The ransomware attack on Colonial Pipeline Co., which caused gasoline shortages along the US East Coast, has also sparked debate over whether cyber insurance helps protect against marauders – or attracts them.
Some cybersecurity experts say hackers target companies that have coverage because they know those companies can pay ransoms. Others say that misplaces the blame, and that insurers, where appropriate, have raised the bar on cybersecurity.
“Ransomware players are there for the money, so if they know a target is insured, they can go after that target,” said Chris Painter, chair of the Global Cyber Expertise Forum and former cyber coordinator at the US State Department. “On the other hand, underwriting standards for insurance often contain requirements that motivate their policyholders to be better at cybersecurity and hopefully prevent some of these attacks.”
Attacks are on the rise. Cybersecurity firm Emsisoft saw an increase of around 12.4% in the number of victims who reported being affected last year, compared with 2019. The amount of ransom demanded almost doubled in 2020, according to Group-IB.
“Ransomware has increased dramatically in its frequency and the number of requests requested,” said Matthew McCabe, senior vice president of cyber practice at Marsh McLennan. “Cyber attacks are increasingly sophisticated and organizational. Ransomware gangs have been involved in this for quite some time, and like any business, they get better as they go.”
Meanwhile, the cyber insurance market is growing. Stand-alone cyber policy premiums rose 28% in 2020 from a year earlier and have risen by around 76% since 2016, according to rating firm AM Best. But not all businesses buy coverage. In the United States, just 47% of insurance broker Marsh’s clients purchased stand-alone cyber policies, up from 42% in 2019, the company said.
Having that insurance can put a target on a company’s back, according to Jon DiMaggio, chief security strategist at Analyst1. He pointed to a 2021 Cisco Talos report that quoted an attacker saying a ransom payment was virtually guaranteed if the target had insurance.
Some disagree. Joshua Motta, co-founder and CEO of cyber insurer Coalition, and Adam Lantrip of insurance broker CAC Specialty said system vulnerabilities were more to blame.
“I don’t think it’s as binary as a process of saying, ‘This company is buying cyber insurance so I’m going to attack them,’” said Lantrip, head of cyber practice at CAC. “When we talk to security companies and people doing threat intelligence, they will generally say that attackers are more likely to be looking to find out who is showing the world a particular technology that they know they can exploit. This is how they narrow their target list.”
Motta, of the Coalition, said paying a ransom was often the only way to respond to attackers.
“At least 50% of the time, there isn’t really an option,” he said. “Not only have they encrypted the data, but they have encrypted the backups and there is no way to recover without paying the ransom.”
Motta argues that insurers are helping the industry by raising the level of cybersecurity due diligence that companies perform. Those efforts intensify after a high-profile incident like Colonial, according to Adam O’Donnell, a cybersecurity expert at Internet 2.0.
“I’ve seen a lot of organizations where their self-assessment maturity is very high and then a very basic cyberattack proves them dead wrong,” O’Donnell said.
Insurers have responded to the upsurge in attacks by stepping up scrutiny of new customers and of their efforts to protect data, according to McCabe of Marsh. Axa SA’s French unit has stopped writing new policies that reimburse ransomware payments, according to a spokesperson. Other insurers have sought to cap their exposure, according to CAC’s Lantrip.
For now, the question of how to stop the cycle of ransomware attacks and payments remains.
“You have to tackle the money,” the Coalition’s Motta said. “Some of these threat actors report more trafficking than the international drug cartels.”
Copyright 2021 Bloomberg.