is unclear how the sudden, dramatic rise in ransomware will play out for the cyber insurance industry, but the direction is clear: insurers will not simply “pick up the tab” by themselves. Across the board, insurers appear to be raising prices while at the same time finding ways to limit and/or reduce their exposure to this rising risk. However, if regulators impose strict “no payment to cyber criminals” rules, which could apply to carriers, the reward to cyber criminals may be reduced, resulting in a decrease in the number of ransomware attacks.