CyberGuide - Information Security and Cyber Risk Management



Ransomware claims ‘unsustainable’ for insurance industry

By Chad Hemenway, Advisen

SAN FRANCISCO—The “extreme rise” in ransomware attacks, and an increase in demands, are at an untenable level, said John Coletti, chief underwriting officer – Cyber and Technology for AXA XL, at Advisen’s Cyber Risk Insights Conference.

“Something has to be done,” added Coletti at the conference on February 11. Ransomware demands that were once thousands of dollars are now tens of millions of dollars, he said.

“It’s unsustainable,” Coletti said. “You get in a situation where you get a demand for $10 million on a Friday and you’ve paid your limit by Monday – without any recourse. You don’t look good to your bosses when you’ve just paid that amount of money in three days.”

Though it is not something the insurance industry wants to do, coverage will have to start to shrink if the current rapid rate in the increase of ransomware losses doesn’t stop, Coletti said.

The individual or group behind a ransomware attack can originate from so many places and have so many different motivations that, from a claims perspective, attribution is not important unless the attack has been deemed an act of war, which would trigger an exclusion.

“Regardless if it’s a criminal, hacktivist, insider, organized crime – we’re going to treat the situation the same,” Coletti said. “We handle claims agnostic of who the actor is. We’ll take care of our client and that’s the number one priority.”

There’s not much of a choice. Policyholders may not be the target of a ransomware attack but are rather collateral damage to nations engaging in cyber warfare. These nation-states have elevated the profession of hacker, and it has become a well-paid career—especially in certain struggling economies. The job puts food on the table. According to reports, cyber crime will soon become more lucrative than the illegal drug trade.

“This is a 9-5 job,” said Tony Cook, director at Crypsis Group. “There are people who get paid to do this. They’ve been doing this for many years. There are teams of people doing this work.”

In fact, hackers can be specialized. For instance, a hacker might be particularly experienced and effective striking the healthcare industry, Cook said.

From an underwriting perspective, there have been enough ransomware incidents and a general understanding of threat actors, to learn about this risk, Coletti said. Factors such a company’s product, size and assets can be contemplated in policy language and price. Energy companies may be more susceptible to hacktivists, for instance. The financial sector is prone to attacks for monetary gain.

But there does not appear to be an end in sight because hackers rarely face consequences. Mike Snader, associate director of cyber investigations for Kivu said law enforcement typically “follows the money” when investigating a crime, but because ransom is paid in cryptocurrency, it can be difficult to trace to an actor or organization.

“It’s a good business model,” said Snader, associate director of cyber investigations for Kivu. “You can run and be somewhat anonymous.”

Or the investigation takes time, in which case an insurer cannot wait two years to pay a claim.

The volume of these attacks is also a factor. Law enforcement must pick and choose which attack to investigate, Snader said. “You have so many cases and only so many investigators,” he said.

Managing Editor Chad Hemenway can be reached at chemenway@advisen.com