If you are remotely involved with risk management for business and you haven’t heard of ransomware demands from cyber criminals, then you must be living on Mars at the moment.
Ransomware is a type of malware that threatens to publish data or perpetually block access to it unless a ransom is paid – and it is a huge issue for business at the moment, with a spate of high profile ransomware attacks hitting the headlines in recent months. The attack on Colonial Pipeline is perhaps the most significant in a series of similar cyber-attacks from sophisticated criminals, with other targets including meat producer JBS; Toshiba; Axa Insurance; CNA Insurance; and the Irish Health Service.
In the case of Colonial Pipeline significant disruption was suffered by the US East coast energy infrastructure network, and Colonial ended up paying a $4.4 million ransom – though reports have suggested that with the help of US federal agencies $2.3 million of the cryptocurrency demand was subsequently recouped.
And it’s a problem that is not likely to go away any time soon. Indeed, the number of ransomware attacks in 2021 on US companies could end up being as high as 100,000 according to former CEO of Cisco Systems John Chambers.
According to Chambers, US companies are expected to endure over 65,000 ransomware attacks this year, an estimate he noted was conservative, with the ultimate figure possibly being as high as 100,000, as he stressed that cybersecurity is now one of the top three issues facing corporate boardrooms.
At present, in most jurisdictions, it isn’t illegal to pay cyber criminals a ransom demand but law enforcement agencies such as the FBI have warned that doing so will give the cyber gangs funds to launch more attacks, and have come up publicly to ask companies not to do so.
Given this alarming context, one would have thought that cyber insurance would be an essential prerequisite for companies, then. But this is a complicated area. Yes, ransomware is one of the biggest cybersecurity issues facing organisations today but as claims mount and cyber insurers examine the coverage they are offering, changes may be coming. And the controversial new research paper from defence think tank the Royal United Services Institute (RUSI) suggests that cyber insurance isn’t necessarily helping with cybersecurity.
According to the paper, allowing organisations to claim back ransom payments could be making the problem of ransomware worse, though it notes that cyber insurance can be used to help improve security.
But let us track back. Cyber insurance is designed to protect organisations against the fallout of cyber-attacks, including in some instances covering the financial costs of dealing with incidents- which may include ransom demands.
However, some critics argue that insurance encourages ransomware victims to simply pay the ransom demand that will then be covered by the insurers, rather than having adequate security to deter hackers in the first place. Insurers, on the other hand, understandably argue that it’s the customer that makes any decision to pay the ransom, not them.
According to the research paper by RUSI, examining cyber insurance and the cybersecurity challenge, this practice isn’t just encouraging cyber criminals, it’s also not sustainable for the cyber insurance industry, warning that ransomware has become an existential threat for some insurers:
“To date, cyber insurance has failed to live up to expectations that it may act as a tool for improving organisations’ cybersecurity practices… cyber insurers may be unintentionally facilitating the behaviour of cyber criminals by contributing to the growth of targeted ransomware operations.”
Refusing to pay the ransom can lead to months of downtime and huge costs for organisations that attempt to restore their networks from scratch. According to RUSI, some ransomware victims and their insurers will pay the ransom because they see it as the lowest cost option for restoring networks:
“There are widespread concerns that insurers are fuelling ransomware attacks by paying ransom demands. Paying ransoms is not currently illegal, and it is often cheaper to pay off extortionists than it is to rebuild IT infrastructure or cover losses from business interruption.”
Indeed, there is the suggestion from some that savvy ransomware criminal networks are even actively seeking to target victims with cybersecurity policies because they believe that’s the most effective way to guarantee they will make money from encryption campaigns.
Managing cyber risk
Although the jury remains out on the efficacy of cyber insurance in relation to ransomware demands, according to the RUSI report one area where cyber insurance can play an important role in actively disrupting the ransomware business model is on the risk management side of the fence, by encouraging policy holders to improve their defences in order to do as much as possible to prevent them from falling victim to a ransomware attack in the first place. The paper suggests that insurance should require ‘minimum ransomware controls’ as part of any ransomware coverage.
These controls include timely patching of critical vulnerabilities in external-facing IT structures, enabling multi-factor authentication on remote access services, limiting lateral movement by adopting network segmentation, and implementing procedures to ensure regular backups are created.
It says that all of these recommendations could prevent a ransomware attack from happening in the first place, or mitigate the damage a ransomware attack could do – meaning that, in the event of falling victim to a ransomware attack, paying the ransom would be an absolute last resort, rather than being signed off as the simplest thing to do.
It would also cut risks for the cyber insurance industry going forward, according to RUSI, reducing the need for insurance companies to support large pay-outs for decryption keys following a ransomware attack:
“The impact of ransomware on the cyber insurance industry emphasises the need to address some of these issues and questions sooner rather than later. As some insurers risk being overwhelmed by losses, the industry and governments need to react quickly to ensure adequate protection and coverage for businesses.”
As things stand, though, the cyber mood music isn’t necessarily a positive one when it comes cyber insurance, according to RUSI:
“Interviewees from across government, industry and business consistently stated that the positive effects of cyber insurance on cybersecurity have yet to fully materialise… most of the market has used neither carrots (financial incentives) nor sticks (security obligations) to improve the cybersecurity practices of policy holders.”
To access the full research paper from RUSI click here.
Follow us on twitter: @RisksEmerging