Ransomware: An insurance market perspective

The frequency of ransomware attacks is increasing, along with the size and nature of ransom demands, according to a new report by The Geneva Association.

According to the report, Ransomware: An insurance market perspective, cybercriminals are deploying more sophisticated approaches to target governments, businesses and individuals, with serious and costly effects. The growth of the ransomware-as-a-service (RaaS) business model has also enabled threat actors with limited technical skills to launch highly disruptive attacks.

The report suggests that cyber insurance provides vital financial protection and operational support in the event of an attack, but ransomware has contributed to the recent deterioration in cyber insurers’ underwriting performance. Ransomware accounted for 75% of all cyber insurance claims in 2020 (AM Best) and is also likely to have been the costliest loss event category in 2021 (WTW).

The Geneva Association’s report analyses the complex policy issues surrounding ransomware and possible solutions to counter this epidemic in cybercrime, including the contribution of insurance to boosting firms’ cyber resilience.

The report’s key messages include the following:

Cyber insurance does more than provide cover for ransoms: Cyber insurance may also cover a range of first- and third-party losses incurred by victims of ransomware (e.g. business interruption, data and system recovery, forensics and legal assistance), as well as arrange expert support in managing incidents. Insurance also helps organisations identify and address cybersecurity vulnerabilities and adopt better risk prevention in a fast-changing landscape.

Banning ransom payments would be a blunt, potentially ineffective policy instrument: An outright ban on the payment of ransoms or their reimbursement by re/insurers could backfire by driving transactions underground and encouraging ransomware attackers to engage in new, more malicious forms of extortion.

Governments and regulators must do more to counter ransomware attacks: Policies aimed at deterring ransomware attacks, disrupting cybercriminals’ business models (including their use of cryptocurrencies to launder funds), better preparing organisations for intrusions and more effectively responding to attacks will improve the security of cyberspace and help legitimate businesses gain the upper hand against cyber adversaries. 

There is no silver bullet for ransomware, the report suggests. A multi-faceted approach will be required to reduce the underlying drivers of attacks, limit their impact and ensure business resilience. For that reason, cyber insurance should be seen as an integral part of the solution rather than a catalyst for ransomware.

While outright ransom bans or restrictions continue to be discussed in some jurisdictions, such legal reforms remain subject to considerable debate and ultimately may never make it to the statute book. Instead, governments seem to be coalescing around a combination of enhanced security measures to counter the rise in ransomware. 

These include updating disclosure laws to increase the understanding of the crime and enable better targeting of disruption activities; tougher regulation to make it harder for criminals to use cryptocurrencies for illicit purposes; more effective mechanisms and institutional structures to exchange threat information among stakeholders, including improved international cooperation among law enforcement agencies; and measures to promote cybersecurity best practice as well as address vulnerabilities in software supply chains. 

Cybersecurity controls 

Managing director of The Geneva Association, Jad Ariss, said: “With ransomware we see an example of the important ‘prevention and mitigation’ role insurers play as risk managers. They control a critical lever with their ability to incentivise customers to maintain strong cybersecurity controls and standards, helping to reduce firms’ vulnerability to attack and boost their cyber resilience.”

“Governments and regulators have their levers, too, and as our report highlights, they need to rein in the illegal use of cryptocurrencies and do more to ensure information exchange about incidents as well as improve international cooperation among law enforcement.”

The Geneva Association’s director of Cyber and Evolving Liability and author of the report, Darren Pain, added: “The ransomware landscape is now highly evolved and sophisticated, especially with the development of ransomware-as-a-service. Such ransomware attacks are driving significant increases in insurance claims and, as a consequence, premiums.”

Banning payments

“Would banning ransom payments be a viable solution? According to our study, insurance companies do not think so. Prohibiting ransom payments or their reimbursement by insurers would likely drive transactions underground, forfeiting the ability of the authorities to record and analyse incidents and prosecute criminals. Furthermore, the last thing we should do is take steps that might discourage smaller firms from taking out cyber insurance, the benefits of which go well beyond reimbursing ransoms.” 

This is a summary of the main findings of the report by The Geneva Association. The full report, Ransomware: An insurance market perspective, is available from The Geneva Association.