In crosshairs of ransomware crooks, cyber insurers struggle

Jul 4, 2021, 9:28 PM | Updated: Jul 7, 2021, 3:39 am
FILE - In this Feb. 21, 2019, file photo, people stand in front of the logo of AXA Group prior to t...

FILE - In this Feb. 21, 2019, file photo, people stand in front of the logo of AXA Group prior to the company's 2018 annual results presentation, in Paris. The cyber insurance industry, once a profitable niche, is now in the crosshairs of ransomware criminals. Pressure is building on the industry to stop reimbursing for ransoms, but so far only one major cyber insurer, AXA, is doing so — and only with new policies in France. To try to absorb the growing onslaught and stay profitable, insurers are retooling coverage, demanding clients up their security. (AP Photo/Thibault Camus, File)

(AP Photo/Thibault Camus, File)

BOSTON (AP) — In the past few weeks, ransomware criminals claimed as trophies at least three North American insurance brokerages that offer policies to help others survive the very network-paralyzing, data-pilfering extortion attacks they themselves apparently suffered.

Cybercriminals who hack into corporate and government networks to steal sensitive data for extortion routinely try to learn how much cyber insurance coverage the victims have. Knowing what victims can afford to pay can give them an edge in ransom negotiations. The cyber insurance industry, too, is a prime target for crooks seeking its customers’ identities and scope of coverage.

Before ransomware evolved into a full-scale global epidemic plaguing businesses, hospitals, schools and local governments, cyber insurance was a profitable niche industry. It was accused of fueling the criminal feeding frenzy by routinely recommending that victims pay up, but kept many from going bankrupt.

Now, the sector isn’t just in the criminals’ crosshairs. It’s teetering on the edge of profitability, upended by a more than 400% rise last year in ransomware cases and skyrocketing extortion demands. As a percentage of premiums collected, cyber insurance payouts now top 70%, the break-even point.

Fabian Wosar, chief technical officer of Emsisoft, a cybersecurity firm specializing in ransomware, said the prevailing attitude among insurers is no longer: Pay the criminals. It’s likely to be cheaper for all involved.

“The ransomware groups got way too greedy too quickly. So the cost-benefit equation the insurers initially used to figure out whether or not they should pay a ransom — it’s just not there anymore,” he said.

It’s not clear how the single biggest ransomware attack on record, which began Friday, will impact insurers. But it can’t be good.

Pressure is building on the industry to stop reimbursing for ransoms.

In May, the major cyber insurer AXA decided to do so with all new policies in France. But it is so far apparently alone in the industry, and governments are not moving to outlaw reimbursement.

AXA is among major insurers that have suffered ransomware attacks, with operations in Thailand hard-hit. Chicago-based CNA Financial Corp., the seventh–ranked U.S. cybersecurity underwriter last year, saw its network crippled in March. Less than a week earlier, the cybersecurity firm Recorded Future published an interview with a member of the Russian-speaking ransomware gang, REvil, that is skilled in pre-attack intelligence-gathering and happens to be behind the current attack. He suggested it actively targets insurers for data on their clients.

CNA would not confirm a Bloomberg report that it paid a $40 million ransom, which would be the highest reported ransom on record. Nor would it say what or how much data was stolen. It said only that systems where most policyholder data was stored “were not impacted.”

In a regulatory filing with the Securities and Exchange Commission, CNA also said that its losses might not be fully covered by its insurance and “future cybersecurity insurance coverage may be difficult to obtain or may only be available at significantly higher costs to us.”

Another major insurance player hit by ransomware was broker Gallagher. Although it was hit in September, only this past week (June 30) did it disclose that the attackers may have stolen highly detailed data from an unspecified number of customers — from passwords and Social Security numbers to credit card data and medical diagnoses. Company spokeswoman Kelli Murray would not say if any cyber insurance policy contracts were on compromised servers. Nor would she say whether Gallagher paid a ransom. The criminals, from the RagnarLocker gang, apparently never posted information about the attack on their dark web leak site, suggesting that Gallagher paid.

Of the three insurance brokers that ransomware gangs claimed to have attacked in recent weeks, posting stolen data on their dark web sites as evidence, two, in Montreal and Detroit, did not respond to phone calls and emails. The third, in southern California, acknowledged being hobbled for a week.

By the time the Colonial Pipeline and major meat processer JBS were hit by ransomware in May, insurers were already passing higher coverage costs to customers.

Cyber premiums jumped by 29% in January in the U.S. and Canada from the previous month, said Gregory Eskins, an analyst at top commercial insurance broker Marsh McLennan. In February, the month-to-month jump was 32%, in March it was 39%.

In a bid to turn back ransomware-related losses — Eskins said they amounted to about 40% of cyber insurance claims in North America last year — policy renewals are carrying new, stricter rules or lowered coverage limits.

“The price has to match the risk,” said Michael Phillips, chief claims officer at the San Francisco cyber insurance firm Resilience and a co-chair of the public-private Ransomware Task Force.

A policy might now specify that reimbursement for extortion payments can’t exceed one-third of overall coverage, which typically also encompasses recovery and lost income and can include payments to PR firms to mitigate reputational damage. Or an insurer may cut coverage in half, or introduce a deductible, said Brent Reith of the broker Aon.

While some smaller carriers have dropped coverage altogether, the big players are instead retooling.

Then there are hybrid insurers like Resilience and Boston-based Corvus. They don’t simply ask potential customers to fill out a questionnaire. They physically probe their cyber defenses and actively engage clients as cyber threats occur.

“We’re monitoring and making active recommendations not just once a year but throughout the year and dynamically,” said Corvus CEO Phil Edmundson.

But is the overall industry nimble enough to absorb the growing onslaught?

The Government Accountability Office warned in a May report that “the extent to which cyber insurance will continue to be generally available and affordable remains uncertain.” And the New York State Department of Finance said in a February circular that massive industry losses were possible.

Both insured and insurers, stingy about sharing experiences and data, shoulder the blame for that, the U.K. Royal United Services Institute said in a new report. Most ransomware attacks go unreported, and no central clearinghouse on them exists, though governments are beginning to pressure for mandatory industry reporting. As a business sector, insurers are not especially transparent. In the U.S. they are regulated not by the federal government but by the states.

And for now, cyber insurers are mostly resisting calls to halt reimbursements for ransoms paid.

In a May earnings call, the CEO of U.K.-based Beazley, Adrian Cox, said “generally speaking network security is not good enough at the moment.” He said it is up to government to decide whether payments are bad public policy. CEO Evan Greenberg of the leading U.S. cyber insurer, Chubb Limited, agreed in the company’s annual report in February that deciding on a ban is government’s purview. But he did endorse outlawing payments.

Jan Lemnitzer, a Copenhagen Business School lecturer, thinks cyber insurance should be compulsory for businesses large and small, just as everyone who drives must have car insurance and seat belts. The Royal United Services Institute study recommends it for all government suppliers and vendors.

While he considers banning ransom payments problematic, Lemnitzer says it would be a “no-brainer” to compel insurers to stop reimbursing for them.

Some have suggested imposing fines on ransom payments as a disincentive. Or the government could retain a percentage of any cryptocurrency recovered from ransomware criminals, the proceeds going to a federal ransomware defense fund.

Such measures could bite into criminal revenues, said attorney Stewart Baker of Steptoe and Johnson, a former NSA general counsel.

“In the long run, it probably means that resources that are currently going to Russia to pay for Ferraris in Moscow will instead go to improve cybersecurity in the United States.”

Copyright © The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.


FILE - Construction crews install new border wall sections seen from Tijuana, Mexico., Jan. 9, 2019...
Associated Press

Judge: Suit by group critical of immigration can proceed

A group calling for sharply limiting immigration has scored a legal victory in its federal lawsuit arguing the Biden administration violated environmental law when it halted construction of the U.S. southern border wall and sought to undo other immigration policies by former President Donald Trump.
19 hours ago
FILE - Wild horses that were captured from U.S. rangeland stand in a holding pen, at the U.S. Burea...
Associated Press

Biggest US holding pen planned for wild horses faces suit

RENO, Nev. (AP) — Advocates for wild horses are accusing federal land managers of illegally approving plans for the largest U.S. holding facility for thousands of mustangs captured on public rangeland in 10 Western states. Friends of Animals said in a lawsuit filed Tuesday up to 4,000 horses would be held captive inhumanely for months […]
19 hours ago
FILE - Japanese fashion designer Hanae Mori, center, is applauded by models after the presentation ...
Associated Press

Hanae Mori, designer for films, empress, dies, reports say

TOKYO (AP) — Designer Hanae Mori, known for her elegant signature butterfly motifs, numerous cinema fashions and the wedding gown of Japan’s empress, has died, local media reported Thursday. She was 96. Mori symbolized the rise of Japan as a modern, fashionable nation and the rise of the working woman. The reports said she died […]
19 hours ago
Former Vice President Mike Pence gestures during the "Politics and Eggs" breakfast gathering, Wedne...
Associated Press

Pence tells GOP to stop lashing out at FBI over Trump search

MANCHESTER, N.H. (AP) — Former Vice President Mike Pence on Wednesday implored fellow Republicans to stop lashing out at the FBI over the search of Donald Trump’s Florida home and denounced calls by some of the former president’s allies to defund the FBI, saying that was “just as wrong” as a push by Democratic activists […]
19 hours ago
Associated Press

Police: Man who broke into Wisconsin home wanted a bath

CHIPPEWA FALLS, Wis. (AP) — A Minnesota man who allegedly broke into an occupied Wisconsin home last week and locked himself in a bathroom never had a chance to come clean. He was getting ready to take a bath when authorities arrived. Authorities say the 29-year-old St. Paul, Minnesota man was filling up the tub […]
19 hours ago
FILE - Allen Weisselberg, right, stands behind then President-elect Donald Trump during a news conf...
Associated Press

Trump CFO’s plea deal could make him a prosecution witness

NEW YORK (AP) — Donald Trump’s chief financial officer is expected to plead guilty to tax violations Thursday in a deal that would require him to testify about illicit business practices at the former president’s company, two people familiar with the matter told The Associated Press. Allen Weisselberg is charged with taking more than $1.7 […]
19 hours ago

Sponsored Articles

Day & Night Air Conditioning, Heating and Plumbing

Here are 4 signs the HVAC unit needs to be replaced

Pool renovations and kitchen upgrades may seem enticing, but at the forefront of these investments arguably should be what residents use the most. In a state where summertime is sweltering, access to a functioning HVAC unit can be critical.
Sanderson Ford

Don’t let rising fuel prices stop you from traveling Arizona this summer

There's no better time to get out on the open road and see what the beautiful state of Arizona has to offer. But if the cost of gas is putting a cloud over your summer vacation plans, let Sanderson Ford help with their wide-range selection of electric vehicles.
Dr. Richard Carmona

Great news: Children under 5 can now get COVID-19 vaccine

After more than two years of battle with an invisible killer, we can now vaccinate the youngest among us against COVID-19. This is great news.
In crosshairs of ransomware crooks, cyber insurers struggle