Cyberinsurance’s “insurance” against ransomware payout
An increase in ransomware activity, and the losses incurred from it, is causing frequent and costly payouts that cripple cyberinsurance companies.
American tycoon Warren Buffett was once asked why Berkshire Hathaway was not writing cyberinsurance policies. He famously responded, “I don’t think we or anybody else really know what they’re doing when writing cyberinsurance. (Hence) we don’t want to be a pioneer on this.”
He was referring to the uncertain risks involved in writing cyberinsurance, let alone measuring those risks. Anyone who claims to know the base case or worst case for losses is “kidding themselves,” Buffett emphasised.
This was in 2018. Fast forward to 2021 today, and the situation has not improved.
If anything, it has worsened, as shown by rising ransomware attacks that are crippling insurance companies.
During a Veeam-Cloudian webinar about ransomware and cyberinsurance, Cloudian CMO Jon Toor said, “What we’ve seen is cyberinsurance companies are really being hit with losses.”
When ransomware strikes, attackers encrypt crucial company data, effectively halting the business’s operations. This in turn leads to losses from downtime, reputational damage, and more.
Many companies take out insurance policies to protect against these losses incurred by their data being held ransom.
Ransomware and cyberinsurance – a board-level conversation now
Jon shared that of all companies worldwide attacked last year, 73 percent had their data encrypted and paid ransom to recover their data.
Attack methods used to gain a foothold in an organisation are so sophisticated that they are becoming increasingly hard to detect.
Phishing emails, for example, are increasingly difficult to detect because of how legitimate they look. “That’s the insidious thing about it. Phishing emails are so hard to spot, and they only need to succeed one time in order to achieve their goals,” Jon pointed out.
And when they succeed, the losses they incur are huge: the average cost of an attack rose to USD 761,000 in 2020, while the volume of attacks has increased about tenfold in the last four years.
This threat has amplified many times over with Covid and the public health crisis we all lived through the past year.
“So, the cyberinsurance industry is sitting up. And it is important for this to be a C-level conversation because it affects the business.”
Cyberinsurance – struggling to keep up
According to Veeam’s Chief Information Security Officer, Gil Vega, the average cybersecurity insurance policy has improved, but “it isn’t really a good understanding of the notion of risk, or of good underwriting standards.”
He added, “Some cyberinsurance underwriters are much more sophisticated than they were years ago.
“But there is still not a lot of (data) loss data that they can use to fairly set your premium.”
Things may have improved because cybersecurity experts are now hired to help with the underwriting process. Even so, it is still a struggle to understand and quantify risk in the cybersecurity sphere.
Now, because of the high volatility of insurance premium costs, insurers are balking at renewing policies, Gil pointed out. “Even though you haven’t had a data breach, insurers will not renew your policy, because of overall losses they are facing,” he said.
One significant announcement that reflects the massive losses cyberinsurance companies are facing comes from AXA.
AXA, one of the five biggest insurers in Europe, said in early May that it will stop writing policies in France that reimburse ransomware victims for the ransom amount paid out to cybercriminals.
Cybersecurity risk – the current landscape
The onslaught of ransomware attacks is relentless. “Software-as-a-service revolutionised the way companies leveraged business apps. Ransomware-as-a-service has revolutionised extortion,” Gil noted.
“Nearly anyone can do (ransomware attacks). Criminals and nation-state threat actors create complex ransomware code and license it for a fee (or revenue share model) to would-be attackers.”
Gil also shared that while the webinar was going on, a 60-day sprint by the U.S. government was under way. The aim of this sprint is to better prepare companies, critical infrastructure and agencies to deal with this threat before it compromises government operations.
Ransomware has escalated not just in frequency and scale; it now has a two-fold mission. Important company files are encrypted and rendered useless for day-to-day business operations.
In a diabolical twist, attackers now also exfiltrate the data, then threaten to publicly post sensitive information such as customer data and compensation data unless the ransom is paid.
“So, it’s a two-in-one attack now,” Gil said.
Is immutable storage the answer to unwanted data encryption?
As an enterprise data storage company, Cloudian is well positioned to see the problem and address it head on. Sure enough, Jon has had to help customers navigate the cyberinsurance landscape in the wake of ransomware’s meteoric rise.
Jon pointed out, “The cyberinsurance industry is very aware (making the data unchangeable) is a potent way of preventing ransomware attacks, defending your data, and preventing having to pay a ransom.”
Gil and Jon echoed each other that customers say they get insurance premium discounts when they have immutable storage in place.
They have heard of cyberinsurance companies not wanting to run the risk of covering losses from encrypted, exfiltrated data.
“They are asking for companies to have things like 6 months immutable storage,” Jon said.
Worth noting is Cloudian’s S3 Object Lock feature, which ‘locks’ the data: data that cannot be changed cannot be encrypted.
S3 Object Lock is part of an automated Veeam backup workflow, with a timer that sets the duration for which the data cannot be changed.
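The mechanism behind “data that cannot be changed cannot be encrypted”, shown as an added example that is not Cloudian’s or Veeam’s code: a small Python model of Object Lock retention in a versioned bucket. COMPLIANCE and GOVERNANCE are the public S3 Object Lock mode names; the bucket class, the helper functions, the 180-day figure (the “6 months” insurers ask for) and the constructed backup timestamp are assumptions made for the illustration.

```python
# Added illustration (not Cloudian's or Veeam's code): an in-memory model of
# S3 Object Lock retention. COMPLIANCE and GOVERNANCE are the real S3 mode
# names; class and function names here are assumptions. An intruder holding
# write/delete credentials can only add versions; deleting or shortening a
# locked version is refused until its timer expires.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COMPLIANCE = "COMPLIANCE"   # nobody, not even the account root, can shorten or delete early
GOVERNANCE = "GOVERNANCE"   # a caller with a bypass permission may shorten or delete early


class ObjectLockedError(PermissionError):
    """Raised when a locked version would be deleted or its retention shortened."""


@dataclass
class Version:
    version_id: int
    data: bytes
    retain_until: datetime
    mode: str


@dataclass
class ImmutableBucket:
    """Versioned bucket whose versions carry an Object Lock retention date."""
    versions: dict = field(default_factory=dict)   # key -> [Version, ...], oldest first
    next_id: int = 1

    def put(self, key, data, now, retention_days, mode=COMPLIANCE):
        """Write a new version; an overwrite never replaces the earlier version."""
        v = Version(self.next_id, bytes(data), now + timedelta(days=retention_days), mode)
        self.next_id += 1
        self.versions.setdefault(key, []).append(v)
        return v.version_id

    def find(self, key, version_id):
        for v in self.versions.get(key, []):
            if v.version_id == version_id:
                return v
        raise KeyError(f"{key}@{version_id}")

    def delete_version(self, key, version_id, now, bypass_governance=False):
        v = self.find(key, version_id)
        if now < v.retain_until and not (v.mode == GOVERNANCE and bypass_governance):
            raise ObjectLockedError(f"{key}@{version_id} retained until {v.retain_until.isoformat()}")
        self.versions[key].remove(v)

    def set_retention(self, key, version_id, new_until, bypass_governance=False):
        """Extending is always allowed; shortening needs GOVERNANCE mode plus bypass."""
        v = self.find(key, version_id)
        if new_until < v.retain_until and not (v.mode == GOVERNANCE and bypass_governance):
            raise ObjectLockedError("retention period cannot be shortened")
        v.retain_until = new_until


def simulate_encrypting_intruder(bucket, now, junk=b"<ciphertext>"):
    """'Encrypting' a key only appends a junk version; every locked original
    refuses deletion. Returns how many original versions survive."""
    survived = 0
    for key in list(bucket.versions):
        original_ids = [v.version_id for v in bucket.versions[key]]
        bucket.put(key, junk, now, retention_days=0)          # overwrite attempt
        for vid in original_ids:
            try:
                bucket.delete_version(key, vid, now)
            except ObjectLockedError:
                survived += 1
    return survived


def retention_meets_policy(bucket, now, min_days=180):
    """Insurer-style check: every key holds a version locked for min_days from now."""
    threshold = now + timedelta(days=min_days)
    return all(any(v.retain_until >= threshold for v in vs) for vs in bucket.versions.values())


T0 = datetime(2021, 6, 1, tzinfo=timezone.utc)   # constructed backup timestamp


def compliance_demo():
    """180-day COMPLIANCE lock set by the backup job; intruder arrives 30 days later."""
    b = ImmutableBucket()
    key = "backups/db-2021-06-01.vbk"                        # constructed key name
    vid = b.put(key, b"clean backup bytes", T0, retention_days=180)
    survived = simulate_encrypting_intruder(b, T0 + timedelta(days=30))
    return survived, b.find(key, vid).data, retention_meets_policy(b, T0)


def governance_demo():
    """GOVERNANCE lock: delete refused without the bypass permission, allowed with it."""
    b = ImmutableBucket()
    vid = b.put("k", b"x", T0, retention_days=30, mode=GOVERNANCE)
    try:
        b.delete_version("k", vid, T0)
        refused = False
    except ObjectLockedError:
        refused = True
    b.delete_version("k", vid, T0, bypass_governance=True)
    return refused, len(b.versions["k"]) == 0


def shorten_demo():
    """Shortening a COMPLIANCE retention is refused; extending it is allowed."""
    b = ImmutableBucket()
    vid = b.put("k", b"x", T0, retention_days=180)
    try:
        b.set_retention("k", vid, T0 + timedelta(days=1))
        refused = False
    except ObjectLockedError:
        refused = True
    b.set_retention("k", vid, T0 + timedelta(days=365))
    return refused, b.find("k", vid).retain_until == T0 + timedelta(days=365)


if __name__ == "__main__":
    print(compliance_demo(), governance_demo(), shorten_demo())
```

Two points the model makes visible. The retention date is fixed at write time by the backup job’s timer, so the lock only helps if that timer is at least as long as the gap between a backup and the discovery of an intrusion, which is why insurers ask for months rather than days. And the immutability claim rests on the mode: in GOVERNANCE mode a compromised account that holds the bypass permission can still delete, so the version of the guarantee an underwriter is pricing is the COMPLIANCE one.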
Cybersecurity in the past couple of years has become the top, if not one of the top operational risks for large companies.
While it is important to keep boards engaged and apprised of cyberinsurance, they also need to understand its true risk.
“The boards have to take an active role in overseeing cyber risk management,” he said. He added that US regulators, especially in financial services, are demanding this and that boards are following through on their responsibilities.
It is also important to educate the board about the policy’s features and limitations, if any, so that in the event of a loss or attack it is prepared for the insurer possibly invoking exclusions.
Some famous war stories include Merck and Mondelez, which were victims of the NotPetya ransomware attacks in 2017. With ransomware-related losses amounting to almost a billion, their cyberinsurance companies denied them coverage by invoking a war-time clause.
Merck’s policies had specifically excluded this class of risk. Cyberinsurance companies denied their claims, citing NotPetya as a result of the heightened conflict between Russia and Ukraine.
“There are many, many exclusions besides war-time, that you should fully understand, before you agree to a cybersecurity policy,” Gil said.