Industry’s reassessment of ransomware has been underway for months, and awareness helps
By Erin Ayers, Advisen
The Colonial Pipeline ransomware event brought widespread attention to a problem long-recognized by the insurance industry – the systemic risk posed by critical infrastructure’s myriad cyber vulnerabilities and the essential need for investment in cybersecurity.
The cyberattack has also deepened the focus on ransomware, a threat that has reached epidemic levels for insurers and organizations of all sizes and in every sector. It also shines a spotlight on cyber insurance at a time when prices, demand, and questions over ransom demand payments are rising.
“Given the rise in ransomware, that is one area we’re definitely looking at now to say, ‘What should be the government’s approach to ransomware actors and to ransoms overall?’” said Anne Neuberger, deputy national security advisor for cyber and emerging technologies, during a White House press briefing this week. President Joe Biden issued an executive order on cyber defenses for federal agencies and software contractors this week.
After the cyberattack that brought down 5,500 miles of the nation’s largest refined-fuel pipeline stretched to five days of disruption, Colonial said on May 12 it was restarting service. However, fuel shortages remained and could have knock-on effects on transportation and other sectors.
The Federal Bureau of Investigation attributed the attack to Darkside, a ransomware-as-a-service threat actor thought to be purely criminal rather than state-sponsored. The group explained on its website it had not intended the “social consequences” of the hack.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives,” said the group. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The Colonial Pipeline attack is the latest in a recent string of attacks on the utility sector, following an attempted attack on a Florida water treatment facility and a malicious insider’s efforts to take down a Kansas water utility. In 2020, a ransomware attack targeted a natural gas firm, causing a multi-day downtime. The events highlight a threat the cyber risk and insurance world has warned of for many years – the hack of the nation’s critical infrastructure, much of which is privately owned. Colonial Pipeline, for example, has several owners including Koch Industries, KKR & Co., and Royal Dutch Shell.
Industry observers have suggested disruptive and damaging cyberattacks on essential aspects of society are less likely than financially-motivated attacks, since intentional attacks on critical infrastructure by a nation-state would be considered acts of war.
For the energy sector, reliance on a network of suppliers increases the risk of substantial costs and downtime. According to a client alert from wholesale broker Amwins, if any one U.S. oil refinery were taken offline for three days by a cyberattack, the costs could reach an estimated $13.5 million, assuming an output of 75,000 barrels per day.
“There’s no question the oil & gas sector is highly sensitive to supply chain risks and disruptions – whether from weather, geopolitical, or other macroeconomic pressures,” said Megan North, vice president and broker at Amwins. “We’ve historically seen these factors result in volatility in pricing of the commodity itself to inflated operating costs for those companies who participate along the supply chain all the way to consumers. This cyber event – though unique in its genesis — is likely to be similar in its result to the more traditional interruptions.”
North told Advisen in an email that virtually all industries have seen a hardening market for cyber insurance, one that will likely deepen especially for the energy and critical infrastructure sectors.
“Lately, that trend has accelerated in certain sectors that are notorious for supply chain risk and usage of legacy industrial control systems – such as manufacturing, energy, and critical infrastructure,” she said. “Though the increased frequency of attacks has been making headlines, many of these industries have produced slower take-up rates than other, more digital and data-driven industries such as healthcare and financial services.”
According to Marc Voses, partner with Clyde & Co., absent regulation of ransom payments, the practice will expand in frequency and severity.
“There is an increasing pattern and practice of threat actors going after infrastructure like the Tampa water authority hack a few months back, and now the pipeline,” he said in an email to Advisen. “We need a more robust and centralized cyber defense branch of the military to defend and respond to these attacks before it results in widespread loss of life or property.”
The event has thrust the cyber insurance market and its role in ransomware into the headlines, according to commentary from AM Best. Standalone cyber premiums rose more than 28% in 2020, and Best suggested the Colonial Pipeline event could spur insurers to re-evaluate their approach to ransomware.
For most insurers in the space, that process has been underway for several months, resulting in the harder market featuring price corrections and coverage restrictions.
The attention to ransomware stemming from the pipeline event will have some beneficial effects for insurance and cybersecurity, according to Brad Gow, global cyber product leader for Sompo International.
“The impacts on the cyber insurance market are going to be profound, and for the most part, pretty positive,” he said. Already a headline risk, the attack on the fuel supplier should boost the public’s awareness of ransomware and the major threat it represents.
“It gets really tangible when you get to the gas station and the pumps aren’t running because of a ransomware attack,” Gow told Advisen. From a public policy standpoint, Colonial Pipeline has “focused a lot of minds” with ransomware already a key focus of the Biden Administration, he added.
It also underscores the message of mitigation the industry has championed for years. Insurers have reached a point in the evolution of cyber where strict technical controls are broadly being required to get coverage. It’s a significant shift, Gow said, and one that is having a positive impact on losses.
“After 20 years of being in the backseat and not having any say over how companies manage their network security and witnessing the gulf between information security and operational security, I’m seeing a definite change in 2021, with the industry saying, ‘This is what you need to have in place to get cyber insurance at a reasonable rate, or to get the full limits you want.’ That message is getting out,” he said.
Organizations also more readily take the initiative to protect themselves. Companies are seeking out tabletop exercises, boosting their security, and buying as much cyber insurance as they can afford.
“Some of these recent events are so high-profile, so public, and so impactful, executives are saying, ‘holy cats, what do we have to do to make sure that doesn’t happen to us?’” said Gow.
Editor Erin Ayers can be reached at firstname.lastname@example.org