We are all well aware that ransomware exposures and impacts have grown rapidly as professionals have shifted to working from home because of the pandemic, resulting in expanded threat and attack surfaces. By some accounts, ransomware attacks increased nearly 150% in the past year, and insurance claims and costs of payments skyrocketed after having already jumped approximately 230% between 2018-19. Insurance claims from cyber/ransomware events have consumed up to 40% of the claims of some insurers’ cyber books.
Cyber insurance was once seen as a stable sector of commercial insurance, with lower-than-average loss ratios compared to other major commercial coverages. However, that landscape has faded fast – threatening the very availability of cyber insurance for ransomware.
The insurance industry – and government regulators – are notably concerned. Recently, New York State’s Department of Financial Services issued a memorandum providing guidance to the insurance industry to help stabilize and safeguard the cyber insurance market. The NY DFS Cyber Insurance Risk Framework outlines a 7-point program for insurers to manage their cyber insurance risk.
Of course, appreciable erosion in the availability and breadth of cyber insurance coverage will have a negative impact on corporate profitability if meaningful risk transfer is no longer an option. As well, progress between the security community and insurers will certainly relapse.
I recently published a white paper that examines the causes of this crisis and makes recommendations for how the insurance industry, security professionals and regulators can work to stem the impacts of ransomware – and its threat to the cyber insurance market. The paper proposes several adaptations that cyber insurers can take to maintain reasonable loss ratios, while serving the risk transfer needs and demands of security organizations and their businesses, including:
Infosec loss prevention and mitigation: While progress on incident actuarial data leaves much to be desired, infosec statistics around threat and vulnerability dimensions have improved. In fact, they show remarkable consistency in the case of ransomware. Reports from leading vendors such as Coveware, Emsisoft, and Recorded Future agree that the most popular attack vectors and sources of ransomware incidents are remote desktop protocol (RDP), email phishing and spam, and unpatched vulnerabilities. Basic “blocking and tackling” can significantly decrease risk exposures.
Risk management coordination: Start with good tech hygiene, but intertwine it with insurance industry risk mitigation coordination. Rather than rely solely on factors like compliance or case law developing over time, embracing a risk management coordination role can help insurers take the fight to ransomware. Have insurers and infosec professionals coordinate closely on security risk metrics. Such coordination can better align risk optics, lower information asymmetries, and scale victimology beyond the current ad hoc dynamics. At a basic level, insurers may simply need to start requiring policyholders to assist in providing or verifying technographics and security posture to bring about more accurate cyber risk assessment. More aggressive measures might include incentivizing companies to share internal security telematics could add the missing link in cyber risk assessment and measurement.
Ransomware disclosure regulation: Since federal regulation, litigation, and state laws which require reporting and disclosure of data breaches served as the foundational basis upon which the industry anchors data breach underwriting and coverage, it bears asking: Do we need a similar enforcing function to adapt to ransomware risk? Regulatory fines, reporting requirements, and liability and legal costs have made data breach losses tangible, thereby capturing the attention of the industry. Government action via legislation, regulation, or judicial rulings can play a role in reducing risk and enforcing compliance.
Controls failure reporting: Attackers will generally follow the path of least resistance – so knowing and documenting their tactics, techniques and procedures (TTPs) and victim company technographics can go a long way to reducing exposures. However, there’s a trend with insurers to cut costs by collecting less information during the underwriting and claims processes. This trend works counter to the recommendation aimed at developing more mature cyber loss models to align risk with price premiums, because better modeling demands better data. Adaptation within the cyber risk landscape requires committing higher quality and quantity data to the actuarial record as possible. Collecting and sharing controls failure data would mark a significant step toward being able to quantify the end-to-end relationships between threats, security compliance, and incident outcomes.
Data-driven predictive models: In managing ransomware, mere knowledge of yesterday’s attacks won’t suffice to inform us about tomorrow’s outcomes. Any foresight becomes highly valuable for effective ransomware risk segmentation, assessment, pricing, and defense. Foresight in cyber insurance can come by way of predictive models. We need better validated and empirical data-driven models which incorporate expert knowledge. Such predictive models can drive more robust and reliable pricing models and inform underwriting guidelines.
Extortion payment policy reform:Cryptocurrency has fueled the growth of ransomware. Under debate is whether current regulations and policy appropriately guard against facilitating ransomware, or if more robust prohibitions are needed. It’s an open question whether further government interventions around ransomware will develop, such as outright prohibition of ransomware pay-outs, or improved attribution and enforcement against bad actors. As well, the insurance industry should strongly consider a self-regulatory approach that establishes a ransom non-payment policy.
Only innovation and evolution at the individual company, industry, and governmental levels will ensure resiliency of the cyber insurance market, and ultimately impact ransomware risk itself.
The new malware, which is designed to mimic the appearance of ransomware but includes no mechanism for ransom recovery, has not been tied to any currently tracked APT group or nation, but was found in “dozens” of Ukrainian systems across the government, non-profit and information technology sectors.