Organizations with cyberinsurance are more than twice as likely to pay ransoms as those without, according to a global survey commissioned by U.K.-based cybersecurity and software firm Sophos of 1,823 companies, governments, health systems, and other organizations that had been hit by ransomware. This is one of the first times such data have been gathered that show the extent of the relationship between cyberinsurance and ransomware payments. Critics say that relationship helps fuel a ransomware economy that the federal government estimates causes $445 billion in damages to the global economy every year.
At Barron’s request, Sophos asked market research firm Vanson Bourne to revisit data from the survey of information-technology executives it commissioned for a 2020 report on ransomware. In that survey, Sophos provided questions that it wanted answered, but it did not ask Vanson Bourne about the relationship between organizations carrying ransomware insurance, and whether they ended up paying ransom if attacked.
Vanson Bourne calculated that 32% of organizations with cyberinsurance against ransomware paid the ransom, while only 15% of those without it paid. “The criminals are counting on that insurance payout,” says Chester Wisniewski, a data scientist at Sophos, whose clients include organizations responding to ransomware attacks under insurers’ guidance. “When a customer knows they have insurance, they often say, ‘Let’s pay the ransom.’”
Critics say it doesn’t have to be this way and that insurers’ practices reinforce a negative feedback loop. With the help of attorneys, insurers have helped mold ransomware defense into a series of programmed steps, say insurance professionals and academic researchers. They argue that the cottage industry of insurer-guided incident-response services may encourage online extortion rackets by unintentionally smoothing the path from attack to ransom payment.
“Anecdotally, we see that by getting these attorneys and other guys involved, in the end, they prefer to pay the ransom,” says Fred Eslami, head of a cybersecurity initiative at credit rating firm AM Best.
Janet Ruiz, a representative for the Insurance Information Institute, a trade association, says insurers have no choice but to honor valid claims, even if it’s to pay ransom. She compares ransomware to forest fires or flooding, as disasters where an insurer is obliged to help policyholders recover. “We help them mitigate those risks,” she says. “But in the end, if they have a loss, they pay the losses.”
Why It Pays to Pay
The new data analysis by Vanson Bourne yielded another insight: Ransom-payers with insurance reported they were much likelier to get their data back than uninsured ransom-payers. While 21% of uninsured ransom-payers surveyed said they did not get their data back, only 1% of insured ransom-payers didn’t.
The survey data didn’t reveal why. But some security specialists and academic researchers believe there is a too-close-for-comfort relationship between criminals and the incident-response operations guided by insurers. Ransomware insurers do more than just pay out ransoms: They take an important role in strategizing how policyholders should respond to a ransom demand.
As a result, cybercriminals, cyberinsurers, and the victims are caught in a complicated and costly dance that increases the likelihood of ransom payments, further encouraging attacks, prompting more companies to buy ransomware insurance, and driving up premiums even as the ransomware insurance business expands, according to academic researchers and security industry experts.
Insurers frequently recommend that victims work with particular ransomware negotiators, among a panel of consultants provided by the insurance company. Ransomware perpetrators, meanwhile, seek to keep up their reputation with negotiators by delivering on their promises to return data in exchange for payment, according to security specialists and academic researchers who spoke to Barron’s.
‘Trust With Criminal Gangs’
“Insurers push work to the same incident-response firms, which push work to the same ransom negotiator. These same firms are negotiating with the same criminals again and again, and the criminals also know that. The criminals will actually sometimes ask for a certain negotiator,” says Daniel Woods, a fellow at the University of Innsbruck’s Security and Privacy Lab who specializes in the economics of ransomware insurance. “It shows this awareness that they are working with each other, and they build up trust. But this is trust with criminal gangs.”
With this approach, everyone gets paid. Negotiators are able to advertise an ability to make sure data are restored, creating demand for their services. Insurers get a quick, predictable result, as well as a reputation for getting data back. Cyberextortionists gain a reputation for being trustworthy earners of ransom money, say security specialists including Wisniewski, the Sophos data scientist.
“This new information certainly seems to imply there is a reputational advantage to both insurance companies and criminals, and there’s an advantage to the victim,” says Wisniewski, whose company’s business includes working with insurers on incident-response teams. “Everybody is a winner except for society at large.”
Insurance industry executives say that ransom payments can often be the only reasonable option when, for instance, there is a “$10 million ransomware demand, and the client is losing $3 million or $4 million per day,” as Shay Simkin, global head of cyber for Howden Group Holdings, a $5 billion London-based insurance underwriter and broker, puts it.
Crown Jewel Insurance is a Miami-based specialist broker that provides insurance that supplements ransomware and other types of policies when those policies don’t fully cover costs. Nonetheless, founder and CEO Mary Guzman acknowledges the problem. “Insurers have to do what’s right by shareholders and the insured, which might cause them to make a short-term decision that only benefits them, and doesn’t benefit the greater good,” she says.
Ransom and Repeat
In 2016, Max Kelly co-founded the San Francisco cybersecurity firm Redacted, which included an insurance division. But Kelly came to realize that cyberinsurers’ interests intrinsically conflict with those of clients and spun off the insurance unit. “It’s clear that every time I’ve seen insurance companies at work in an incident, they are working toward their agenda, and not necessarily on the insured’s agenda,” he says. “For them, it’s a very simple transaction. They go and negotiate the ransom, and pay some money. That has the effect of throwing toast into the yard and hoping the birds go away.”
The number of ransomware attacks worldwide increased by 170% from the first quarter of 2019 to the fourth quarter of 2020; the average ransom payment in the U.S. is up by about 400% in this year’s first quarter as compared with 2019; and the average cost to recover from a ransomware attack has exceeded $2 million, according to an AM Best report.
The number of cyberinsurance policies increased by two-thirds during the past half-decade. Premium payments more than doubled from 2016 to 2020, going up by 22%, to $2.7 billion, in just the past year, according to Aon (ticker: AON), a multinational insurance firm. And according to AM Best, ransomware now makes up three-quarters of cyberinsurance claims, up from about half in 2016.
However, cyberinsurers’ profitability tumbled as the size of ransomware payouts exploded over the past two years. Where payouts were less than half of premium revenue in 2019, they were 72.8% of revenue on average by 2020. Top U.S. cyberinsurer AXA-XL, a division of French insurer Axa, last year paid out 98% of premiums, according to Fitch Ratings. Second-ranked American International Group (AIG) paid out 101% of premiums.
Insurers contend that major losses have led them to require improvements in security against attack, potentially a blow against ransomware. Janet Ruiz, the Insurance Information Institute representative, says that some insurers are leaving the business. Others are hardening underwriting standards, demanding anti-cyberattack measures such as security software and worker training. Premiums are going up, as is the level of deductibles, she says.
“That’s what the insurance industry does. We evolve with the issues,” she says.
According to think tank Rand Corp., deductibles of $500,000 to $1 million are common for large companies, with some as high as $25 million.
Pumping Up Premiums
Analysts expect premiums to climb and coverage to narrow as insurers that lost money during the recent ransomware surge issue fewer policies with tighter terms.
Even so, ransomware is evolving and growing so rapidly that insurers have no reliable way to assess the risk. The chairman and CEO of insurer Chubb (CB) said in July that cyberinsurance rates were still too low to account for the true risk of a catastrophic attack.
“Right now, the insurance industry is a mess. It is filled with contradictory motivations,” says security specialist Kelly. “It has shown that, even though it’s able to collect money, it doesn’t really help solve the problem, or help the victims.”