Shadowing the rapid growth of cyber liability insurance has been an ominous trend: more frequent cyber extortion attacks with higher monetary demands, attacks so effective that victims increasingly feel pressured to pay the attackers off quickly.
The cyber insurance market has expanded rapidly but still lacks the historical loss data on which underwriters in most lines rely to design and price coverage. Insurers have long offered extortion and kidnap coverages, but law enforcement has traditionally counseled against paying criminals' demands because doing so encourages more attacks.
But when a hacker seizes computer systems in a way that threatens a company's viability, investigators are no longer in any position to advise that type of social prudence, said John Stark, a former SEC cybercrimes investigator who now runs a ransomware response and consultancy business.
Paying ransom often the only option
In such a scenario, with customers falling away and interruption costs soaring, agents who are first to the scene of the investigation might honestly tell executives they have no other option besides paying the ransom, Stark said in an interview.
"[The suspect] might be in some foreign country, and it would take 15 judicial requests to get an opportunity to speak with him," he said. A substantial slice of Stark's clientele originates after desperate executives of hacked businesses find a functioning or clean computer to search for ransomware assistance, he said.
Technology and criminal enterprise have smoothed the way for malware attacks: hackers can sell "pre-breached" servers on the dark web, complete with verification protocols for prospective "buyers." Hard-to-trace cryptocurrencies like Bitcoin are now the ransom payment method of choice for cyber extortion, Stark added.
The result is that ransomware payments have become virtually reflexive, and extortion attacks have ramped up. Malware attacks nearly doubled in 2018 compared to 2017, and the number of cases in 2018 was exceeded just in the first half of 2019, according to a report from Chubb Ltd. Ransom demands have been growing into the six- and seven-figure range, the report found.
Professional services have been hackers' biggest target because of their reliance on email and susceptibility to phishing scams enticing workers to click on malicious links. Manufacturing is the second-largest industry target because companies have an outsized incentive to get their operations back running as soon as possible, according to the Chubb report.
Does insurance attract hackers?
The growth of the cyber liability industry has made more insurance money available to respond to ransomware attacks, and that has raised the suspicion that the capital behind insured victims is itself attracting extortion demands. The scrutiny prompted Marsh executive Matthew McCabe to publish an article in response, emphasizing that carriers neither encourage ransom payments nor take the decision out of clients' hands.
Insurance companies are more likely to be barriers to ransom payments, especially if they have employed a forensics company to investigate the attack for response options, McCabe said in an interview.
"It's more common based on the carriers' forms that the insureds are not allowed to make a payment unless the carrier says it's OK," said McCabe, senior vice president and assistant general counsel for cyber policy.
He said criminals are not inclined to research their targets' insurance coverage, as most ransom demands are still beneath $100,000. Rather, what's driving the rise in attacks is success from a criminal enterprise that is low-cost and high-reward given the right expertise.
"For the most part, these are smash-and-grab events where the hacker wants to make a quick hit," McCabe said.
No ordinary ransom demand
Still, what had been a nuisance is growing into a major business risk, and carriers have needed to adjust, said Tom Srail, a cyberrisk researcher for Willis Towers Watson PLC.
Some companies had been fielding ransomware claims under kidnapping and ransom policies, which were typically underwritten for a fairly remote risk, with less coverage than cyber liability claims were expected to need, Srail said in an interview. Losing a book of Social Security numbers is likely to cost much more than the $1 million to $2 million anticipated for a kidnapping ransom, he observed.
"Insurance companies offering that coverage have started to look a lot more closely at what was previously just a small, throw-in coverage," Srail said.
There was a time when Stark assumed that data security technology would close the gates to ransomware attacks, but that optimism is gone. Even data quarantined offline in a remote warehouse requires regular maintenance to make it accessible after technological updates, and hackers need not do anything with valuable backup data to hold a company to ransom — just lock it digitally, Stark said.
"Anytime there's access, there's opportunity for infiltration," Stark said.