Ransomware attacks soared in the second half of 2019, and industry experts are concerned that the cost to insurers is growing at rates unsustainable for current policies.
Businesses and organizations are more often being forced to pay hackers, whose increasingly sophisticated attacks target operations that cannot afford downtime. Speakers at Advisen's Cyber Risk Insights Conference said barriers to entry for cyber ransom crime have fallen and the payoffs have swelled during the last three years. One consultant at the conference, who had previously worked for the Federal Bureau of Investigation, said the data insurers have collected so far is useless when it comes to underwriting cyber policies.
Cyber policies have some catching up to do to adequately cover the rise in ransomware attacks, said John Coletti, Axa XL's chief underwriting officer for cyber and technology. Where hackers once demanded payment in thousands of dollars, the criminal ask has escalated to millions payable in cryptocurrency, Coletti said.
"The ransomware attacks and hiding behind Bitcoin ... it's unsustainable, and coverage will have to shrink," he said. Federal officials do not have the staff to keep up with the trend, and investigators have told him that cyber crime has become "a great business model."
Gone are the days when hackers send out phishing emails randomly and hope to get someone to "bite," said Bridget Choi, associate director for Kivu Consulting Inc. Hackers instead target specific industries, learn unique vulnerabilities and even recruit specialists or understudies to employ for attacks, she said.
"Even the unsophisticated [hackers] are getting tech support from the ransomware family so that they can effectuate a more successful ransom," Choi said.
Industrial controls have become a favorite target because they can least afford to lose operation time, several speakers said. Local governments, major utilities, hospitals and public safety similarly provide essential services or have small IT departments and threadbare cybersecurity, said Robert Anderson, a former FBI agent who is now CEO of Cyber Defense Labs.
To keep the ransomware trend from "crippling" the insurance industry, clients need to adopt ransomware defenses that have been around for years but are rarely followed, Anderson said. Organizations must segment data, maintain redundancies and develop ransomware response plans.
The fledgling cyber insurance sector still does not have nearly the full picture of loss data that it needs, according to Anderson.
"I think the data around cyber breaches is unbelievably inaccurate," he said. After leaving the FBI to respond to breaches that have never been reported to any law enforcement or public channel, Anderson realized that thousands of hacks are never documented with authorities.
"I don't think it helps us with statistics, but it's just reality," he said.