Is Cyber Insurance a Panacea for Ransomware Attacks?

By Saryu Nayyar, Chief Executive Officer, Gurucul

In early June, Joseph Blount was in an unenviable position. The CEO of Colonial Pipeline had to testify in front of the Senate Homeland Security and Governmental Affairs Committee as to how his company succumbed to a high profile cyber-attack that resulted in the total shutdown of a pipeline that provides fuel to much of the Eastern Seaboard. While in the hot seat, Blount was forced to defend his company’s payment of a 75 bitcoin ransom (roughly $4.3 million at the time) to the Russian criminal group DarkSide. (Fortunately for Colonial Pipeline, the FBI managed to recover much of that payment from the criminals.)

Just weeks after the pipeline attack, the world’s largest meat processing company, JBS Foods, paid the equivalent of $11 million in bitcoin as ransom to free up its encrypted systems. Andre Nogueira, CEO of JBS USA, said the decision to pay the ransom was difficult but was made to prevent any potential risk for the company’s customers.

For large companies like Colonial Pipeline and JBS Foods, the decision to pay millions of dollars in ransom is more of a legal and moral dilemma than a financial issue. Such organizations are very likely to have cyber insurance that will cover the cost of the ransom and potentially much of the cost of recovery from an attack. According to The State of Ransomware 2020 report by Sophos, when the ransom is paid, 94% of the time it’s an insurance company dishing out the money. The NotPetya attacks a few years ago cost the global insurance industry about $2.7 billion in payouts.

Cyber Insurance is a Risk Mitigation Tool

Cyber insurance has been growing in prominence over the past decade. Companies use insurance as a risk mitigation tool in the event they experience a data breech or other disruption in their computing systems that can harm the business. The cost of a single cyber-attack can run into the millions of dollars and insurance can help offset those losses.

In the early days of cyber insurance, the focus was on the loss or exposure of sensitive or regulated data. While that’s still an issue today and of high concern to company boards, attention is turning to companies’ complete loss of access to their data that has been locked up by a ransomware attack. Organizations are prudent in this concern. Cybersecurity Ventures predicted that by 2021, there would be a ransomware attack against businesses every 11 seconds, with global damages in the $20 billion range.

Ransomware attacks are growing in size and frequency, threatening businesses, public transportation and utilities, healthcare facilities, government agencies, and other entities around the world. Attacks are on the rise for one reason: criminals are succeeding at collecting the big ransoms which are typically paid in untraceable digital currencies like bitcoin.

The blockchain research firm Chainalysis says that ransom payments increased 341% during 2020, totaling $412 million. The insurance industry is reaching a tipping point where premiums will increase and the underwriting process will get more onerous.

To Pay or Not to Pay

As the CEO of JBS Foods discovered, making the decision of whether or not to pay the ransom is not easy. The FBI discourages companies from meeting the criminals’ demands, as this only encourages more attacks. However, the federal agency does acknowledge that making the payment may be a last resort for a company to get its files back.

In some cases, it’s actually illegal for U.S. companies to pay the ransom. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) recently published an advisory on the potential risks of violating U.S. sanctions on foreign criminal entities when facilitating ransomware recovery efforts. It’s against U.S. law to provide a ransom payment to any of these sanctioned entities. For example, In May 2017, a ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries. This attack was linked to the Lazarus Group, a cybercriminal organization sponsored by North Korea. OFAC designated the Lazarus Group and two subgroups, Bluenoroff and Andariel, as sanctioned entities, making it illegal to provide them any sort of payment.

Still, victim organizations feel the pressure to get back to operations quickly—especially when business stoppage has dire effects on the broader community, as in the pipeline attack. Some companies are able to recover their data on their own if they have good data backups that weren’t affected by the attack. In other cases, the insurance company may see a quick ransom payout as a way to reduce potential losses. The longer a business is down, the higher the recovery cost will be.

Ironically, studies show that companies who pay the ransom to unlock their data have overall higher recovery costs. This is attributed to the need to fix the issues caused by the ransomware and to ensure that no backdoor malware is left behind to enable a second attack.

Is Ransomware in the Insurance Policy?

Enterprises need to check their cyber insurance policy closely to verify that it covers ransomware. Many policies do not. One in five organizations will find they are not insured for this type of attack, and they should question the value of cyber insurance with such a gaping hole in coverage.

Overall, an insurance provider can be a good partner in helping an organization shore up its cybersecurity posture. The policy underwriting process is going to require a company to show that it takes strong cybersecurity measures and has a solid incident response plan. A good insurance partner will raise awareness of cyber threats and help to educate its clients. The provider might even require a third-party security assessment before offering a cyber policy.

Still, the best policy is to have proactive cybersecurity controls in place that can help prevent a cyber-attack in the first place. After all, no CEO wants to be the next one called to testify before Congress about their company’s failings.

About the Author:

Saryu Nayyar is the CEO of Gurucul. She is an internationally recognized cybersecurity expert, author and speaker with more than 15 years of experience in the information security, identity and access management, IT risk and compliance, and security risk management sectors. She was named EY Entrepreneurial Winning Women in 2017. She has held leadership roles in security products and services strategy at Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun) and Disney, and held senior positions in the technology security and risk management practice of Ernst & Young. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection and dynamic risk scoring inventions.