Written by Kevin Richards and Robert Vescio
From Colonial Pipeline to JBS, from President Biden to in-house cybersecurity experts, from CNA to individual insurance brokers, everyone seems to be talking about ransomware as if it’s the most serious cyber threat in modern history. Colonial Pipeline, JBS, and CNA paid a combined $56 million in extortion (and this does not include recovery costs and downstream economic impact), President Biden signed an executive order on improving the nation’s cybersecurity in the wake of the Colonial Pipeline attack and recently sparred with Russian President Vladimir Putin in Geneva regarding Russia being the source of some notable attacks, and the cyber insurance industry started increasing requirements and coverage costs due to the unprecedented surge in attacks.
However, are these ransomware attacks truly impacting everyone the same? Sure, every victim feels some type of pain. Though, is that pain tolerable or intolerable?
Colonial Pipeline, JBS, and CNA will get past these ransomware attacks, they will figure out ways to reclaim lost revenue due to the business interruption portion of the ransomware attack, and they will make some cybersecurity improvements to reduce the probability of future attacks. Ultimately, these attacks were an annoyance and nowhere near catastrophic.
The situation is not the same for President Biden. The surge in ransomware attacks, especially targeting national core infrastructure, represents a massive weakness that could be exploited by our enemies (political and economic) and harm US citizens. The United States is a nation that is heavily dependent on gas and oil, and its citizens always expect gas and oil to be available. Situations, like the Colonial Pipeline ransomware attack, prove that a singular cyber incident could cause widespread and downstream economic impact. US citizens expect President Biden to do something about this problem. Fortunately, he has defensive and offensive options.
The situation is worse for the cyber insurance underwriters. For years, the cyber insurance industry has been underestimating the realities of cyber-attacks and selling insurance fast and cheap. The competition has been fierce, with some carriers selling policies for less than 1% of limit to buy their way into the market. Low requirements, super low premiums, and reasonable deductibles have created a situation that is mathematically untenable. The surge in ransomware claims was not anticipated, and the increasing extortion demands (which are generally covered by cyber extortion policies) rapidly eroded what has been historically high margins within the cyber insurance portfolios. This reality is causing the carriers to rethink cyber insurance at large because no carrier wants a portfolio that produces negative margins. In one case so far, the pain from ransomware is intolerable, and the carrier is dropping ransomware coverage.
What is ransomware anyways?
Ransomware is malicious software that aims to hold data or systems hostage until an extortion (aka ransom) is paid. In many cases, the attacker even threatens to disclose stolen data if the victim organization does not pay the ransom. Victim organizations can be targeted by the attacker, or the circumstance can be purely opportunistic. Fortunately, there are ways to reduce the probability and impact of ransomware. However, it is impossible to eliminate the risk.
Ransomware is a criminal activity, and as with most criminal activity, the crime is about economics.
As a financially motivated crime, the aim is to extort millions of dollars from one or more organizations.
As an activist crime, the aim is to disrupt operations for one or more organizations to inflict pain onto the victim organization and the downstream economy.
As an activist + financially motivated crime, the aim is to disrupt operations for one or more organizations to inflict pain onto the victim organization and the downstream economy and to use the extortion to fund future crime activity.
The victim organizations of ransomware are generally high-profile targets, selected by the criminal. Colonial Pipeline, JBS, and CNA were high profile targets. Of course, this doesn’t dismiss the notion that other victim organizations were opportunistically caught in the criminals “web of extortion” by broadly disseminating their malicious software. Many small and medium size organizations are the victims of an opportunistic crime.
Why is ransomware so bad for the insurance carriers?
The problem isn’t ransomware itself. The problem is about probability and leverage.
Insurance carriers play a game of chance. Ideally, the sum of all insurance premiums would outweigh processed claims. The carriers use tools like deductibles, waiting periods, and limitations to eliminate high probability claims, which means they are only paying on low probability claims.
Of course, the use of deductibles and waiting periods doesn’t solve the problem that one claim equals many premiums. To solve for this problem, the carriers must sell lots of policies. They might even set targets that indicate for each claim paid, they need 100 customers to break even. This logic isn’t a problem for certain markets like auto and life insurance where the potential customer volume is over 200 million. However, with cyber insurance, the potential customer volume is dramatically smaller.
It is also important to note that the premium is always some percentage of the limit. If the carriers sell lots of small policies that easily max out, then the ratio of claims to policies needs to be even greater. Fortunately, the carriers can use requirements to move an individual customer up or down in their rate cards to further offset risks. In essence, a higher risk customer would pay a higher premium than a lower risk customer. But this does mean the requirements have to match with the policy or else all movements in the rate card would be arbitrary and flawed.
Each of the above points get to the point of why ransomware been so bad for the insurance carriers.
For years, the brokers have been pressuring the carriers to sell fast and cheap. In many cases, the carriers are expected to provide a quote within 24 hour or less. With this pressure, the carriers have no choice but to breeze over requirements, discount premiums in the hope of winning volume, soften certain limitations, expand insurable components like cyber extortion, sell smaller limits, and pray for the best outcome. At some point, the claims were eventually going to outweigh the premiums with this fast and loose method.
The carriers took on an unknown risk with ransomware. They had no way of predicting the subjective extortions that have increased year over year. CNA has paid the highest extortion on public record. They paid $40 million to their attacker. Additionally, they underestimated the frequency, recovery costs, and business interruption costs. Low limit policies were being maxed out, which placed significant pressure on their portfolios that were limited in volume. In all, this was a bad combination of factors.
It is important to note that cyber losses will continue to evolve over time, and that something will replace ransomware in terms of severity. To say it another way, the carriers need a solution that helps them understand the probability and impact of cyber losses amongst a distinct set of loss categories that are regularly being calibrated to the ever-changing environment. The statistics for cyber are not the same as auto or life insurance, and it should be assumed that cyber statistics will become stale within 12 months.
So, what can the insurance carriers do now regarding ransomware?
Just like President Biden, the carriers have both offensive and defensive options to improve their odds and ensure profitable portfolios.
As a massive first step, the carriers need to increase their limits. This may seem counterintuitive. However, by increasing their limits they are lowering their chance of the policies being maxed out and they are lowering their need for excessive customer volumes. With higher limits, they generate higher revenue because the premium is based on limit. Besides, large organizations will continue to self-insure if limits only cover 5%, 10%, or 20% of total losses.
As a second step, the carriers need to stop paying the extortions. It would be unfair to solely blame the carriers for the recent surge in ransomware. However, they are the fuel that keeps the fire burning. The attackers are emboldened with each ransom paid. If everyone stopped paying the ransoms, then the criminal ransomware market would lose its fuel and would be reduced to activist motivated purposes.
Even the US Treasury Department Office of Foreign Assets Control (OFAC) warned that making ransomware payments is a violation of economic sanctions. By the way, this doesn’t mean there isn’t anything left to cover. The carriers can still cover losses due to ransomware recovery, business interruption, and many other cost elements.
As a third step, the carriers need to align requirements to loss categories that then map to insurance products. With this alignment, they can better eliminate high risk customers, more appropriately move other customers up or down within their rate cards and set better deductibles and waiting periods to offset higher probability claims. Of course, this will slow down the application process and require annual updates to the application. But this shouldn’t be viewed as a bad thing. Ultimately, cyber insurance is needed, and we need the industry to be successful. Taking a bit more time to get things right will be better for our economy.