Ransomware: Addressing the Challenge to Cyber Insurance

Cyber insurance was once seen as a bright spot for the commercial insurance industry, with noticeably lower loss ratios and higher profitability than other major commercial coverages. However, the honeymoon period may be fading. Loss ratios have been rising, jumping 10 percent in the past year alone.[1]

Ransomware is the main culprit for this decline, and the threat and attack surfaces are only expanding. Ransomware attacks increased nearly 150% after the onset of Covid-19 pushed organizations into remote working environments. Ransomware claims and payment costs had already jumped approximately 230% between 2018 and 2019.[2] Ransomware claims have comprised up to 40% of some insurers' cyber books.[3]

These trends are undoubtedly behind the New York State Department of Financial Services' recent memorandum providing industry guidance on a cyber insurance risk framework. It outlines a 7-point framework for insurers "to sustainably and effectively manage their cyber insurance risk."

These outcomes, accompanied by a growing sentiment of helplessness in the industry, are also what drove me to develop a whitepaper that examines the environmental causes and recommends how insurers, the industry, regulators and legislators can work to stem the rise of ransomware and its threat to the cyber insurance market. The paper, "Ransomware: A Darwinian Challenge for Cyber Insurance," examines the issue by applying Darwin's theory of evolution and the Pace Layering Method to the cyber insurance industry. The paper, which I recommend reading in full, proposes some form of the adaptations below to enable cyber insurers to maintain profitability and achieve reasonable loss ratios while serving the risk transfer demands of organizations.

1.) Infosec Loss Prevention and Mitigation: While progress on incident actuarial data leaves much to be desired, infosec statistics on threat and vulnerability dimensions have improved. In fact, they show remarkable consistency in the case of ransomware. Reports from leading vendors agree that the most common initial access vectors for ransomware incidents are exposed remote desktop protocol (RDP), email phishing and spam, and unpatched vulnerabilities. Basic 'blocking and tackling' against these three vectors (keeping RDP off the internet or behind a VPN with multi-factor authentication, filtering mail and training users, and patching internet-facing systems promptly) can significantly decrease risk exposures.

2.) Risk Management Coordination: Incentivizing good tech hygiene is a start, but it must be intertwined with industry risk mitigation coordination. Rather than rely solely on factors like compliance or case law developing over time, embracing a risk management coordination role can enable insurers to take the fight to ransomware. A start would be to have underwriters, brokers, and infosec professionals coordinate closely on security risk metrics. Such coordination can better align risk optics, lower information asymmetries, and scale victimology beyond the current ad hoc dynamics. How risk management coordination can be taken up by insurers can be thought of as a spectrum. At a basic level, simply requiring policyholders to assist in providing or verifying fundamentals and technographics would bring about more accurate cyber risk assessment. On the other end of the spectrum, incentivizing insureds to share internal security telematics could add the missing link in cyber risk assessment and measurement.

3.) Ransomware Disclosure Regulation: Since federal regulation, litigation, and state laws which require reporting and disclosure of data breaches served as the foundational basis upon which data breach underwriting and coverage is anchored, it bears asking: do we need a similar enforcing function in order to adapt to ransomware risk? Regulatory fines, reporting requirements, and liability and legal costs have made data breach losses tangible, thereby capturing the attention of the industry.[4] Government (via legislation, regulation, or judicial rulings) is uniquely situated to play a role in reducing risk and enforcing compliance.

4.) Controls Failure Reporting: Standard components of digital forensics and incident response (DFIR) reporting include information about attack vectors and control failures: how attackers were able to access company networks and which technical or administrative safeguards were deficient. While the certainty of these attributions varies, insurers have by and large left these ransomware claim details on the cutting room floor, foregoing valuable lessons learned and perpetuating a piecemeal approach to underwriting. When it comes to cyber risk, attacker tactics, techniques, and procedures (TTPs) definitely follow paths of least resistance. Knowing their playbooks can go a long way toward reducing exposures.

Concerningly, there is a trend among insurers (mostly in the SMB market) of cutting costs by collecting less information during the underwriting process and eliminating data fields in the notification of loss.[5] This trend works counter to the suggested adaptation aimed at developing more mature cyber loss models that align premiums with risk.[6] Adaptation within the cyber risk landscape requires committing as much available data to the actuarial record as possible. Collecting and sharing controls failure data would mark a significant step toward quantifying the end-to-end relationships between threats, security compliance, and incident outcomes.

5.) Data-Driven Predictive Models: Because ransomware is a dynamic threat whose prevalence is unknown, and because it operates within interconnected landscapes, knowledge of yesterday’s attacks is insufficient to inform us about tomorrow’s outcomes. Any foresight is therefore highly valuable for effective ransomware risk segmentation, assessment, pricing, and defense. Foresight in cyber insurance can come by way of predictive models. The adaptation needed is empirical data-driven models which incorporate expert knowledge. Such predictive models can drive more robust and reliable pricing models and inform underwriting guidelines.

6.) Extortion Payment Policy Reform: Cryptocurrency is the fuel that drives the growth of ransomware. But for cryptocurrency, the pressure introduced by ransomware incidents and claims would be unremarkable. An open question is whether current regulations and policy appropriately guard against facilitating ransomware, or whether more robust prohibitions are needed. Government intervention around extortion payments seems likely in the longer term. Government options range from an outright prohibition of ransomware payouts to improving attribution and enforcement against bad actors. The insurance industry should also strongly consider a self-regulatory approach that establishes a ransom non-payment policy.
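Adaptation 1 above names exposed RDP and unpatched systems as the dominant ransomware entry points, and adaptation 2 asks insureds to verify such fundamentals. The following is an added example, not part of the original post or whitepaper, of the kind of check a defender (or an insured asked for "technographics") can run over data already on hand: it detects an RDP password-spraying burst that ends in a successful logon, and lists hosts whose patch level is older than a policy threshold. The event lines and host inventory are constructed for the example, and the event format is a simplified one-line rendering of Windows Security log fields (EventID 4625/4624, LogonType 10), not the native XML/EVTX layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), flattened from Windows Security log fields:
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """
2024-03-01T02:00:01 EventID=4625 LogonType=10 Account=administrator Src=203.0.113.7
2024-03-01T02:00:03 EventID=4625 LogonType=10 Account=admin Src=203.0.113.7
2024-03-01T02:00:04 EventID=4625 LogonType=10 Account=backup Src=203.0.113.7
2024-03-01T02:00:06 EventID=4625 LogonType=10 Account=scanner Src=203.0.113.7
2024-03-01T02:00:09 EventID=4625 LogonType=10 Account=jsmith Src=203.0.113.7
2024-03-01T02:00:12 EventID=4625 LogonType=10 Account=jsmith Src=203.0.113.7
2024-03-01T02:01:30 EventID=4624 LogonType=10 Account=jsmith Src=203.0.113.7
2024-03-01T08:15:00 EventID=4625 LogonType=10 Account=mlee Src=198.51.100.4
2024-03-01T08:15:40 EventID=4624 LogonType=10 Account=mlee Src=198.51.100.4
2024-03-01T09:00:00 EventID=4625 LogonType=3 Account=svc Src=192.0.2.9
""".strip().splitlines()

# Constructed host inventory (hypothetical): (hostname, internet_facing, last_patch_date).
SAMPLE_INVENTORY = [
    ("rdp-gw-01", True, "2023-11-20"),
    ("fileserver", False, "2024-02-25"),
    ("vpn-01", True, "2024-02-27"),
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Src=(?P<src>\S+)$"
)


def parse_event(line):
    """Parse one flattened event line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "id": int(m["id"]),
            "lt": int(m["lt"]), "acct": m["acct"], "src": m["src"]}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: finding} for sources with >= threshold failed RDP logons inside
    any sliding window, and note whether a successful RDP logon from the same source
    followed the burst within the window (the pattern of a guessed password)."""
    events = [e for e in map(parse_event, lines) if e and e["lt"] == 10]
    events.sort(key=lambda e: e["ts"])
    failures, successes, accounts = defaultdict(list), defaultdict(list), defaultdict(set)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e["ts"])
            accounts[e["src"]].add(e["acct"])
        elif e["id"] == 4624:
            successes[e["src"]].append(e["ts"])
    findings = {}
    for src, stamps in failures.items():
        burst_end = None
        # Timestamps are sorted, so a burst exists if `threshold` consecutive
        # failures span no more than `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                burst_end = stamps[i + threshold - 1]
                break
        if burst_end is None:
            continue
        followed = any(burst_end < s <= burst_end + window for s in successes[src])
        findings[src] = {"failures": len(stamps), "accounts": sorted(accounts[src]),
                         "success_after_burst": followed}
    return findings


def stale_hosts(inventory, as_of, max_age_days=30):
    """Hosts whose last patch is older than max_age_days, internet-facing ones first."""
    cutoff = as_of - timedelta(days=max_age_days)
    stale = [(host, facing) for host, facing, d in inventory
             if datetime.fromisoformat(d) < cutoff]
    return sorted(stale, key=lambda x: (not x[1], x[0]))


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP burst from {src}: {f['failures']} failures against {f['accounts']}, "
              f"success after burst: {f['success_after_burst']}")
    for host, facing in stale_hosts(SAMPLE_INVENTORY, datetime(2024, 3, 1)):
        print(f"stale patches: {host} (internet-facing={facing})")
```

Two design points worth noting. The success-after-burst flag is what turns a noisy "many failed logons" alert into an incident-priority one, because a successful interactive logon from the same source that was just spraying passwords is the moment the ransomware operator gets a foothold. And the patch check sorts internet-facing hosts first because those are the ones reachable by the mass-exploitation campaigns the vendor reports describe; a stale internal file server matters, but a stale RDP gateway is the claim waiting to happen.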

In conclusion, I propose that we must do more than simply adjust premiums and limits to meet acceptable loss ratios. Only innovation and evolution at the individual company, industry, and governmental levels will ensure the resiliency of the cyber insurance market, and ultimately reduce ransomware risk itself.

[1] Aon, U.S. Cyber Market Update, June 2020
[2] S&P Global Market Intelligence, Cyber insurers tighten underwriting, October 2020
[3] Carbon Black, Global Orgs See a Spike in Ransomware Attacks, April 2020
[4] A.M. Best, Best's Review, Cyber Insurance Special Report, US cyber insurance market took off as data breach notice and other privacy laws implemented
[5] PwC, Is your organization taking the right approach to cybersecurity?
[6] U.S. Department of Homeland Security, CISA, Assessment of the Cyber Insurance Market