There has never been a brighter spotlight on the societal scourge of ransomware than the one cast over the past two weeks, as separate attacks led to a temporary gas shortage across the eastern United States, disrupted the IT networks of nationalized health care systems in Ireland and New Zealand and caused an international uproar for governments and industry to do more to hold cybercriminals accountable.
The development of cybersecurity insurance has played an important role in determining how companies prepare for and respond to ransomware attacks and the resulting fallout. That role has itself evolved, as insurers and the insured learn just how expensive that fallout can be. But it is still unclear how more recent and arguably far-reaching attacks might shape policies in the future.
The ransomware reality check for insurers
Prior to 2017, most insurers covered ransomware under traditional property and casualty policies. NotPetya changed that.
The worm-like ransomware ripped through the computers and systems of infected companies and locked them up with blinding speed, first in Ukraine and Russia, then Europe and the United States. White House cybersecurity officials said the attack caused as much as $10 billion in global damages.
Benjamin Wright, an attorney who teaches data security and investigations law at the SANS Institute, said NotPetya cost the global insurance industry around $2.7 billion in payouts. The speed of such attacks, their growing frequency and efficiency, and the second- and third-order effects they can have on customer data and on service delivery for other stakeholders in the supply chain forced a broader reevaluation of how to treat the problem.
“They decided that NotPetya has demonstrated to us that ransomware is a whole new ballgame and it’s not traditional damage to property and extortion,” said Wright during a session at the 2021 RSA Conference.
It was particularly devastating for large enterprises. Because of their scale and the speed at which the worm spread, some companies received individual insurance payouts of $300 million or more.
“Large companies generally have more computers, it’s more expensive to remediate, there are larger customer counts, so these costs are astronomical,” said John Pescatore, director of emerging security trends at the SANS Institute.
The incident caused many insurers to create ransomware-specific coverage policies and led to a renewed vigilance around compliance. As Trent Cooksley, chief operating officer at Cowbell Cyber, told SC Media in February, requiring specific controls of businesses allows insurance companies to “maintain a profitable loss ratio.” While ultimately driven by the bottom line, he still believed the approach to be “good for businesses as, through the insurance process, they will gain better visibility into their cyber risks and measures they can deploy to keep digital operations secure and compliant to data privacy regulations.”
And with millions of dollars at stake, the details truly do matter when companies report on the specifics of their security operations. What an organization’s security policy says it does and what it actually does are not always the same. It may be the organization’s official policy to patch vulnerabilities within thirty days, but if the reality is more nuanced, a cursory answer can come back to bite them. Ransomware attacks are often followed by security audits from insurance companies, and Wright said that if your company is hit with a ransomware attack and an audit finds discrepancies between what was declared and what was practiced, that could be used to deny or reduce coverage.
“One of the really important things for a security team to bear in mind as it’s working with insurance is to tell the truth,” said Wright. “That’s so obvious, but telling the truth to an insurance company with respect to a very complex, technical topic like cybersecurity can be a challenge.”
Maybe a statement about how a professional team reviews patches, then goes through a risk assessment and makes decisions based on a responsible review is more accurate, Wright said, than just quickly saying “yes, we normally install patches within thirty days.”
Conflicting interests?
One of the biggest unsettled controversies in ransomware is over how much pressure the government and society should place on individual organizations not to pay the ransom, under the logic that each successful attack funds and feeds the next. Many individual businesses are more focused on finding the best way to salvage their business and data and restore operations in a timely fashion than on the broader societal impact.
Bad publicity, along with the specter of facing legal or regulatory repercussions for paying ransoms to groups that are subject to U.S. sanctions, has also led some companies to clam up when discussing payment. For example, members of Congress are complaining that the refusal of Colonial Pipeline officials to talk publicly about the company’s reported $5 million payment to the DarkSide group, which is not specifically listed as a sanctioned entity by the Treasury Department, is making it harder for Congress to understand the issue and develop effective legislative solutions.
Wright said that even when companies do want to hold out, insurers may be pressing them to pay. Since insurers tend to cover both ransom payments and business interruption due to ransomware attacks, if the expected costs of downtime and business disruption exceed the cost of paying up, insurers can and do diverge from their clients over the costs of, and the negative incentives around, ransom payment.
“The insured enterprise may not want to pay ransom, it may not like publicity of paying ransom, it may not like the politics or the morality of paying the ransom, but the insurance company may have a little different priority and that can come as a surprise to the entire enterprise,” said Wright.
Indeed, even as insurance companies push for security best practices among customers, Netenrich Chief Information Security Officer Brandon Hoffman told SC Media in February “it's hard to tell whether those actually align with best practices or if they somehow fit into their actuarial science conveniently.”