Ransomware & Cyber Insurance

In the wake of recent ransomware attacks, Cyber Insurance and its role in risk management have become active topics of discussion among cyber professionals. Many organizations and their cyber leaders find it challenging to navigate the complexities of cyber insurance, making it hard to manage ransomware risks and coverage. 

Given these realities, Rain Capital convened a panel of 10 CISOs from multiple industries to discuss cyber insurance and ransomware risks. The event included two attorneys with expertise in cyber insurance: Charisse Castagnoli, adjunct professor of law at John Marshall School of Law, and Judy Selby, a partner with Kennedys, an international law firm. Castagnoli focuses on information security, approaching risk from a legal and data privacy perspective, while Selby focuses on insurance matters, particularly emerging technology, digital, and compliance risks. Selby also authored the book “Demystifying Cyber Insurance.” This is the first of several posts on the presentations they gave the group and the discussions that ensued.

Insurance premiums are rising: Many organizations are experiencing a visible increase in their cyber insurance premiums due to the risk of ransomware attacks. The attendees of the event saw premium increases this year ranging from 40 to 200 percent. A carrier told one large healthcare company to expect a 134 percent increase in its cyber insurance premium despite the company having had no claims.

Selby said that her data shows insurance costs in the United States and the United Kingdom rose more than 50 percent in Q2 this year. In June alone, US cyber insurance costs increased 68 percent. When asked if this increase was due to ransomware attacks, Selby indicated that ransomware is a likely cause, amongst other factors. 

Business Downtime: In most cases, downtime and business disruption are the highest costs of a ransomware attack. According to Selby, ransomware attacks cause 21 to 23 days of downtime, up about 10 percent over Q4 of 2020. Given the evolving abilities of threat actors, it’s likely to get worse. 

Lost revenue and income can be devastating to a business, but follow-on effects can also be costly. While Colonial Pipeline was offline, the gas stations it served couldn’t get fuel, losing revenue and income as well. Consequently, station operators sued Colonial Pipeline for failing to meet its obligations to deliver. (Note: this is an example of a loss that third-party liability policies may cover, a topic we’ll address in a subsequent post.)

The core of ransomware coverage, then, is business interruption coverage. Some policies have “failure to supply” coverage that could be triggered when an organization can’t meet its obligations. 

To Pay or Not to Pay: This is, of course, the ransomware question. It’s one that made the front page of many newspapers with the Colonial Pipeline case, and it’s a question that no company executive wants to face. 

According to the panel, the most critical factor in determining whether to pay is the value of the hostage data to the organization's continued operation, not how much it can fetch on the dark web. If you have good backups, it may not be worth that much. On the other hand, it could be worth a great deal if you can’t function, backups aren’t working, or trade secrets are involved. Other considerations include reputational impact and the organization’s ability to recover. 

Selby said that working with an experienced negotiator is vital because negotiators can assess the trustworthiness of the threat actor. Getting the decryption key, for instance, is just one step in recovering from the attack. There is no guarantee that a second attack won’t demand a second payment. Experienced negotiators know the difference between the various threat actors and help an organization make the best decision. Many policies also require prior authorization from the carrier for paying ransoms, so companies must work closely with their insurance carrier before making any payments.

While the attendees believe that 50 percent of attacked companies pay the ransom demand today, Selby indicated that the number of companies deciding not to pay a ransom appears to be increasing. Insurance carriers have covered more than 70 percent of the ransomware claims to date. But Selby said that this number is likely to decrease as insurance companies tighten up ransomware claims in the future. In May this year, AXA, a major cyber insurer in France, ceased its coverage for ransom payments. It’s unclear if other insurers will follow suit. 

How to pay? Once they have decided to pay, enterprises must be mindful of the legal risk associated with making the payment. For instance, the Office of Foreign Assets Control (OFAC), part of the U.S. Department of the Treasury, maintains a sanctions list of “Specially Designated Nationals” (SDN). It’s illegal in the United States to use any of these sanctioned entities to process payments. Similarly, the Council of the European Union added a list of natural persons to its sanctions list, expanding the 2019 directive “Cyber Sanctions Regime.” These individuals may not enter EU territory, all of their funds and economic resources are frozen, and it is illegal to make funds available to them.  

On September 21, 2021, OFAC took a significant step by adding the SUEX OTC Bitcoin exchange, a service owned by Russian nationals and used by many ransomware attackers to process payments, to the SDN list. OFAC has also indicated it will move soon to sanction other “nested,” “mixer,” and peer-to-peer exchanges that facilitate attackers’ access to hard currency. In early November of 2021, the US Justice Department seized $6.1 million in digital currency belonging to an alleged REvil operator and Russian national. The Treasury Department levied sanctions against these individuals and Chatex, a Russian-linked crypto exchange that allegedly facilitated ransomware payments.

In addition to legal risks, organizations should understand whether ransom payments are an “exclusion” from the insurance policy. For instance, payment to a “state threat actor” could be considered a war exclusion.

Finally, organizations can still have trouble making an approved payment if they don’t establish a payment infrastructure ahead of time. The experts on the panel pointed out that setting up a crypto wallet and establishing an account with an exchange aren’t trivial tasks. Trying to set them up during an attack is even more challenging. In some cases, enterprises can outsource payment infrastructure provisioning and management to a cyber insurance legal firm. In any case, companies must work closely with their insurance carriers, legal firms, and experienced response teams to avoid legal pitfalls and risks in making ransom payments.

Will the government outlaw ransomware payments? Whether ransomware payments should be illegal was a hotly debated topic at the panel. While there has been some talk of making ransom payments illegal, Castagnoli and Selby agree that most insurance carriers don’t think governments should make that move. 

Conclusion

As these issues demonstrate, ransomware and cyber insurance are complicated and rapidly evolving issues. The panel's best advice for CISOs is to create strong relationships with carriers, legal counsel, and the relevant law enforcement officials ahead of time. Such connections will help companies stay abreast of the rapidly changing insurance environment and better prepare them for any future attack. We’ll cover more of these issues in subsequent posts.