
Held hostage: Insurers look to focus ransomware narrative on resilience

By Erin Ayers, Advisen

It’s become a common headline – cyber insurance ransomware payouts embolden criminals, encouraging larger and more frequent ransomware demands. However, for the insurance industry, the narrative playing out in the media is frustrating, confusing, and, in many ways, inaccurate.

As ransomware has expanded in frequency and cost, as more and more cities, school systems, hospitals, and businesses become victims of these disruptive cyberattacks, the role of cyber insurers in handling these claims has come under fire. Cybersecurity professionals and public officials say that paying the ransom – for any reason – exacerbates an already severe problem.

Industry insiders speaking with Advisen objected to the idea that insurers leap to ransom payment as the first option or that companies pressure clients to pay for decryption keys.

“A lot of what’s been written has misdefined the role of the carrier,” said Kimberly Horn, global focus group leader for cyber claims at Beazley. “Whether it’s a data breach or ransomware, we are a facilitator of services. There’s a disciplined process.”

There may be a “moral hazard” to paying the ransom – a coalition of 225 U.S. mayors resolved in July to not pay ransomware demands and the FBI has repeatedly advised against paying to avoid funding criminal activity.

However, many victims have few options, if they don’t have functional back-ups or the time needed to rebuild entirely. In fact, without cyber insurance, many smaller organizations may not have the connections or resources to go through the breach recovery process.

“You don’t want to reward bad actors, but it’s crazy to run the victims’ costs sometimes two, three, four times more expensive to try and rebuild,” said James Jaeger, president and cybersecurity strategist at Arete Advisors. “That’s when we support paying the ransom, if the victim doesn’t have a good back-up.”

Beazley’s Horn explained that the insurer and service providers evaluate whether an insured has viable back-ups, determine what type of data is encrypted, and whether it’s “mission-critical” to moving forward. The goal is to provide organizations with as much information as possible “so they can make an informed decision.”

“I think the biggest myths to dispel are that the insurer decides for the company and pays the ransom. Not so. We are agnostic. The company makes the decision to pay or not pay, and our policies are set up to reimburse when an insured chooses to make a ransom payment. We act as facilitator, reimburser, and educator, offering services and risk management tools to help companies prevent and mitigate the impact of these attacks. Also, contrary to popular belief, most ransom demands are not paid,” said Horn. “At the end of the day, it’s the company’s decision whether they pay. That’s a business decision they have to make.”

Nearly every organization examines all alternatives before making a decision to pay a ransom, frequently pursuing multiple avenues of recovery. Insurers and cybersecurity vendors assert that the focus of the ransomware claims process is to determine how quickly business can be up and running again.

“It’s not just about paying the ransom. That ought to be the last resort, and it is,” said Tim Francis, vice president and enterprise cyber lead for Travelers. “It’s about making the connection to the right expertise to bring them back online.”

For some entities, paying may not be feasible – despite increases in cyber insurance take-up rates, not every business or city carries the coverage. One of the highest-profile ransomware cases involved the city of Baltimore, which didn’t have cyber insurance, and to date has paid out over $18 million to remediate the May 2019 attack.

Ransomware demands have risen, with the average nearly doubling between 2018 and 2019. While most demands seem to be six figures on average, the city of New Bedford, Mass., received a demand for $5.3 million after being hit with a variant of the Ryuk malware in July 2019. Even with extensive efforts on the part of the city’s IT staff to prevent such attacks, one succeeded, according to city officials.

New Bedford, with the assistance of its cyber insurer and the city’s information security team, attempted to negotiate with the hackers, offering $400,000.

“While I am generally averse to engage in a negotiation of this kind, I concluded it would be irresponsible to simply dismiss out of hand the possibility of obtaining the decryption key if insurance coverage could cover the full cost of the ransom payment,” said New Bedford Mayor Jon Mitchell in a statement.

The cybercriminals refused, insisting on the multimillion-dollar payday. New Bedford ceased negotiations – the city had been comparatively lucky in that its public safety systems could still function and that the attack had been detected and contained quickly. The Massachusetts city’s experience emphasizes another point that insurers make – there are no generalizations possible in ransomware.

“There are some common patterns, but you have different individuals, different groups, and different strains of malware. Some are more pervasive than others,” said Travelers’ Francis. The factors that make each scenario different also affect customers’ decisions, he added.

Francis dismissed the suggestion that cybercriminals specifically target entities with cyber insurance. In every case, bad actors transmit malware, “hoping someone will click on it” regardless of whether there’s insurance in the mix.

“The notion that a criminal would say ‘Oh, you don’t have insurance? Our bad, never mind’ — that’s unrealistic,” he said. “They’re going to occur and do occur whether there’s insurance there or not.”

Marsh JLT Specialty’s cyber practice team recently commented on the “opposing viewpoints” on ransomware and cyber insurance, saying that the critics’ arguments “don’t hold up.” They also miss the point that the coverage benefits insureds in ways beyond ransomware.

“Beyond its specific purpose in thwarting ransomware attacks, cyber insurance is valuable for other reasons. The insurance underwriting process raises awareness of cyber threats, identifies how companies should be responding, and educates insureds,” said Matthew McCabe, Marsh’s senior vice president and assistant general counsel for cyber policy. “Cyber underwriters now demand much more information on how the companies they insure are combatting phishing attacks, which account for a large majority of cyber incidents.”

The implication that paying the ransom immediately restores any entity to business as usual and lets insurers off the hook for additional costs is also a myth.

“That’s not how it works,” Horn of Beazley said. Restoring from backups can often be faster than negotiating and paying the ransom demand. Even when a ransom is paid, forensic work continues to ensure all threats have been eliminated and determine the extent of the attack. And recovery of data isn’t always an option – but usually not because cybercriminals don’t decrypt the files as promised.

Arete’s Jaeger said it is “extremely rare” to pay for decryption keys and not receive them. If data can’t be recovered, he added, it is more likely to be because the ransomware caused unintended damage.

“You’ll always hear that [paying] doesn’t guarantee you get the key or the key doesn’t work – that’s not the case,” Jaeger said.

Since ransomware attacks continue to occur even though not every ransom demand is paid, experts say the focus should be on prevention, business continuity, and recovery.

Awareness of the risk among organizations is improving, according to Francis. Travelers’ annual business risk survey revealed that cyber events and cybersecurity are top of mind. Ransomware specifically ranks third among cyber risks for survey respondents, he said.

Having viable back-ups stored offline dramatically reduces the time and cost spent recovering after a ransomware attack.

“In at least 50 percent of the attacks that we see, the very first thing attackers go after is the backup,” said Jaeger. “An online back-up, unless it’s very well protected, isn’t going to do you much good.”

Jaeger advocated for more rigorous prevention of ransomware. Behavioral-based endpoint detection and response (EDR) tools that offer continuous monitoring and automated response to malicious activity provide the best defense against attacks, he added.

Experts also say that focusing on reducing the spread of malware in a system helps minimize impact.

“The key to resilience is having robust back-ups and segmentation in your network,” said Horn. “This is true whether it’s a breach or ransomware: how well can you contain them in your network?”

However, the public debate on ransomware may have inadvertently succeeded in upending another myth facing the industry – suggestions that cyber insurance doesn’t pay out when it’s needed.

“So what do the critics get right? Just one important point: Cyber insurance pays claims. For more than a decade, cyber insurance policies have reliably paid claims for ransomware, network interruptions, data breaches, and related liability. Leading insurers handle thousands of claims a year, and US carriers paid cyber claims totaling an estimated $394 million in 2018,” said Marsh’s McCabe.

Editor Erin Ayers can be reached at [email protected].